[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV

kang kang at rsbac.org
Tue Jan 13 17:35:30 CET 2009


Gergely Lónyai wrote:
> Hi,
>
> This kernel would have the Mandriva's "official" RSBAC kernel. :-(
> I dropping a module from this kernel?
>
> Aleph
>   

As a generic kernel, I wouldn't recommend the MAC module. It's too
complicated. Also, having all modules on means more of a performance penalty.

Please review:
http://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/selecting_models
to select the modules you need.

A solution might be to enable e.g.:
AUTH, RC, JAIL, CAP, PAX (if the kernel has pax only!), DAZ (if mandriva
provides on access scanners only!), FF, RES, UM

Have these policies switchable (meaning they can be enabled/disabled).

Then at startup have a script that can select which modules you desire.
So casual desktop users only load AUTH, FF, JAIL, CAP maybe, or AUTH, RC,
JAIL, CAP

Make sure only this script can do this at startup, of course. I'd like
to stress that this is not the best idea if "pure security" is the
objective, but it provides an easier setup for different users
(security/ease trade off :P)

Remember that these are just examples, it all depends on your goals :)

kang
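
Added example (not part of kang's message and not RSBAC project code): a sketch of the startup selection script the message describes. It turns a profile name into an on/off plan for the switchable modules and refuses unknown profiles. The profile names and the SWITCH_CMD variable are assumptions; PAX and DAZ are left out because the message makes them conditional, and restricting who may switch modules is an RSBAC policy matter that this script does not cover.

```shell
#!/bin/sh
# Switchable modules from the list suggested in the message
# (PAX and DAZ omitted: they depend on kernel and distribution support).
ALL_MODULES="AUTH RC JAIL CAP FF RES UM"

# Profile names are hypothetical; the two module sets are the ones the
# message gives for casual desktop users.
profile_modules() {
    case "$1" in
        desktop)    echo "AUTH FF JAIL CAP" ;;
        desktop-rc) echo "AUTH RC JAIL CAP" ;;
        *)          return 1 ;;
    esac
}

# Print one "MODULE 1" (on) or "MODULE 0" (off) line per switchable module.
# An unknown profile produces no plan at all, so nothing gets switched.
plan_for_profile() {
    wanted=$(profile_modules "$1") || {
        echo "unknown profile: $1" >&2
        return 1
    }
    for m in $ALL_MODULES; do
        case " $wanted " in
            *" $m "*) echo "$m 1" ;;
            *)        echo "$m 0" ;;
        esac
    done
}

# Apply the plan. SWITCH_CMD is an assumption: set it to the command that
# switches an RSBAC module on your system. The default (echo) is a dry run.
apply_profile() {
    plan=$(plan_for_profile "$1") || return 1
    echo "$plan" | while read -r mod state; do
        ${SWITCH_CMD:-echo} "$mod" "$state" </dev/null || exit 1
    done
}

# Run stand-alone as: script <profile>
if [ $# -gt 0 ]; then
    apply_profile "$1"
fi
```

With SWITCH_CMD unset, the script only prints the plan, which is a convenient way to review a profile before wiring it into the boot sequence.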

