[rsbac] todo list item

Magosányi Árpád mag at bunuel.tii.matav.hu
Fri Mar 5 08:39:09 CET 2004

A levelezőm azt hiszi, hogy Amon Ott a következőeket írta:
> I disagree here. JAIL is meant to be a fast and simple encapsulation for 
> most cases. It should be strict by default (except for chroot, because it 
> requires CAP_CHROOT capability) with optional exceptions. If you need a 
> hand crafted solution, use the other modules.

I agree with you in your opinion that it should be strict by default.

But jail have features other models don't. For example the unique IP
address of the jail. If you want that feature, you should use jail.
But if you use jail, there are other restrictions which in some cases
means you cannot use it. 
So if you need one feature of jail, but blocked by another one,
you are in trouble. This is the case with ntpd, this is my case with
X, and I am sure that there are others out there with similar
problematic setups.

> Sure most of the functionality could be covered by the other modules, but 
> those take more work to setup. There is a lot of redundancy between RSBAC 
> models - each model might give you another approach to solve the same 
> problems. Together they are stronger than each single one.

Sure, a strength of rsbac is its rich offer of different security
modules. The problem that these models are not orthogonal.
You know, the good old unix approach: we have tools which do
only one thing, but do it well, and we have a common approach
to make these tools work together well.

GNU GPL: csak tiszta forrásból

More information about the rsbac mailing list