[rsbac] new features

Amon Ott ao at rsbac.org
Wed Nov 3 09:48:46 CET 2004


On Tuesday, 2 November 2004 16:41, Michal Purzynski wrote:
> On Tue, 2 Nov 2004, Andrea Pasquinucci wrote:
> 
> > - rsbac_softmode_noback
> >   this will be like rsbac_softmode, that is boot in softmode, but once
> >   softmode has been turned off, it cannot be turned on again for the
> >   uptime of the machine

I would call it rsbac_softmode_once and have no problem with this 
feature - no need to use it, if you do not like it.

> > - rsbac_secoff_disabled
> >   this is probably more tricky, any RSBAC configuration should be
> >   disallowed in secure mode, tools and /proc could be read_only but not
> >   allow to change any RSBAC configuration, moreover this should apply
> >   only when softmode is off, when softmode is on secoff should work as
> >   usual
> in fact there are ways you could fix rsbac configuration, but not for one
> boot only. but suppose you need to make changes in policy, you would have
> to restart machine to do it.

If softmode is on, any user can change the configuration - this is 
what makes softmode so dangerous, but at least you get log entries. 

Just remove all administration rights and you are ready for your 
scenario. This means that you do not need a disable_secoff in this 
case.
 
Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22