[rsbac] Boot Role (RC module)

ali valizadeh valizadeh82 at yahoo.com
Tue Aug 16 22:09:06 CEST 2011



Hi everyone,

I have installed the rsbac 1.4.3 version on Fedora 12 (kernel version 2.6.32-8). In my compilation AUTH and RC are enabled.

Yes, I boot the system with rsbac_softmode to configure the system at first boot. I could set the policy for AUTH to remove the "NOT_GRANTED by AUTH (softmode)" messages, but I couldn't set the correct policy for RC to remove the "NOT_GRANTED by RC (softmode)" messages.
I want to set the policy for the RC module in softmode, and then I want to boot the system in enforcement mode without the softmode parameter.
Please help me to use the boot role or other roles (if the boot role is insecure) to boot the system in enforcement mode. Please help me with how to set roles (initial or force roles) for init, dbus-daemon, avahi-daemon, hal-daemon and other processes to boot the system correctly.

Many thanks to all.

Regards,
Ali




________________________________
From: "rsbac-request at rsbac.org" <rsbac-request at rsbac.org>
To: rsbac at rsbac.org
Sent: Tuesday, August 16, 2011 9:31 PM
Subject: rsbac Digest, Vol 61, Issue 1


> Hello all,
>
> I have compiled RSBAC kernel with RC and AUTH modules enabled. I could set AUTH policy to boot system with it (RC is in softmode). However I couldn't boot system with RC. I have checked that at boot time /sbin/init contains the Boot Role (999999) as initial_role but the system couldn't boot with the role. There are many "NOT_GRANTED by RC" in processes such as dbus-daemon, avahi-daemon, hal-daemon and others. If init process is the parent of other processes, and RSBAC system support inheritance, why the other processes can't get Boot Role (in my test the role of other processes is General user (0) and I expect it to be Boot Role!)?
>
> Please help me to boot system with the Boot Role (999999). Thanks in advance for your help.
>
> Regards,
> Ali

------------------------------

Message: 6
Date: Mon, 15 Aug 2011 23:11:23 +0200
From: Javier Juan Martínez Cabezón <tazok.id0 at gmail.com>
To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
Subject: Re: [rsbac] Boot Role
Message-ID:
    <CAD98N_GfDjaw=fu0Pj6Q=yRZW-36hw=9bHRTm5u3xNu=wSV2kA at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

If the message is exactly this (NOT GRANTED by RC), RC is not in softmode
but in secure mode instead (in global softmode you would see NOT GRANTED
(softmode) by RC). Add the boot parameter rsbac_softmode / rsbac_softmode_rc
to your grub/lilo to switch to softmode.

I don't remember the default values of init, but you could check the default
values of the binaries and of /sbin/init itself, together with the boot
role parameters definition, to check what's up; the reason for the change you
will find there.

It is this way because of security concerns: nobody (no daemons, no initrd
scripts etc.) should run with the boot role. Maybe you should create their own
roles for these binaries and make them run under them, isolating all you
can.

By default in RC there is inheritance until a setuid or exec is done; if
that happens, there could be triggers to change the new role. Check above.

You should check this too, take a look:
http://www.rsbac.org/documentation/rsbac_handbook/

Furthermore you should add some more information, such as which distribution
you use, the version of rsbac and things like this, because among other things
these parameters may by default change between versions.



------------------------------

Message: 7
Date: Mon, 15 Aug 2011 23:25:03 +0200
From: Jens Kasten <jens at kasten-edv.de>
To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
Subject: Re: [rsbac] Boot Role
Message-ID: <1313443503.13473.14.camel at jaschtschik-malo>
Content-Type: text/plain; charset="UTF-8"

Hi Ali,

your info about RC looks like it is not running in softmode.
Only booting a kernel with softmode enabled in the configuration does not
automatically boot in softmode.
There is a kernel boot parameter rsbac_softmode.
If you already set it then maybe check the kernel configuration for
rsbac twice.
More information about which kernel and rsbac version would be helpful
but would not lead automatically to success in this case ;)

In my case I would avoid using the Boot Role and General Role for all
services.

Greetings
Jens






------------------------------

Message: 8
Date: Tue, 16 Aug 2011 00:12:20 +0200
From: Javier Juan Martínez Cabezón <tazok.id0 at gmail.com>
To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
Subject: Re: [rsbac] Boot Role
Message-ID:
    <CAD98N_Hbvgx83GcTRKAiNLX+fKp1tUdZSnQdyVaSn2jY-AwMjA at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I think it's the key of this question because if I'm not wrong inherited
mixed proc/user parameter is not the switch by default now.

2011/8/15 Jens Kasten <jens at kasten-edv.de>

>
> More information about which kernel and rsbac version would be helpful
> but would not lead automatically to success in this case ;)
>
> In my case I would avoid using the Boot Role and General Role for all
> services.


------------------------------

Message: 9
Date: Tue, 16 Aug 2011 09:54:33 -0700
From: Gergely Lónyai <aleph at mandriva.org>
To: rsbac at rsbac.org
Subject: [rsbac] kernel-3.0.y
Message-ID:
    <20110816095433.9b05b4e5e48d18b6dc565714b379f9f0.a8cd6efa9e.wbe at email10.secureserver.net>
    
Content-Type: text/plain; charset="utf-8"

Hi

The Mandriva 2011 is RSBAC ready now. I submit the kernel-rsbac-3.0.1
and will maintain it for all the Mandriva 2011 lifetime.

1. Install Mandriva 2011 (now Mandriva 2011 RC2)
2. open a konsole and run "urpmi rsbac"
3. http://www.rsbac.org/documentation/rsbac_handbook/installation/first_boot

Gergely Lonyai, Aleph



------------------------------

_______________________________________________
rsbac mailing list
rsbac at rsbac.org
https://www.rsbac.org/mailman/listinfo/rsbac

End of rsbac Digest, Vol 61, Issue 1
************************************

