[rsbac] First steps into using RSBAC (non-advanced)
Palon Setin
palons at danwin1210.me
Sun Dec 16 00:30:00 CET 2018
Sorry for so many typing/pasting errors in PART 2, that I correct below!
Palon Setin:
>
>
> Palon Setin:
>> PART 1
...
>> | RSBAC adds 'real' access control to the kernel. [...] |
...
> PART 2
...
> However, your following actively of the first email and this
> second email will not make any changes to your system, and it
> will allow you to study this mighty security program, so you're
> safe following, so far.
...
ERRATA
> /home/me/linux-4.19.8/ (just it will be your name, not "me")
should read:
> /home/me/linux-4.19.9/ (just it will be your name, not "me")
...
> $ pwd
ERRATA:
> /home/me/linux-4.19.8/
should read:
> /home/me/linux-4.19.9/
...
ERRATA:
> you're still in linux-4.19.8/), for Debian family of OSes, it's:
should read
> you're still in linux-4.19.9/), for Debian family of OSes, it's:
...
ERRATA:
> those that you just freshly compiled in that linux-4.19.8/
should read:
> those that you just freshly compiled in that linux-4.19.9/
...
> Debian specific, the packages that the compilation got me, and
> which I ran "dpkg -i..." on, are:
>
> $ ls -ltrh *.deb
> -rw-r--r-- 1 me me 11M 2018-12-14 21:44
> linux-headers-4.19.9-rsbac-181214_4.19.9-rsbac-181214-1_amd64.deb
should read:
> linux-headers-4.19.9-rsbac-1_amd64.deb
>
> -rw-r--r-- 1 me me 991K 2018-12-14 21:44
> linux-libc-dev_4.19.9-rsbac-181214-1_amd64.deb
should read:
> linux-libc-dev_4.19.9-rsbac-1_amd64.deb
>
> -rw-r--r-- 1 me me 9.4M 2018-12-14 21:44
> linux-image-4.19.9-rsbac-181214_4.19.9-rsbac-181214-1_amd64.deb
should read:
> linux-image-4.19.9-rsbac-1_amd64.deb
...
> Next is installing rsbac-admin package.
PART 3
The starting tips are at: Building and installing the
administration tools
https://www.rsbac.org/documentation/rsbac_handbook/installation/installing_from_source/administration_tools
You will need the packages listed on that page.
F. e. I needed to install only dialog (and it was version
1.3-20181022), and, but that I found only later, having had this
error:
/bin/sh: 1: libtool: not found
make[1]: *** [Makefile:83: librsbac.la] Error 127
make: *** [Makefile:73: libs] Error 2
(and) libtool-bin (2.4.6-6, which goes, in Debian, with the same
version of libtool-doc).
No other packages I had missing, but I have some experience in
compiling different packages and had already had basic and other
development packages installed.
The source of rsbac-admin is well organized, and user-friendly.
Uncompressing and chdir-ing into:
$ rsbac-admin-1.5.3-201808141046
is most helpful, as it does not do what the INSTALL currently
says (and I'm trying to report a very minor bug in documentation
of that package which this is): "Simply typing make will only
build the package."
Instead, "Typing make will show you building options and tools
list" as reads in the link given at top of this email.
The way that worked for me to get all the tools compiled (and
later installed) right, was:
(of course, but the careful reader likely guessed it already:
$ make
just four chars, the first command)
then:
$ make PREFIX=/usr LIBDIR=/lib build
and then:
# make PREFIX=/usr LIBDIR=/lib install
There is an issue that I had with it though, and if you care to
control what installs into your system, you will have an issue
to solve too! So don't just go ahead right away. The defaults,
the install into /usr/local/ might suit your needs better.
The issue is, the way above in which I did it, compels you to take
some notice somewhere safe of exactly what files the "make
install" with the PREFIX=/usr and the LIBDIR=/lib installs in
your system! There is no package manager that can do it for you,
you likely have to do it manually.
The way I will keep notice of what it installs is I will keep
the logs of the "make build" and esp. the "make install" (with
those options), for as long as those files will be in my system.
Why? Because I have the log there of what it installed.
It's lengthy, but this is what the above "make ... install"
should get you, the entire log is right here below, between
boundaries made of "=~=~=~".
( and of course I got that log with the command:
# make PREFIX=/usr LIBDIR=/lib install > that-log )
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Installing RSBAC headers...
-------------------------------------
INTO (/usr)
DIR //usr/include/rsbac
INSTALL rsbac/res_getname.h
INSTALL rsbac/request_groups.h
INSTALL rsbac/um_types.h
INSTALL rsbac/helpers.h
INSTALL rsbac/pax_getname.h
INSTALL rsbac/syscalls.h
INSTALL rsbac/aci_data_structures.h
INSTALL rsbac/jail_getname.h
INSTALL rsbac/gen_lists.h
INSTALL rsbac/um.h
INSTALL rsbac/net_getname.h
INSTALL rsbac/auth_data_structures.h
INSTALL rsbac/pax.h
INSTALL rsbac/types.h
INSTALL rsbac/network_types.h
INSTALL rsbac/debug.h
INSTALL rsbac/cap_getname.h
INSTALL rsbac/rc_data_structures.h
INSTALL rsbac/udf.h
INSTALL rsbac/network.h
INSTALL rsbac/syscall_rsbac.h
INSTALL rsbac/reg.h
INSTALL rsbac/repl_lists.h
INSTALL rsbac/rc_getname.h
INSTALL rsbac/repl_types.h
INSTALL rsbac/acl_getname.h
INSTALL rsbac/fs.h
INSTALL rsbac/getname.h
INSTALL rsbac/rc_types.h
INSTALL rsbac/reg_main.h
INSTALL rsbac/acl_types.h
INSTALL rsbac/error.h
Building RSBAC Libraries...
-------------------------------------
Installing RSBAC libraries...
-------------------------------------
INTO (/usr)
DIR /lib
INSTALL librsbac.la
libtool: warning: remember to run 'libtool --finish /lib'
LIBTOOL librsbac.la
Building RSBAC PAM...
-------------------------------------
Installing RSBAC PAM...
-------------------------------------
INTO
DIR /lib/security
INSTALL pam_rsbac_oldpw.so pam_rsbac.so
DIR /usr/share/locale
INSTALL de fr
Building rklogd and rklogd-viewer...
-------------------------------------
Installing rklogd and rklogd-viewer...
-------------------------------------
INTO (/usr)
DIR /usr/sbin /usr/bin /usr/share/man/man8
INSTALL rklogd
INSTALL rklogd-viewer
GZIP man/rklogd.rus.8
GZIP man/rklogd.8
INSTALL man/rklogd.rus.8.gz
INSTALL man/rklogd.8.gz
Building RSBAC tools...
-------------------------------------
Installing RSBAC tools...
-------------------------------------
INTO (/usr)
DIR /usr/bin /usr/share/man/man1
/usr/share/doc/rsbac-tools-1.5.3 /bin
DIR /usr/share/locale
INSTALL de ru fr
INSTALL src/rsbac_login
INSTALL src/rsbac_version
INSTALL src/acl_grant
INSTALL src/acl_group
INSTALL src/acl_mask
INSTALL src/acl_rights
INSTALL src/acl_rm_user
INSTALL src/acl_tlist
INSTALL src/attr_back_dev
INSTALL src/attr_back_fd
INSTALL src/attr_back_user
INSTALL src/attr_back_group
INSTALL src/attr_back_net
INSTALL src/attr_get_fd
INSTALL src/attr_get_file_dir
INSTALL src/attr_get_ipc
INSTALL src/attr_get_process
INSTALL src/attr_get_up
INSTALL src/attr_get_net
INSTALL src/attr_get_user
INSTALL src/attr_get_group
INSTALL src/attr_rm_fd
INSTALL src/attr_rm_file_dir
INSTALL src/attr_rm_user
INSTALL src/attr_rm_group
INSTALL src/attr_set_fd
INSTALL src/attr_set_file_dir
INSTALL src/attr_set_ipc
INSTALL src/attr_set_process
INSTALL src/attr_set_up
INSTALL src/attr_set_net
INSTALL src/attr_set_user
INSTALL src/attr_set_group
INSTALL src/auth_back_cap
INSTALL src/auth_set_cap
INSTALL src/get_attribute_name
INSTALL src/get_attribute_nr
INSTALL src/mac_wrap
INSTALL src/mac_get_levels
INSTALL src/mac_set_trusted
INSTALL src/mac_back_trusted
INSTALL src/daz_flush
INSTALL src/rsbac_udf_flush
INSTALL src/rc_copy_role
INSTALL src/rc_copy_type
INSTALL src/rc_get_eff_rights_fd
INSTALL src/rc_get_item
INSTALL src/rc_role_wrap
INSTALL src/rc_set_item
INSTALL src/rc_get_current_role
INSTALL src/rc_create_file
INSTALL src/rsbac_check
INSTALL src/rsbac_stats
INSTALL src/rsbac_write
INSTALL src/switch_adf_log
INSTALL src/switch_module
INSTALL src/net_temp
INSTALL src/linux2acl
INSTALL src/rsbac_jail
INSTALL src/rsbac_init
INSTALL src/rsbac_useradd
INSTALL src/rsbac_usermod
INSTALL src/rsbac_userdel
INSTALL src/rsbac_usershow
INSTALL src/rsbac_groupadd
INSTALL src/rsbac_groupmod
INSTALL src/rsbac_groupdel
INSTALL src/rsbac_groupshow
INSTALL src/rsbac_passwd
INSTALL src/rsbac_gpasswd
INSTALL src/rsbac_list_ta
INSTALL src/rsbac_auth
INSTALL src/scripts/backup_all
INSTALL src/scripts/rsbac_acl_group_menu
INSTALL src/scripts/rsbac_acl_menu
INSTALL src/scripts/rsbac_dev_menu
INSTALL src/scripts/rsbac_fd_menu
INSTALL src/scripts/rsbac_menu
INSTALL src/scripts/rsbac_process_menu
INSTALL src/scripts/rsbac_rc_role_menu
INSTALL src/scripts/rsbac_rc_type_menu
INSTALL src/scripts/rsbac_user_menu
INSTALL src/scripts/rsbac_group_menu
INSTALL src/scripts/rsbac_settings_menu
INSTALL src/scripts/rsbac_netdev_menu
INSTALL src/scripts/rsbac_nettemp_menu
INSTALL src/scripts/rsbac_nettemp_def_menu
INSTALL src/scripts/user_aci.sh
GZIP man/attr_get_fd.1
GZIP man/net_temp.1
GZIP man/acl_mask.1
GZIP man/attr_set_fd.1
GZIP man/attr_back_user.1
GZIP man/attr_rm_file_dir.1
GZIP man/attr_get_user.1
GZIP man/rsbac_check.1
GZIP man/attr_set_user.1
GZIP man/attr_rm_fd.1
GZIP man/rc_role_wrap.1
GZIP man/attr_get_up.1
GZIP man/attr_get_file_dir.1
GZIP man/switch_module.1
GZIP man/rsbac_stats.1
GZIP man/attr_rm_user.1
GZIP man/rsbac_write.1
GZIP man/linux2acl.1
GZIP man/attr_back_fd.1
GZIP man/attr_get_process.1
GZIP man/acl_rm_user.1
GZIP man/attr_set_process.1
GZIP man/switch_adf_log.1
GZIP man/rsbac_jail.1
GZIP man/rc_copy_role.1
INSTALL man/attr_get_fd.1.gz
INSTALL man/net_temp.1.gz
INSTALL man/acl_mask.1.gz
INSTALL man/attr_set_fd.1.gz
INSTALL man/attr_back_user.1.gz
INSTALL man/attr_rm_file_dir.1.gz
INSTALL man/attr_get_user.1.gz
INSTALL man/rsbac_check.1.gz
INSTALL man/attr_set_user.1.gz
INSTALL man/attr_rm_fd.1.gz
INSTALL man/rc_role_wrap.1.gz
INSTALL man/attr_get_up.1.gz
INSTALL man/attr_get_file_dir.1.gz
INSTALL man/switch_module.1.gz
INSTALL man/rsbac_stats.1.gz
INSTALL man/attr_rm_user.1.gz
INSTALL man/rsbac_write.1.gz
INSTALL man/linux2acl.1.gz
INSTALL man/attr_back_fd.1.gz
INSTALL man/attr_get_process.1.gz
INSTALL man/acl_rm_user.1.gz
INSTALL man/attr_set_process.1.gz
INSTALL man/switch_adf_log.1.gz
INSTALL man/rsbac_jail.1.gz
INSTALL man/rc_copy_role.1.gz
INSTALL AUTHORS INSTALL README COPYING Changes
INSTALL examples
Building RSBAC NSS...
-------------------------------------
Installing RSBAC NSS...
-------------------------------------
INTO (/usr)
DIR /lib
INSTALL libnss_rsbac.la
libtool: warning: relinking 'libnss_rsbac.la'
libtool: warning: remember to run 'libtool --finish /lib'
INSTALL libnss_rsbac.la
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
It took me not so little work, but these are the files that were
installed, now put in a list one per line, be they directories
(just a few) or files, again right here below, between
boundaries made of "=~=~=~",
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
/usr/share/man/man1/acl_mask.1.gz
/usr/share/man/man1/acl_rm_user.1.gz
/usr/share/man/man1/attr_back_fd.1.gz
/usr/share/man/man1/attr_back_user.1.gz
/usr/share/man/man1/attr_get_fd.1.gz
/usr/share/man/man1/attr_get_file_dir.1.gz
/usr/share/man/man1/attr_get_process.1.gz
/usr/share/man/man1/attr_get_up.1.gz
/usr/share/man/man1/attr_get_user.1.gz
/usr/share/man/man1/attr_rm_fd.1.gz
/usr/share/man/man1/attr_rm_file_dir.1.gz
/usr/share/man/man1/attr_rm_user.1.gz
/usr/share/man/man1/attr_set_fd.1.gz
/usr/share/man/man1/attr_set_process.1.gz
/usr/share/man/man1/attr_set_user.1.gz
/usr/share/man/man1/linux2acl.1.gz
/usr/share/man/man1/net_temp.1.gz
/usr/share/man/man1/rc_copy_role.1.gz
/usr/share/man/man1/rc_role_wrap.1.gz
/usr/share/man/man1/rsbac_check.1.gz
/usr/share/man/man1/rsbac_jail.1.gz
/usr/share/man/man1/rsbac_stats.1.gz
/usr/share/man/man1/rsbac_write.1.gz
/usr/share/man/man1/switch_adf_log.1.gz
/usr/share/man/man1/switch_module.1.gz
/usr/share/man/man8/rklogd.8.gz
/usr/share/man/man8/rklogd.rus.8.gz
/lib/security
/lib/security/pam_rsbac_oldpw.so
/lib/security/pam_rsbac.so
/usr/include/rsbac
/usr/include/rsbac/request_groups.h
/usr/include/rsbac/um_types.h
/usr/include/rsbac/helpers.h
/usr/include/rsbac/pax_getname.h
/usr/include/rsbac/syscalls.h
/usr/include/rsbac/aci_data_structures.h
/usr/include/rsbac/jail_getname.h
/usr/include/rsbac/gen_lists.h
/usr/include/rsbac/um.h
/usr/include/rsbac/net_getname.h
/usr/include/rsbac/auth_data_structures.h
/usr/include/rsbac/pax.h
/usr/include/rsbac/types.h
/usr/include/rsbac/network_types.h
/usr/include/rsbac/debug.h
/usr/include/rsbac/cap_getname.h
/usr/include/rsbac/rc_data_structures.h
/usr/include/rsbac/udf.h
/usr/include/rsbac/network.h
/usr/include/rsbac/syscall_rsbac.h
/usr/include/rsbac/reg.h
/usr/include/rsbac/repl_lists.h
/usr/include/rsbac/rc_getname.h
/usr/include/rsbac/repl_types.h
/usr/include/rsbac/acl_getname.h
/usr/include/rsbac/fs.h
/usr/include/rsbac/getname.h
/usr/include/rsbac/rc_types.h
/usr/include/rsbac/reg_main.h
/usr/include/rsbac/acl_types.h
/usr/include/rsbac/error.h
/usr/include/rsbac/res_getname.h
/usr/bin/acl_grant
/usr/bin/acl_group
/usr/bin/acl_mask
/usr/bin/acl_rights
/usr/bin/acl_rm_user
/usr/bin/acl_tlist
/usr/bin/attr_back_dev
/usr/bin/attr_back_fd
/usr/bin/attr_back_user
/usr/bin/attr_back_group
/usr/bin/attr_back_net
/usr/bin/attr_get_fd
/usr/bin/attr_get_file_dir
/usr/bin/attr_get_ipc
/usr/bin/attr_get_process
/usr/bin/attr_get_up
/usr/bin/attr_get_net
/usr/bin/attr_get_user
/usr/bin/attr_get_group
/usr/bin/attr_rm_fd
/usr/bin/attr_rm_file_dir
/usr/bin/attr_rm_user
/usr/bin/attr_rm_group
/usr/bin/attr_set_fd
/usr/bin/attr_set_file_dir
/usr/bin/attr_set_ipc
/usr/bin/attr_set_process
/usr/bin/attr_set_up
/usr/bin/attr_set_net
/usr/bin/attr_set_user
/usr/bin/attr_set_group
/usr/bin/auth_back_cap
/usr/bin/auth_set_cap
/usr/bin/get_attribute_name
/usr/bin/get_attribute_nr
/usr/bin/mac_wrap
/usr/bin/mac_get_levels
/usr/bin/mac_set_trusted
/usr/bin/mac_back_trusted
/usr/bin/daz_flush
/usr/bin/rsbac_udf_flush
/usr/bin/rc_copy_role
/usr/bin/rc_copy_type
/usr/bin/rc_get_eff_rights_fd
/usr/bin/rc_get_item
/usr/bin/rc_role_wrap
/usr/bin/rc_set_item
/usr/bin/rc_get_current_role
/usr/bin/rc_create_file
/usr/bin/rsbac_check
/usr/bin/rsbac_stats
/usr/bin/rsbac_write
/usr/bin/switch_adf_log
/usr/bin/switch_module
/usr/bin/net_temp
/usr/bin/linux2acl
/usr/bin/rsbac_jail
/usr/bin/rsbac_init
/usr/bin/rsbac_useradd
/usr/bin/rsbac_usermod
/usr/bin/rsbac_userdel
/usr/bin/rsbac_usershow
/usr/bin/rsbac_groupadd
/usr/bin/rsbac_groupmod
/usr/bin/rsbac_groupdel
/usr/bin/rsbac_groupshow
/usr/bin/rsbac_passwd
/usr/bin/rsbac_gpasswd
/usr/bin/rsbac_list_ta
/usr/bin/rsbac_auth
/usr/bin/backup_all
/usr/bin/rsbac_acl_group_menu
/usr/bin/rsbac_acl_menu
/usr/bin/rsbac_dev_menu
/usr/bin/rsbac_fd_menu
/usr/bin/rsbac_menu
/usr/bin/rsbac_process_menu
/usr/bin/rsbac_rc_role_menu
/usr/bin/rsbac_rc_type_menu
/usr/bin/rsbac_user_menu
/usr/bin/rsbac_group_menu
/usr/bin/rsbac_settings_menu
/usr/bin/rsbac_netdev_menu
/usr/bin/rsbac_nettemp_menu
/usr/bin/rsbac_nettemp_def_menu
/usr/bin/user_aci.sh
/usr/sbin/rklogd
/usr/bin/rklogd-viewer
/bin/rsbac_login
/usr/bin/rsbac_version
/usr/share/locale/de/LC_MESSAGES/pam_rsbac-1.0.mo
/usr/share/locale/de/LC_MESSAGES/pam_rsbac.mo
/usr/share/locale/de/LC_MESSAGES/rsbac-tools-1.5.3.mo
/usr/share/locale/de/LC_MESSAGES/rsbac-tools.mo
/usr/share/locale/fr/LC_MESSAGES/pam_rsbac-1.0.mo
/usr/share/locale/fr/LC_MESSAGES/pam_rsbac.mo
/usr/share/locale/fr/LC_MESSAGES/rsbac-tools-1.5.3.mo
/usr/share/locale/fr/LC_MESSAGES/rsbac-tools.mo
/usr/share/locale/ru/LC_MESSAGES/rsbac-tools-1.5.3.mo
/usr/share/locale/ru/LC_MESSAGES/rsbac-tools.mo
/usr/share/doc/rsbac-tools-1.5.3
/usr/share/doc/rsbac-tools-1.5.3/README
/usr/share/doc/rsbac-tools-1.5.3/examples
/usr/share/doc/rsbac-tools-1.5.3/examples/reg
/usr/share/doc/rsbac-tools-1.5.3/examples/reg/rbac.c
/usr/share/doc/rsbac-tools-1.5.3/examples/reg/rbac_admin.c
/usr/share/doc/rsbac-tools-1.5.3/examples/reg/reg_syscall.c
/usr/share/doc/rsbac-tools-1.5.3/examples/reg/rbac.h
/usr/share/doc/rsbac-tools-1.5.3/examples/reg/Makefile
/usr/share/doc/rsbac-tools-1.5.3/examples/reg/reg_sample1.c
/usr/share/doc/rsbac-tools-1.5.3/examples/reg/reg_sample2.c
/usr/share/doc/rsbac-tools-1.5.3/examples/reg/reg_sample3.c
/usr/share/doc/rsbac-tools-1.5.3/examples/rc
/usr/share/doc/rsbac-tools-1.5.3/examples/rc/apache_nettemp.sh
/usr/share/doc/rsbac-tools-1.5.3/examples/rc/apache.sh
/usr/share/doc/rsbac-tools-1.5.3/examples/rc/auth_prot.sh
/usr/share/doc/rsbac-tools-1.5.3/examples/rc/named_nettemp.sh
/usr/share/doc/rsbac-tools-1.5.3/examples/rc/home_area.sh
/usr/share/doc/rsbac-tools-1.5.3/examples/acl
/usr/share/doc/rsbac-tools-1.5.3/examples/acl/acl_backup_all
/usr/share/doc/rsbac-tools-1.5.3/examples/acl/acl_backup_my_groups
/usr/share/doc/rsbac-tools-1.5.3/examples/acl/acl_remove_all_fd_entries_for_user.sh
/usr/share/doc/rsbac-tools-1.5.3/examples/auth
/usr/share/doc/rsbac-tools-1.5.3/examples/auth/addcap.c
/usr/share/doc/rsbac-tools-1.5.3/INSTALL
/usr/share/doc/rsbac-tools-1.5.3/COPYING
/usr/share/doc/rsbac-tools-1.5.3/AUTHORS
/usr/share/doc/rsbac-tools-1.5.3/Changes
/lib/libnss_rsbac.a
/lib/libnss_rsbac.la
/lib/libnss_rsbac.so
/lib/libnss_rsbac.so.2
/lib/libnss_rsbac.so.2.0.0
/lib/librsbac.a
/lib/librsbac.la
/lib/librsbac.so
/lib/librsbac.so.1
/lib/librsbac.so.1.0.0
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
The only right way. But now, keeping that listing, it won't take too
much work should I need to remove those files (and the few dirs), if for
some reason, I didn't anymore need this package.
I will then just need to list them and with a loop, remove them, with a
simple command like:
# for item in `cat <that-listing>`; do rm -v "$item" ; done
(notice the backticks around cat <that-listing>)
If anybody knows of a better, simpler way to install from source
and get the listing of all files installed, pls. do tell!... I simply
don't like files of complex and sophisticated packages that I hold
important installed in /usr/local/... even if I have to be manual
package manager myself...
Whew, this wasn't so little work, actually.
Next is installing rsbac-tools package from mercurial sources.
Email can't be changed once it is sent, so allow for ERRATA
later.
Sincerely,
Palon Setin
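
The post keeps a hand-made listing of installed files and removes them with an `rm` loop. The following is an added example, not part of the original post or of rsbac-admin: it derives the listing from a staged install tree and removes entries from the live system without touching shared directories. The function names are hypothetical, and a staged tree assumes a Makefile that honours `DESTDIR`, which is not confirmed for rsbac-admin.

```shell
#!/bin/sh
# Added example; function names are hypothetical. A "staged tree" is what
# `make DESTDIR="$stage" install` leaves behind IF the Makefile honours
# DESTDIR (an assumption, not confirmed for rsbac-admin).

# Print every path below a staged tree as an absolute path, one per line.
manifest_from_stage() {
    ( cd "$1" && find . ! -path . | sed 's|^\.||' | LC_ALL=C sort )
}

# Accept only absolute paths without ".." components.
is_safe() {
    case $1 in
        */../*|*/..) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# Remove what MANIFEST lists below ROOT (ROOT="" on the live system).
# Pass 1 deletes files and symlinks. Pass 2 tries directories deepest
# first with rmdir, so shared ones such as /usr/bin stay while non-empty.
remove_from_manifest() {
    root=$1
    manifest=$2
    while IFS= read -r p; do
        is_safe "$p" || continue
        if [ -L "$root$p" ] || [ -f "$root$p" ]; then
            rm -f -- "$root$p"
            echo "removed $p"
        fi
    done < "$manifest"
    LC_ALL=C sort -r "$manifest" | while IFS= read -r p; do
        is_safe "$p" || continue
        [ -d "$root$p" ] && [ ! -L "$root$p" ] || continue
        if rmdir -- "$root$p" 2>/dev/null; then
            echo "rmdir $p"
        fi
    done
    return 0
}
```

A listing like the one in this post can be fed to `remove_from_manifest "" that-listing` as root; directories that other packages still use are left in place because `rmdir` refuses non-empty directories.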