On Sun, April 12, 2009 02:03, Grant wrote:
>> If you employ GRsecurity's RBAC, you can use PaX flags, like
>> "PAX_MPROTECT" on a given subject (binary). Take a look at the
>> example policy file.
>
> Do you guys think RBAC or /etc/portage/bashrc is a better choice for
> this? Maybe RBAC is overkill if this is all I'll be using it for?
>

It takes time to refine a policy and it needs some tuning from time to
time. If you haven't utilized any RBAC (Grsecurity, RSBAC) on your system
yet, it's high time to give it a try.
So I should say that bashrc is not the best choice from the security
point of view, but in the meantime it's not overkill either...

Regards:
Dw.

>
>>>>>> and create executable shell script in that dir:
>>>>>> mozilla-firefox-bin.postinst
>>>>>> ---cut---
>>>>>> #!/bin/bash
>>>>>> # chpax -m clears the PaX MPROTECT flag on the installed binary
>>>>>> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on flash!"
>>>>>> chpax -m /opt/firefox/firefox-bin
>>>>>> ---cut---
>>>>>>
>>>>>
>>>>> Of course, if you compile firefox instead of using firefox-bin, then
>>>>> the file should be named mozilla-firefox.postinst and you should use
>>>>> paxctl there instead of chpax.
>>>>>
>>>> A simple cron job or slightly-less-simple RBAC policy can do the
>>>> trick. There's no need to mess with portage, imho.
>>>
>>> Thanks for the suggestions everyone. I think this type of persistence
>>> should be built into portage. Maybe /etc/portage/package.nomprotect.
>>> Do you agree? Should I file a bug?
>>>
>>> - Grant
>
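The /etc/portage/bashrc approach discussed above, written out as an added example (this is not code from the thread, from Portage or from grsecurity): a hook that re-applies "paxctl -m" to a list of binaries each time their package is emerged, so the flag survives upgrades without an RBAC policy. The list file /etc/portage/package.nomprotect is the name Grant proposes, not a file Portage knows about, and its line format (category/package followed by one or more paths relative to ROOT) is my own choice. Portage's post_pkg_postinst() hook and the CATEGORY, PN, ROOT and ewarn names are real; the sample list and the mozilla-xremote-client path in it are constructed for the self-check only.

```shell
#!/bin/bash
# Added example for /etc/portage/bashrc (not code from the thread or Portage):
# re-apply "paxctl -m" (clear PaX MPROTECT) to listed binaries after every
# (re-)emerge of their package, so the setting persists across upgrades.
#
# Assumed list file, Grant's proposed name (Portage has no such file):
#   category/package  /path/to/binary [/path/to/other ...]   (paths under ROOT)
NOMPROTECT_FILE="${NOMPROTECT_FILE:-/etc/portage/package.nomprotect}"

# ewarn is provided by Portage when this file is sourced as bashrc; define
# a fallback so the functions can be tried by hand.
if ! type ewarn >/dev/null 2>&1; then
    ewarn() { printf ' * %s\n' "$*" >&2; }
fi

# Print, one per line, the binaries listed for atom "$1" (category/package)
# in list file "$2". Blank lines and "#" comments are skipped; a missing or
# unreadable file yields nothing rather than an error.
nomprotect_paths() {
    local atom="$1" file="$2" pkg rest path
    [ -r "$file" ] || return 0
    while read -r pkg rest; do
        case "$pkg" in ''|'#'*) continue ;; esac
        [ "$pkg" = "$atom" ] || continue
        for path in $rest; do
            printf '%s\n' "$path"
        done
    done < "$file"
}

# Clear MPROTECT on one binary. "paxctl -m" fails on a binary that has no
# PT_PAX_FLAGS program header yet, so fall back to "-c" (convert PT_GNU_STACK
# into PT_PAX_FLAGS) together with "-m". Non-zero on a missing file or a
# paxctl failure, so the caller can warn instead of leaving a binary that
# will crash on the Flash plugin again.
apply_nomprotect() {
    local bin="$1"
    [ -f "$bin" ] || { ewarn "nomprotect: $bin not installed"; return 1; }
    paxctl -m "$bin" 2>/dev/null || paxctl -cm "$bin"
}

# Portage hook: called after the ebuild's pkg_postinst, i.e. once the new
# files are on disk under ROOT, with CATEGORY and PN set.
post_pkg_postinst() {
    local root bin
    root="${ROOT:-/}"; root="${root%/}"
    nomprotect_paths "${CATEGORY}/${PN}" "$NOMPROTECT_FILE" |
    while IFS= read -r bin; do
        ewarn "package.nomprotect: paxctl -m ${root}${bin}"
        apply_nomprotect "${root}${bin}" ||
            ewarn "package.nomprotect: could not clear MPROTECT on ${bin}"
    done
}

# Constructed sample list for trying nomprotect_paths by hand (not a real
# file from any system); prints the path of the temporary file it wrote.
sample_nomprotect_file() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# category/package   binaries (relative to ROOT) that must run without MPROTECT
www-client/mozilla-firefox-bin  /opt/firefox/firefox-bin
www-client/mozilla-firefox      /usr/lib/mozilla-firefox/firefox-bin  /usr/lib/mozilla-firefox/mozilla-xremote-client
EOF
    printf '%s\n' "$f"
}
```

Two caveats when using this for real. First, the marking has to match the kernel: chpax writes the legacy EI_PAX bits in the ELF header and is only honoured by a kernel built with CONFIG_PAX_EI_PAX, while paxctl writes a PT_PAX_FLAGS program header (CONFIG_PAX_PT_PAX_FLAGS); on a PT_PAX_FLAGS-only kernel the chpax call in the quoted script does nothing. Second, the hook only weakens W^X for the binaries explicitly listed, and only re-applies it at emerge time; an RBAC subject rule enforces the same flag from the policy regardless of what is on disk, which is the security argument for RBAC that Dw. makes above.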