[rsbac] RC Boot Role
Amon Ott
ao at rsbac.org
Thu Jan 26 08:46:24 CET 2006
On Mittwoch 25 Januar 2006 20:16, Chirag Pandya wrote:
> I'm trying to understand the "RC Boot Role" more carefully so that I
> can prevent root from adding/editing init scripts.
> Here is my understanding so far:
> 1. Set /etc/init.d type to something other than 2 (System Admin).
> Let's say I set it to type 999999
> 2. Allow ROLE 999999 to read and run objects of type 999999
> 3. Set ROLE 2's compatibility with type 999999 to include no
WRITE/EDIT rights.
> 4. Set boot_role = 1 for ROLE 999999 and boot_role = 0 for ROLE 2.
>
> Is this the intended use of this role?
Yes, this is a way to do it. I usually have a separate force_role
"system init" at /etc/init.d/rc, too, to make sure that the start
scripts do not use the boot role - this way, only kernel threads and
init have the boot role.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
More information about the rsbac
mailing list