[rsbac] Boot Role (RC module)

Jens Kasten jens at kasten-edv.de
Tue Aug 16 22:43:49 CEST 2011


You could visit this site:
http://www.rsbac.org/wiki/experiences/igraltist/rc

This is my attempt at starting an RSBAC RC setup.
The wiki is not complete and has to be updated.

Here is also an older wiki page which describes how to set up RC roles:
http://www.rsbac.org/wiki/experiences/telmich

And this:
http://www.rsbac.org/wiki/experiences/tweety#howto_protect_kernel_code_against_tampering




On Tuesday, 16.08.2011, at 13:09 -0700, ali valizadeh wrote:
> 
> Hi everyone,
> 
> I have installed rsbac version 1.4.3 on Fedora 12 (kernel version 2.6.32-8). In my compilation AUTH and RC are enabled.
> 
> Yes, I boot the system with rsbac_softmode to configure the system at first boot. I could set the policy for AUTH to remove the "NOT_GRANTED by AUTH (softmode)" messages, but I couldn't set the correct policy for RC to remove the "NOT_GRANTED by RC (softmode)" messages.
> I want to set the policy for the RC module in softmode, and then I want to boot the system in enforcement mode without the softmode parameter.
> Please help me to use the boot role or other roles (if the boot role is insecure) to boot the system in enforcement mode. Please help me to set roles (initial or force roles) for init, dbus-daemon, avahi-daemon, hal-daemon and other processes so that the system boots correctly.
> 
> Many thanks to all.
> 
> Regards,
> Ali
> 
> 
> 
> 
> ________________________________
> From: "rsbac-request at rsbac.org" <rsbac-request at rsbac.org>
> To: rsbac at rsbac.org
> Sent: Tuesday, August 16, 2011 9:31 PM
> Subject: rsbac Digest, Vol 61, Issue 1
> 
> 
> > Hello all,
> >
> > I have compiled an RSBAC kernel with the RC and AUTH modules enabled. I could set the AUTH policy to boot the system with it (RC is in softmode). However, I couldn't boot the system with RC. I have checked that at boot time /sbin/init contains the Boot Role (999999) as initial_role, but the system couldn't boot with the role. There are many "NOT_GRANTED by RC" in processes such as dbus-daemon, avahi-daemon, hal-daemon and others. If the init process is the parent of the other processes, and the RSBAC system supports inheritance, why can't the other processes get the Boot Role (in my test the role of the other processes is General user (0) and I expect it to be Boot Role!)?
> >
> > Please help me to boot the system with the Boot Role (999999). Thanks in advance for your help.
> >
> >
> > Regards,
> > Ali
> 
> ------------------------------
> 
> Message: 6
> Date: Mon, 15 Aug 2011 23:11:23 +0200
> From: Javier Juan Martínez Cabezón <tazok.id0 at gmail.com>
> To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
> Subject: Re: [rsbac] Boot Role
> Message-ID:
>     <CAD98N_GfDjaw=fu0Pj6Q=yRZW-36hw=9bHRTm5u3xNu=wSV2kA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> If the message is exactly this (NOT GRANTED by RC), RC is not in softmode
> but in secure mode instead (in global softmode you would see NOT GRANTED
> (softmode) by RC). Add the boot parameter rsbac_softmode / rsbac_softmode_rc
> to your grub/lilo to switch to softmode.
> 
> I don't remember the default values of init, but you could check the default
> values of the binaries and of /sbin/init itself, together with the boot
> role parameter definitions, to check what's up; the reason for the change you
> will find in there.
> 
> It is this way because of security concerns: nobody (no daemons, no initrd
> scripts etc.) should run with the boot role. Maybe you should create separate
> roles for these binaries and make them run under those roles, isolating all
> you can.
> 
> By default in RC there is inheritance until a setuid or exec is done; if
> that happens, there could be triggers that change to the new role. Check above.
> 
> You should check this too, take a look:
> http://www.rsbac.org/documentation/rsbac_handbook/
> 
> Furthermore, you should add some more information, such as which distribution
> you use, the version of rsbac and things like this, because among other things
> these default parameters may change between versions.
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Mon, 15 Aug 2011 23:25:03 +0200
> From: Jens Kasten <jens at kasten-edv.de>
> To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
> Subject: Re: [rsbac] Boot Role
> Message-ID: <1313443503.13473.14.camel at jaschtschik-malo>
> Content-Type: text/plain; charset="UTF-8"
> 
> Hi Ali,
> 
> Your info about RC looks like it is not running in softmode.
> Booting a kernel with softmode enabled in the configuration does not
> automatically boot in softmode.
> There is a kernel boot parameter rsbac_softmode.
> If you have already set it, then maybe check the kernel configuration for
> rsbac twice.
> More information about which kernel and rsbac version would be helpful,
> but would not automatically lead to success in this case ;)
> 
> In my case I would avoid using the Boot Role and General Role for all
> services.
> 
> Regards,
> Jens
> 
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Tue, 16 Aug 2011 00:12:20 +0200
> From: Javier Juan Martínez Cabezón <tazok.id0 at gmail.com>
> To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
> Subject: Re: [rsbac] Boot Role
> Message-ID:
>     <CAD98N_Hbvgx83GcTRKAiNLX+fKp1tUdZSnQdyVaSn2jY-AwMjA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I think it's the key to this question because, if I'm not wrong, the inherited
> mixed proc/user parameter is not the default switch now.
> 
> 
> ------------------------------
> 
> Message: 9
> Date: Tue, 16 Aug 2011 09:54:33 -0700
> From: "Gergely Lónyai" <aleph at mandriva.org>
> To: rsbac at rsbac.org
> Subject: [rsbac] kernel-3.0.y
> Message-ID:
>     <20110816095433.9b05b4e5e48d18b6dc565714b379f9f0.a8cd6efa9e.wbe at email10.secureserver.net>
>     
> Content-Type: text/plain; charset="utf-8"
> 
> Hi
> 
> Mandriva 2011 is RSBAC ready now. I have submitted kernel-rsbac-3.0.1
> and will maintain it for the whole Mandriva 2011 lifetime.
> 
> 1. Install Mandriva 2011 (now Mandriva 2011 RC2)
> 2. Open a konsole and run "urpmi rsbac"
> 3. http://www.rsbac.org/documentation/rsbac_handbook/installation/first_boot
> 
> Gergely Lonyai, Aleph
> 
> 
> 
> ------------------------------
> 
> End of rsbac Digest, Vol 61, Issue 1
> ************************************
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
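
An added example, not part of the original thread and not RSBAC's own tooling: the replies above separate a plain "NOT_GRANTED by RC" (enforcing) from a softmode-tagged denial, so this Python sketch tallies denials per module and program to show which modules are really enforcing and which daemons still need roles of their own. The sample log lines and the `prog_name` field layout are constructed assumptions.

```python
import re
from collections import Counter

# Assumed record layout: a "prog_name <name>," field and a trailing
# "result NOT_GRANTED ... by <MODULE>" field. Both softmode spellings quoted
# in the thread are accepted: "(softmode) by RC" and "by RC (softmode)".
DENY = re.compile(
    r"NOT[_ ]GRANTED\s*(?P<pre>\(softmode\))?\s*by\s+(?P<module>[A-Z]+)"
    r"\s*(?P<post>\(softmode\))?",
    re.IGNORECASE,
)
PROG = re.compile(r"prog_name\s+(?P<prog>[^,\s]+)")

def triage(lines):
    """Return (enforced, soft) Counters keyed by (module, program)."""
    enforced, soft = Counter(), Counter()
    for line in lines:
        m = DENY.search(line)
        if not m:
            continue  # not an RSBAC denial record
        prog = PROG.search(line)
        key = (m.group("module").upper(), prog.group("prog") if prog else "?")
        is_soft = bool(m.group("pre") or m.group("post"))
        (soft if is_soft else enforced)[key] += 1
    return enforced, soft

def enforcing_modules(lines):
    """Modules that denied at least one request without the softmode tag."""
    enforced, _ = triage(lines)
    return sorted({module for module, _ in enforced})

# Constructed sample lines (not captured from a real system).
SAMPLE = [
    "request READ_OPEN, pid 812, prog_name dbus-daemon, uid 81, result NOT_GRANTED (softmode) by RC",
    "request CONNECT, pid 830, prog_name avahi-daemon, uid 70, result NOT_GRANTED by RC (softmode)",
    "request READ_OPEN, pid 845, prog_name hald, uid 68, result NOT_GRANTED by RC",
    "request WRITE_OPEN, pid 812, prog_name dbus-daemon, uid 81, result NOT_GRANTED by RC",
    "request CHANGE_OWNER, pid 901, prog_name login, uid 0, result NOT_GRANTED (softmode) by AUTH",
    "EXT3-fs: mounted filesystem with ordered data mode",
]

if __name__ == "__main__":
    enforced, soft = triage(SAMPLE)
    print("enforcing modules:", enforcing_modules(SAMPLE))
    for (module, prog), n in sorted((enforced + soft).items()):
        print(f"{module:5} {prog:14} enforced={enforced[(module, prog)]} soft={soft[(module, prog)]}")
```

Any module listed as enforcing was not covered by the softmode boot parameter for that run; the per-program counts list the binaries that were denied under the role they ran with.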



