[ubuntu-hardened] Fixed some bugs in the postinst and postrm scripts of vSecurity packages, merged amd64 changes

Lorenzo Hernández García-Hierro lorenzo at gnu.org
Sun Oct 16 13:43:31 CDT 2005


On Sun, 2005-10-16 at 20:06 +0200, Herman Bos wrote:
> I'm not totally into it but if I may ask what are the consequences of
> disabling the capabilities module? It sounds pretty bad.

We are just disabling it from using a slot within the LSM framework, not
removing capabilities support at all. We just end up using the hook
(capable()) within vSecurity instead of the one inside the 'capability' LKM,
getting a free slot for our module and hence being able to load it.

> It's there but after boot:
> [4294687.225000] VSEC: Failure registering vSecurity module with the kernel
> [4294687.225000] VSEC: Failure registering vSecurity module with primary
> security module.

Looks like it's ignoring it. modprobe.conf needs to be updated in the
Debian way, but I forget how that's done right now. Andrew, Martin?
The problem is that the vsecurity.modprobe content isn't dumped
to /etc/modprobe.conf.

> [4294984.068000] Capabilities disabled at initialization
> [4294985.575000] VSEC: Registering vsecfs subsystem (sysfs).
> [4294985.575000] VSEC: Access Control List of allsocket, type uid created.
> [4294985.575000] VSEC: Access Control List of allsocket, type gid created.
> [4294985.575000] VSEC: Access Control List of server_socket, type uid
> created.
> [4294985.575000] VSEC: Access Control List of server_socket, type gid
> created.
> [4294985.575000] VSEC: Access Control List of client_socket, type uid
> created.
> [4294985.575000] VSEC: Access Control List of client_socket, type gid
> created.
> [4294985.575000] VSEC: Access Control List of tpe, type uid created.
> [4294985.575000] VSEC: Access Control List of tpe, type gid created.
> [4294985.575000] VSEC: vSecurity engine initialized.
> 
> This works it seems.

Right :)

> What's next? What's in effect now? Is TPE working? Is there a group on
> which it applies or one on which it does not? (that is how it works in
> grsecurity).

It should be OK that way. Check the module parameters with 'modinfo' and
you'll see what can be configured. I apologize for the lack of
documentation. That needs love.

> For extra information, I installed your k7 ubuntu package (I have a k7
> kernel running).
> 
> I don't mind helping a bit with the documentation on the wiki, but there
> is not much to start with. :)

You're right. I'll be adding a skeleton to this page:
http://wiki.tuxedo-es.org/VSecurityDocumentation

To prevent spam, I've set restrictions, so you must register an
account to edit pages. It seems that many people are interested in
contributing to the documentation, so I hope this will get solved
soon ;).

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo at gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
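An added example, not code from this thread or from the vSecurity packages, covering the two things discussed above: reading the VSEC lines the kernel logged to tell whether the module ended up registered (and whether the 'capability' LKM stood down and freed the LSM slot), and installing the package's modprobe fragment under /etc/modprobe.d/ the Debian way instead of relying on /etc/modprobe.conf. The fragment file name, the target directory and the sample logs are assumptions; the directory is a parameter so the functions can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example: checks for the vSecurity registration problem discussed in
# the thread plus a postinst-style helper that installs the modprobe fragment
# under /etc/modprobe.d/. Not part of the original packages.

# Constructed sample logs, modelled on the lines quoted in the thread.
LOG_FAILED='[4294687.225000] VSEC: Failure registering vSecurity module with the kernel
[4294687.225000] VSEC: Failure registering vSecurity module with primary
[4294687.225000] security module.'
LOG_OK='[4294984.068000] Capabilities disabled at initialization
[4294985.575000] VSEC: Registering vsecfs subsystem (sysfs).
[4294985.575000] VSEC: Access Control List of tpe, type uid created.
[4294985.575000] VSEC: vSecurity engine initialized.'

# vsec_status LOGTEXT: prints "initialized", "failed" or "absent", judged
# from the last VSEC registration line, so a later successful boot wins.
vsec_status() {
    last=$(printf '%s\n' "$1" \
        | grep -E 'VSEC: (Failure registering|vSecurity engine initialized)' \
        | tail -n 1)
    case "$last" in
        *'engine initialized'*) echo initialized ;;
        *'Failure registering'*) echo failed ;;
        *) echo absent ;;
    esac
}

# capability_slot_free LOGTEXT: true when the 'capability' LKM reported that
# it stood down, which is what frees the LSM slot for vSecurity.
capability_slot_free() {
    printf '%s\n' "$1" | grep -q 'Capabilities disabled at initialization'
}

# install_modprobe_fragment SRC DIR: copy the package's modprobe fragment to
# DIR/vsecurity (normally /etc/modprobe.d) only when missing or changed, so a
# postinst can call it on every upgrade without clobbering or duplicating it.
install_modprobe_fragment() {
    src=$1; dst=$2/vsecurity
    [ -s "$src" ] || { echo "fragment $src missing or empty" >&2; return 1; }
    mkdir -p "$2"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 0    # already installed, nothing to do
    fi
    cp "$src" "$dst" && chmod 0644 "$dst"
}

# Stand-alone run: report the outcome for both constructed logs.
echo "first boot: $(vsec_status "$LOG_FAILED")"
echo "second boot: $(vsec_status "$LOG_OK")"
```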