[rsbac] First steps into using RSBAC (non-advanced)

Palon Setin palons at danwin1210.me
Sat Dec 15 18:37:00 CET 2018 


Palon Setin:
> PART 1
...
> Now, if you want to find the line:
> 
>   | RSBAC adds 'real' access control to the kernel. [...]          |
> 
> that I pasted further above, you can. Remaining in the
> linux-4.19.9/ dir, type "make menuconfig" and browse to that
> line, as the pastes show.

PART 2

If you were curious to find the line

  | RSBAC adds 'real' access control to the kernel. [...]          |

in the kernel we just prepped for compilation, I hope you
remembered to quit at that time, and not issuing "make" itself
(the Debian flavor being "make deb-pkg"), so you can go and read
entire first-steps into RSBAC email-guide first, before going
further.

That is the smart approach. Always take care you can recover to
previous state before going for extensive, or in our case it is
more appropriate to call them substantial, changes to your
system.

I have myself first read, and twice, all the documentation on
https://www.rsbac.org/documentation as well as:
https://www.mad-hacking.net/documentation/linux/security/rsbac/
and other places.

However, your following actively of the first email and this
second email will not make any changes to your system, and it
will allow you to study this mighty security program, so you're
safe following, so far.

( You anyway can only follow at your own responsability. I write
in very good faith, but without any warranty. )

After you performed the steps in the first email, the below
should hold (or make it hold, if you return to reading here
later):

$ pwd
/home/me/linux-4.19.8/ (just it will be your name, not "me")

So if it holds, and you followed correctly the first part, you
can now follow this second part of this guide.

The source, and (probably) your Linux system, is all set up such
that it will (likely) pull your oldconfig without your doing
anything about it, but that really depends on your Linux flavor
and other things. So you stand nothing to lose if you simply go
and find your last config, likely in the /boot/ directory, and
copy it, something like this:

( "#" at start means the command is run as root, see note in
previous email, i.e. PART 1, on "$" )

The below can be done in another terminal, after "sudo -s" or
similar command to become root.

# cd /home/me

( but it can be some other
<dir-where-we-are-working-as-regular-user> )

# cp -iav /boot/config-4.19.5 linux-4.19.9/.config
# chown me:me linux-4.19.9/.config

The last line is only necessary for Debian Linuces. In Debian
the compilation is done as regular user, in this case, it's user
"me" with homedir "/home/me".

And here we start the configuration of the kernel (notice we are
regular again, but it may not be so in non-Debian):

$ pwd
/home/me/linux-4.19.8/

And now:
$ make menuconfig

Compiling the kernel is a huge topic, dependent on your
hardware, on your Linux flavor, and other matters.

And if you find yourself stuck, there are plenty of guides on
the net on kernel compilation. Best to start from your distro's
howto/tips pages on it.

Well, once you have configured your kernel, you compile it, and
install it the way is customary for your distro.

After the compilation has completed, the next step (remember,
you're still in linux-4.19.8/), for Debian family of OSes, it's:
$ make deb-pkg

( You need here to see your distro's docs for how to compile the
kernel, but it is often along the lines of simply:
$ make )

The compilation will take some time to complete.

And then, in Debian:
$ cd ..
# dpkg -i *.deb
(assuming you don't have other *.deb packages around but only
those that you just freshly compiled in that linux-4.19.8/
directory)

(  You need here to see your distro's docs for how to install
the kernel you just compiled, but it is often along the lines of:
# make install )

That will install the kernel, the libc package and the kernel-headers.

Debian specific, the packages that the compilation got me, and
which I ran "dpkg -i..." on, are:

$ ls -ltrh *.deb
-rw-r--r-- 1 me me  11M 2018-12-14 21:44
linux-headers-4.19.9-rsbac-181214_4.19.9-rsbac-181214-1_amd64.deb

-rw-r--r-- 1 me me 991K 2018-12-14 21:44
linux-libc-dev_4.19.9-rsbac-181214-1_amd64.deb

-rw-r--r-- 1 me me 9.4M 2018-12-14 21:44
linux-image-4.19.9-rsbac-181214_4.19.9-rsbac-181214-1_amd64.deb


Next is installing rsbac-admin package.

Email can't be changed once it is sent, so allow for ERRATA
later.

Sincerely,
Palon Setin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://www.rsbac.org/pipermail/rsbac/attachments/20181215/bd290858/attachment-0001.sig>

More information about the rsbac mailing list