[rsbac] About this part of Jens Documentation

Javier Juan Martínez Cabezón tazok.id0 at gmail.com
Tue Feb 17 22:12:15 CET 2015



I have chosen this approach; suggestions are welcome.

emerge has its own forced_role, and its caps as minimum.
The emerge binaries have their own fd_type.
When I need to make an upgrade I grant it with ttl as bofh (my secoff)
without committing to root, granting R, MAP_EXEC and EXECUTE to emerge_t.

Something like this:
rc_set_item -t 15 ROLE "$root_role" type_comp_fd "emerge_bin_t" R EXECUTE MAP_EXEC

Since it is a Python script, privileges are marked as absolute.

No need to fakeroot and you can take all RC learning mode capability
since you use a new role to emerge.

Comments are appreciated



On 15/02/15 20:57, Jens Kasten wrote:
> On Sun, 15 Feb 2015 18:41:39 +0100, Javier Juan Martínez
> Cabezón <tazok en rsbac.org> wrote:
> 
> Hi Javier,
> 
> You have to enable fake root in the kernel config, in the RSBAC section.
> 
> You can use rsbac_menu /path/to/bin and choose fake root uid or 
> attr_set_file_dir FILE /path/to/bin fake_root_uid [0-3]
> 
> Yes, set it to emerge, but fake_root_uid is not for expanding permissions
> for a user; it just makes it possible to fool programs if they do a
> check like user_id == 0.
> 
> The permission is set with, for example: attr_set_user updater min_caps
> CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID MKNOD
> NET_BIND_SERVICE
> 
> 
> Depending on the setup, you may have to change some roles too.
> 
> Regards
> 
> Jens
> 
> 
> 
> 
> 
> Hi Jens, it's related to this part of your docs.
> 
> Did you need to set fakeroot in some place? How did you do it? That
> is, did you set fakeroot to emerge binary or how did you deal with
> owner permissions of new packages installed?
> 
> http://www.rsbac.org/wiki/experiences/igraltist/admins#add_updater_user
>
> 
> 
> 
>> _______________________________________________ rsbac mailing
>> list rsbac en rsbac.org http://www.rsbac.org/mailman/listinfo/rsbac
> 
> 



