[rsbac] new features
Amon Ott
ao at rsbac.org
Wed Nov 3 09:48:46 CET 2004
On Tuesday, 2 November 2004 16:41, Michal Purzynski wrote:
> On Tue, 2 Nov 2004, Andrea Pasquinucci wrote:
>
> > - rsbac_softmode_noback
> > this will be like rsbac_softmode, that is boot in softmode, but once
> > softmode has been turned off, it cannot be turned on again for the
> > uptime of the machine
I would call it rsbac_softmode_once and have no problem with this
feature - no need to use it, if you do not like it.
> > - rsbac_secoff_disabled
> > this is probably more tricky, any RSBAC configuration should be
> > disallowed in secure mode, tools and /proc could be read_only but not
> > allow to change any RSBAC configuration, moreover this should apply
> > only when softmode is off, when softmode is on secoff should work as
> > usual
> in fact there are ways you could fix rsbac configuration, but not for one
> boot only. but suppose you need to make changes in policy, you would have
> to restart machine to do it.
If softmode is on, any user can change the configuration - this is
what makes softmode so dangerous, but at least you get log entries.
Just remove all administration rights and you are ready for your
scenario. This means that you do not need a disable_secoff in this
case.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22