[rsbac] RSBAC (jail) vs vserver (or other VPS)

sftf at yandex.ru sftf at yandex.ru
Wed Jun 13 08:36:47 CEST 2007


Hi!
  Please advise me which is "better" for implementing a secure HTTP service (Apache),
  RSBAC (with jail) or vserver, in terms of:
  - breakability
  - isolation from other parts of the system
  - simplicity of implementing clear and secure configuration (very important)

My last experience with RSBAC has shown that RSBAC is difficult to configure because of
the many application parameters which need to be taken into account at the same time
(files, devices, processes, resources...).
Moreover, introducing Role Compatibility on a production server affects the whole system
(all daemons, for example) and compels one to configure tens of roles with hundreds of rules.
This results in the need to use ldd, strace, lsof, log analysis and so on.
And all the same, there is no confidence that all daemon operating modes have been traced and
that there will be no problems in the future.

But there are useful features which are in RSBAC and which are not present in vserver (correct me):
- /dev/kmem protection
- power logging
- user management
...

Has anything changed in RSBAC in terms of clear, secure, fast configuration?

Any advice/information will be very much appreciated.

Thanks!


