> If you employ GRsecurity's RBAC, you can use PAX flags, like
> "PAX_MPROTECT" on a given subject (binary). Take a look at the example
> policy file.

Do you guys think RBAC or /etc/portage/bashrc is a better choice for
this? Maybe RBAC is overkill if this is all I'll be using it for?

- Grant

>>>>> and create executable shell script in that dir:
>>>>> mozilla-firefox-bin.postinst
>>>>> ---cut---
>>>>> #!/bin/bash
>>>>> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on flash!"
>>>>> chpax -m /opt/firefox/firefox-bin
>>>>> ---cut---
>>>>>
>>>>
>>>> Of course, if you compile firefox instead of using firefox-bin, then the
>>>> file should be named mozilla-firefox.postinst and you should use paxctl
>>>> there instead of chpax.
>>>>
>>> A simple cron job or slightly-less-simple RBAC policy can do the trick.
>>> There's no need to mess with portage, imho.
>>
>> Thanks for the suggestions everyone. I think this type of persistence
>> should be built into portage. Maybe /etc/portage/package.nomprotect.
>> Do you agree? Should I file a bug?
>>
>> - Grant