Jochem Ippers | 10 Jan 2006 20:03

boot-problem: repeated mount 1 of device 00:00

Hi,
I've just installed Debian 3.1, compiled and installed the 'official 
classic Kernel linux-2.6.14.4-rsbac-1.2.5.1' and the admin-package 
(everything worked fine). But when I boot (in soft mode) the machine 
hangs with the repeated rsbac message:

rsbac_mount_*: repeated mount 1 of device 00:00

I'm using a ramdisk/initrd. Maybe that's the problem? - there was 
already a patch for a ramdisk problem, rsbac version 1.2.1. Isn't it 
included in the rsbac-1.2.5.1 sources?
Would be nice, if someone could help me with this.

Thanks in advance.
Kind regards
Jochem Ippers
Amon Ott | 11 Jan 2006 09:27

Re: boot-problem: repeated mount 1 of device 00:00

On Tuesday 10 January 2006 20:03, Jochem Ippers wrote:
> I've just installed Debian 3.1, compiled and installed the 'official 
> classic Kernel linux-2.6.14.4-rsbac-1.2.5.1' and the admin-package 
> (everything worked fine). But when I boot (in soft mode) the machine 
> hangs with the repeated rsbac message:
> 
> rsbac_mount_*: repeated mount 1 of device 00:00
> 
> I'm using a ramdisk/initrd. Maybe that's the problem? - there was 
> already a patch for a ramdisk problem, rsbac version 1.2.1. Isn't it 
> included in the rsbac-1.2.5.1 sources?
> Would be nice, if someone could help me with this.

Did you enable "Delayed init for initial ramdisk" in RSBAC kernel 
configuration under "General RSBAC options"? It is required for 
ramdisk boots to work correctly. If you did, please tell what RSBAC 
messages you could see before this message.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
jochem_ippers | 11 Jan 2006 12:13
Hi again,
I used the default compile options set for rsbac, so I didn't see the delay option for ramdisks. I just
switched it on and compile again...
Greetings from Aachen, Germany
Jochem Ippers

RSBAC Discussion and Announcements <rsbac <at> rsbac.org> wrote on 10.01.06 20:04:32:
> 
> Hi,
> I've just installed Debian 3.1, compiled and installed the 'official 
> classic Kernel linux-2.6.14.4-rsbac-1.2.5.1' and the admin-package 
> (everything worked fine). But when I boot (in soft mode) the machine 
> hangs with the repeated rsbac message:
> 
> rsbac_mount_*: repeated mount 1 of device 00:00
> 
> I'm using a ramdisk/initrd. Maybe that's the problem? - there was 
> already a patch for a ramdisk problem, rsbac version 1.2.1. Isn't it 
> included in the rsbac-1.2.5.1 sources?
> Would be nice, if someone could help me with this.
> 
> Thanks in advance.
> Kind regards
> Jochem Ippers

kang | 11 Jan 2006 18:34

1.2.6pre2 is out for testing

RSBAC 1.2.6pre2 is out for kernels 2.4.32 and 2.6.15
---------------------------------------------------------------------------------------

Download patches, utilities or prepatched kernels from:

http://download.rsbac.org/pre/rsbac-1.2.6pre2/

Or your favorite mirror:

http://rsbac.org/mirrors

This release is compatible with 1.2.5[.1] and 1.2.6pre1, so no changes
are required!

Changes for rsbac-admin since 1.2.5 are:

1.2.6:
	- Removed stray reg_syscall binary, fixed pam to install as 755.
	- Upgraded, cleaned, fixed debian packaging to be up to debian's
	standards.
	- Fix install-strip targets to support new separate DESTDIR correctly.
	Added information about the DESTDIR and PREFIX at install target.

Changes for the linux kernel since 1.2.5 are:

1.2.6:
	- DAZ Renaming of files from non-scanned to scanned directory
	  now works correctly (does not cache results from non scanned
	  as CLEAN - and/but keep INFECTED status if set when moving file
	  from scanned to non-scanned)

jochem_ippers | 12 Jan 2006 14:29

rsbac + ldap/samba

Hi,
I'm just a beginner with rsbac, so...
We have to migrate a netware 4.11 server to samba+ldap, and we would like
to have something better than the standard posix acls. Maybe this question
was already answered before, but is it possible to use rsbac acls (and
other modules) with Samba using ldap as samba database backend in any way?
Maybe if you don't use the rsbac AUTH module? (does rsbac work with ldap
over nsswitch? etc. etc. ;-))
I would really like to use rsbac for this (and for other purposes), because it's just great.
Thanks in advance.
Greetings from Aachen, Germany
Jochem Ippers
Amon Ott | 12 Jan 2006 14:45

Re: rsbac + ldap/samba

On Thursday 12 January 2006 14:29, jochem_ippers <at> email.de wrote:
> I'm just a beginner with rsbac, so...
> We have to migrate a netware 4.11 server to samba+ldap, and we would 
> like to have something better than the standard posix acls. Maybe 
> this question was already answered before, but is it possible to use 
> rsbac acls (and other modules) with Samba using ldap as samba 
> database backend in any way? Maybe if you don't use the rsbac AUTH 
> module? (does rsbac work with ldap over nsswitch? etc. etc. ;-)) 

RSBAC always uses real user ids. You can auth in whatever way you 
like, but only RSBAC User Management can guarantee that a user has 
provided a password before the setuid succeeds.

Most samba versions do not setuid, but rather seteuid. In this case, 
RSBAC can only control the complete samba as a black box. You can 
probably hack your samba sources to make it use setuid again and then 
control by user.

A samba extension for RSBAC ACLs has been planned for years now, but 
never been done. With such an extension, you could administrate your 
RSBAC ACLs e.g. from a Windows system over network. We are always 
looking for volunteers...

> I would really like to use rsbac for this (and for other purposes), 
> because it's just great.

Thanks for these flowers, we all appreciate them. :)

Amon.

Alexander Bokovoy | 12 Jan 2006 14:59

Re: rsbac + ldap/samba

Amon Ott wrote:
> RSBAC always uses real user ids. You can auth in whatever way you 
> like, but only RSBAC User Management can guarantee that a user has 
> provided a password before the setuid succeeds.
> 
> Most samba versions do not setuid, but rather seteuid. In this case,
>  RSBAC can only control the complete samba as a black box. You can 
> probably hack your samba sources to make it use setuid again and then
>  control by user.
Samba needs to jump back and forth between superuser and a regular user
account, that's why we use seteuid(). Changing that to setuid will not help.

> A samba extension for RSBAC ACLs has been planned for years now, but
>  never been done. With such an extension, you could administrate your
>  RSBAC ACLs e.g. from a Windows system over network. We are always 
> looking for volunteers...
I remember that mouse <at> altlinux.org did some work on RSBAC-based ACLs for
Samba a few years ago, though that work was still unfinished.

We still have no real solution for both RSBAC and SELinux w.r.t. Samba.
-- 
/ Alexander Bokovoy
Samba Team                      http://www.samba.org/
ALT Linux Team                  http://www.altlinux.org/
Midgard Project Ry              http://www.midgard-project.org/
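
The difference the two messages above turn on, as an added example that is not part of the original thread or of Samba or RSBAC code: a simplified model of the POSIX real/effective/saved uid rules, showing what a real-uid-based check sees under seteuid() and why setuid() prevents switching back. Capabilities, fsuid and RSBAC's own hooks are left out, and uid 1000 and all function names are constructed for illustration.

```c
/* Added example: simplified model of POSIX uid switching.
 * Assumptions: no capabilities, no fsuid, no RSBAC hooks; uid 1000 is a sample. */
#include <stdio.h>

struct cred { unsigned ruid, euid, suid; };   /* real, effective, saved */

/* seteuid(): euid 0 may pick any uid; others only their real or saved uid. */
int model_seteuid(struct cred *c, unsigned uid)
{
    if (c->euid != 0 && uid != c->ruid && uid != c->suid)
        return -1;                            /* EPERM */
    c->euid = uid;
    return 0;
}

/* setuid(): with euid 0 it overwrites real, effective and saved uid at once. */
int model_setuid(struct cred *c, unsigned uid)
{
    if (c->euid == 0) {
        c->ruid = c->euid = c->suid = uid;
        return 0;
    }
    return model_seteuid(c, uid);             /* unprivileged: euid only */
}

/* Serve one request as `user` with the given switch call, then try to return
 * to uid 0. Returns the real uid in force while serving, which is the id a
 * real-uid-based access decision would see. */
unsigned serve(struct cred *c, int (*sw)(struct cred *, unsigned),
               unsigned user, int *back_ok)
{
    unsigned seen;
    sw(c, user);
    seen = c->ruid;
    *back_ok = (sw(c, 0) == 0);
    return seen;
}

int main(void)
{
    struct cred a = {0, 0, 0}, b = {0, 0, 0};
    int ok_a, ok_b;
    unsigned ra = serve(&a, model_seteuid, 1000, &ok_a);
    unsigned rb = serve(&b, model_setuid, 1000, &ok_b);
    printf("seteuid: real uid while serving=%u, back to root=%d\n", ra, ok_a);
    printf("setuid:  real uid while serving=%u, back to root=%d\n", rb, ok_b);
    return 0;
}
```
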
Amon Ott | 12 Jan 2006 15:14

Re: rsbac + ldap/samba

On Thursday 12 January 2006 14:59, Alexander Bokovoy wrote:
> Amon Ott wrote:
> > RSBAC always uses real user ids. You can auth in whatever way you 
> > like, but only RSBAC User Management can guarantee that a user has 
> > provided a password before the setuid succeeds.
> > 
> > Most samba versions do not setuid, but rather seteuid. In this case,
> > RSBAC can only control the complete samba as a black box. You can 
> > probably hack your samba sources to make it use setuid again and then
> > control by user.
> Samba needs to jump back and forth between superuser and a regular user
> account, that's why we use seteuid(). Changing that to setuid will not help.

With RSBAC CAP module we could easily allow setuid no matter what uid 
samba has. Would this be an acceptable solution?

> > A samba extension for RSBAC ACLs has been planned for years now, but
> > never been done. With such an extension, you could administrate your
> > RSBAC ACLs e.g. from a Windows system over network. We are always 
> > looking for volunteers...
> I remember that mouse <at> altlinux.org did some work on RSBAC-based ACLs for
> Samba a few years ago, though that work was still unfinished.
> 

Alexander Bokovoy | 12 Jan 2006 15:28

Re: rsbac + ldap/samba

Amon Ott wrote:
> With RSBAC CAP module we could easily allow setuid no matter what uid
>  samba has. Would this be an acceptable solution?
Maybe, though this needs testing.

> Would you be willing to help, if someone tried to create such a 
> solution? We already have ang-st creating RSBAC modules for apache, 
> he might be interested.
That is of a particular interest for me, yes.

> 
> AFAIU, the RSBAC ACL module provides a superset of Windows Network 
> ACLs (if not, we can extend it), so it should be possible to have 
> full Windows managed ACLs on Samba with it.
That might be an interesting thing to do on Samba 4 code which allows
much easier replacement of modules (including ACLs).

-- 
/ Alexander Bokovoy
Samba Team                      http://www.samba.org/
ALT Linux Team                  http://www.altlinux.org/
Midgard Project Ry              http://www.midgard-project.org/
jochem_ippers | 12 Jan 2006 15:56

Re: rsbac + ldap/samba


> > We still have no real solution for both RSBAC and SELinux w.r.t. Samba.
> 
> Would you be willing to help, if someone tried to create such a 
> solution? We already have ang-st creating RSBAC modules for apache, 
> he might be interested.
> 
> AFAIU, the RSBAC ACL module provides a superset of Windows Network 
> ACLs (if not, we can extend it), so it should be possible to have 
> full Windows managed ACLs on Samba with it.

So, as far as I understand it: apart from the missing setuid check of the
(turned off?) AUTH module everything else should work by using ldap as
authentication mechanism? It's no problem for us if the users can't set
any rights on their windows clients, only WE set them ;-) and working rsbac
ACLs on the unix filesystem layer would be perfect for a samba
server/netware substitute, much better than working with 'setr-/getacl'.
And there would still be a lot of possibilities with the other rsbac
modules. So the whole system would be much better than a standard
Samba+ldap+posix-ACLs combination...
Thanks for the fast answers.
Greetings
Jochem

> 
> Amon.
> -- 
> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

