[rsbac] ssh rc-role

tazok tazok.id0 at gmail.com
Wed Aug 23 19:40:24 CEST 2006


2006/8/23, jens <jens at igraltist.dyndns.org>:
> hi
> you mean this can solve the problem?

Well, I think so. However, before you make any kind of changes which
could be security/stability relevant, you should first test them many
times on another machine (one you have physical access to, for example,
and that belongs to you), and only apply them on the official server if you
know for certain it won't break your system.

> For me, I will rent a server to run apache and postfix there.
> For this machine I have only ssh access.
> Some web interface for reboot, maybe.
> For example, when an rsbac-kernel is booting, then before granting anything,
> set up rc-roles and rc-types.
> From now all are running under the same rc-role. Only the boot process has its
> own.
> When this rc_inerhit_mixed works, maybe then it is better from the beginning
> to use this role_inherit_mixed.
> All the time the rc-role for the ssh will be used to look at the system, if
> all is right, and also used from a normal user account.

I believe I remember something that someone wrote somewhere some time
ago (maybe in an article, a mail on the mailing list or something
else): a bad security policy could be worse than having nothing (I
don't remember who said that).
A behaviour of granting everything should be particularly discouraged in
production systems, and in all systems on a network.

The role_inherit_mixed_up is, I think, the default behaviour in the
RC model (as you can see in its documentation), and is probably used
for all login-based programs.
