[rsbac] script for initial RC policy to use with learning mode

Amon Ott ao at rsbac.org
Mon Jan 11 09:40:27 CET 2016


On 06.01.2016 at 17:36, Javier Juan Martínez Cabezón wrote:
> For now it eliminates in reset_caps all maximum capabilities to all
> binaries to allow learning at boot, bootscriptsrc() creates a new role
> and a new type for each init.d script and each cron task, names have
> a 15 character limit (Amon, I think this is too few), I have to
> truncate them.

I know this is too limited, but increasing would need a new on-disk list
version, which breaks compatibility with previous versions. I plan to
introduce new list versions for FD attributes some time this year, so we
can do it all together then and call the result Version 1.5 to indicate
that it is an upgrade.

> Amon, learning mode denies and then learns, is this the desired
> behaviour? This means that to fully learn, the same thing has to be
> executed many times.

No, this is wrong. I will look into it soon. Learning mode seems to have
been slightly broken for a while.

Currently, I am working on the FD cache for inherited attribute values,
which should be much faster than before and already needs much fewer
invalidates. All this is in the 4.1 git repo and will be ported to
others, when it has been well tested.

As Kernel 4.4 has just been released, the port to this new long term
stable version is also on my to-do list.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
