[rsbac] Boot Role

Javier Juan Martínez Cabezón tazok.id0 at gmail.com
Mon Aug 15 23:11:23 CEST 2011


If the message is exactly this (NOT GRANTED by RC), RC is not in softmode but
in secure mode instead (in global softmode you would see NOT GRANTED (softmode)
by RC). Add the boot parameter rsbac_softmode / rsbac_softmode_rc to your
grub/lilo to switch to softmode.

I don't remember the default values of init, but you could check the default
values of the binaries and of /sbin/init itself, together with the boot
role parameter definitions, to check what's up; you will find the reason for
the change there.

It is this way because of security concerns: nobody (no daemons, no initrd
scripts, etc.) should run with the boot role. Maybe you should create their own
roles for these binaries and make them run under them, isolating all you
can.

By default in RC there is inheritance until a setuid or exec is done; if
that happens, there could be triggers that change the new role. Check above.

You should check this too, take a look:
http://www.rsbac.org/documentation/rsbac_handbook/

Furthermore, you should add some more information, such as which distribution
you use, the version of RSBAC and things like this, because, among other things,
these default parameters may change between versions.

2011/8/15 ali valizadeh <valizadeh82 en yahoo.com>

> Hello all,
>
> I have compiled an RSBAC kernel with the RC and AUTH modules enabled. I could set
> the AUTH policy to boot the system with it (RC is in softmode). However, I couldn't
> boot the system with RC. I have checked that at boot time /sbin/init contains
> the Boot Role (999999) as initial_role, but the system couldn't boot with the
> role. There are many "NOT_GRANTED by RC" in processes such as dbus-daemon,
> avahi-daemon, hal-daemon and others. If the init process is the parent of other
> processes, and the RSBAC system supports inheritance, why can't the other processes
> get the Boot Role (in my test the role of the other processes is General user
> (0) and I expect it to be Boot Role!)?
>
> Please help me to boot the system with the Boot Role (999999). Thanks in
> advance for your help.
>
>
> Regards,
> Ali