| 1 |
Oh, thanks, I was so blind looking for a way to make it works that I |
| 2 |
didn't get realize in the possibility to install an rc alternative. |
| 3 |
I have installed rsbac on my own, but I think that the problem of |
| 4 |
shell-scripts and capabilities are common to other frameworks as |
| 5 |
grsecurity or SELinux. So thanks for your help. |
| 6 |
|
| 7 |
2009/2/18 RB <aoz.syn@×××××.com>: |
| 8 |
> On Wed, Feb 18, 2009 at 02:25, Javier J. Martínez Cabezón |
| 9 |
> <tazok.id0@×××××.com> wrote: |
| 10 |
>> Hi, I think that /sbin/rc should be changed from a shell script, the |
| 11 |
>> reason is that with gentoo hardened, security policies could be done |
| 12 |
>> removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my |
| 13 |
>> setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and |
| 14 |
>> CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others |
| 15 |
>> utmp has owner as audit user. Since root has not capabilities this |
| 16 |
>> file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a |
| 17 |
>> minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's |
| 18 |
>> a bash shell-script, and granting it to mv, chmod etc is not a good |
| 19 |
>> idea as you can suppose :). Could it be done? |
| 20 |
> |
| 21 |
> Beyond the fact that rsbac-admin and rsbac-sources have been removed, |
| 22 |
> there's no reason you can't do this. In my ~ARCH hardened systems |
| 23 |
> with openrc, /sbin/rc is a binary and not a shell script. |
| 24 |
> |
| 25 |
> |
Archives