1 |
Oh, thanks, I was so blind looking for a way to make it works that I |
2 |
didn't get realize in the possibility to install an rc alternative. |
3 |
I have installed rsbac on my own, but I think that the problem of |
4 |
shell-scripts and capabilities are common to other frameworks as |
5 |
grsecurity or SELinux. So thanks for your help. |
6 |
|
7 |
2009/2/18 RB <aoz.syn@×××××.com>: |
8 |
> On Wed, Feb 18, 2009 at 02:25, Javier J. Martínez Cabezón |
9 |
> <tazok.id0@×××××.com> wrote: |
10 |
>> Hi, I think that /sbin/rc should be changed from a shell script, the |
11 |
>> reason is that with gentoo hardened, security policies could be done |
12 |
>> removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my |
13 |
>> setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and |
14 |
>> CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others |
15 |
>> utmp has owner as audit user. Since root has not capabilities this |
16 |
>> file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a |
17 |
>> minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's |
18 |
>> a bash shell-script, and granting it to mv, chmod etc is not a good |
19 |
>> idea as you can suppose :). Could it be done? |
20 |
> |
21 |
> Beyond the fact that rsbac-admin and rsbac-sources have been removed, |
22 |
> there's no reason you can't do this. In my ~ARCH hardened systems |
23 |
> with openrc, /sbin/rc is a binary and not a shell script. |
24 |
> |
25 |
> |