3 May 2007 14:33
3 May 2007 15:15
3 May 2007 16:20
Re: Kconfig bug in pre 1.3.3 patch
tazok <tazok.id0 <at> gmail.com>
2007-05-03 14:20:01 GMT
2007-05-03 14:20:01 GMT
Did you apply the PaX patch? 2007/5/3, Tomasz Kłoczko <kloczek <at> zie.pg.gda.pl>: > > > $ make ARCH=x86_64 nonint_oldconfig > rsbac/Kconfig:1093:warning: 'select' used by config symbol 'RSBAC_PAX' > refer to undefined symbol 'PAX' > > > _______________________________________________ > rsbac mailing list > rsbac <at> rsbac.org > http://www.rsbac.org/mailman/listinfo/rsbac >
3 May 2007 16:29
Re: RSBAC kernel configurations menu question
tazok <tazok.id0 <at> gmail.com>
2007-05-03 14:29:31 GMT
2007-05-03 14:29:31 GMT
If I remember correctly the Security menu was related with the Linux Security Framework (LSM) which rsbac is not based in (in the rsbac and the grsecurity homepage there is one article about why rsbac/grsecurity does not use the LSM framework). Probably the reason was this but I'm not sure... 2007/5/3, Tomasz Kłoczko <kloczek <at> zie.pg.gda.pl>: > > > Is it not will be better put kernel menu entry "Rule Set Based Access > Control (RSBAC)" in "Security options" submenu istead in main ? > > kloczek > > _______________________________________________ > rsbac mailing list > rsbac <at> rsbac.org > http://www.rsbac.org/mailman/listinfo/rsbac >
3 May 2007 15:53
Re: RSBAC kernel configurations menu question
Tomasz Kłoczko <kloczek <at> zie.pg.gda.pl>
2007-05-03 13:53:42 GMT
2007-05-03 13:53:42 GMT
Dnia 03-05-2007, Cz o godzinie 16:29 +0200, tazok napisał(a): > If I remember correctly the Security menu was related with the Linux > Security Framework (LSM) which rsbac is not based in (in the rsbac and > the grsecurity homepage there is one article about why > rsbac/grsecurity does not use the LSM framework). Probably the reason > was this but I'm not sure... In "Security options" submenu beside "Enable different security models" entry exist "Enable access key retention support" which isn't LSM switch but it is strict kernel security related. RSBAC it is part of kernel security infrastructure and IMO logical will be putt group of all RSBAC switches on the same level as two above. kloczek _______________________________________________ rsbac mailing list rsbac <at> rsbac.org http://www.rsbac.org/mailman/listinfo/rsbac
3 May 2007 16:05
Re: Kconfig bug in pre 1.3.3 patch
Tomasz Kłoczko <kloczek <at> zie.pg.gda.pl>
2007-05-03 14:05:23 GMT
2007-05-03 14:05:23 GMT
Dnia 03-05-2007, Cz o godzinie 16:20 +0200, tazok napisał(a): > Did you apply the PaX patch? All RSBAC modyfications I'm get from linux-2.6.21.1-rsbac-1.3.3.tar.bz2 tar ball. After unpacking this tar I'm generate diff between this tree and vanilla. After this I'm put this patch in Fedora kernel.spec. After commenting few Fedora patches which rejects (utrace and few other) I'm start prepare .config files for new rpm packeges. First step for produce updated *.config files is run nonint_oldconfig target (which isn't vanilla kernel tree target) which validates all Kconfig entries. So .. if linux-2.6.21.1-rsbac-1.3.3.tar.bz2 have intergrated PAX patches answer is: yes :) BTW PAX: any theoretical chance use PaX and prelink ? kloczek _______________________________________________ rsbac mailing list rsbac <at> rsbac.org http://www.rsbac.org/mailman/listinfo/rsbac
3 May 2007 17:45
Re: RSBAC kernel configurations menu question
tazok <tazok.id0 <at> gmail.com>
2007-05-03 15:45:43 GMT
2007-05-03 15:45:43 GMT
Well, I think that the "access key retention support" uses the LSM framework, if not... there is some reason to include the security.h header file in parts of their code?(please explanation required). I think that rsbac is not only a part of the kernel security infrastructure, since it modify (AFAIK) too many kernel code and is too complex. Probably the "model" that I think is not an LSM and appears in this submenu is PaX, so I doubt now in the real reason... 2007/5/3, Tomasz Kłoczko <kloczek <at> zie.pg.gda.pl>: > > Dnia 03-05-2007, Cz o godzinie 16:29 +0200, tazok napisał(a): > > In "Security options" submenu beside "Enable different security models" > entry exist "Enable access key retention support" which isn't LSM switch > but it is strict kernel security related. RSBAC it is part of kernel > security infrastructure and IMO logical will be putt group of all RSBAC > switches on the same level as two above. > > kloczek > > _______________________________________________ > rsbac mailing list > rsbac <at> rsbac.org > http://www.rsbac.org/mailman/listinfo/rsbac
3 May 2007 17:53
Re: Kconfig bug in pre 1.3.3 patch
tazok <tazok.id0 <at> gmail.com>
2007-05-03 15:53:30 GMT
2007-05-03 15:53:30 GMT
Please, one think is that rsbac had hooks for work with PaX and other very different is that rsbac had PaX. If you downloaded the tarball from rsbac homepage the lonely tarballs that come with rsbac are the enhanced kernels that you could found in rsbac (and had a pax-test as part of their name). Please download one PaX patch for your kernel from PaX homepage and try it... 2007/5/3, Tomasz Kłoczko <kloczek <at> zie.pg.gda.pl>: > > Dnia 03-05-2007, Cz o godzinie 16:20 +0200, tazok napisał(a): > > Did you apply the PaX patch? > > All RSBAC modyfications I'm get from linux-2.6.21.1-rsbac-1.3.3.tar.bz2 > tar ball. After unpacking this tar I'm generate diff between this tree > and vanilla. After this I'm put this patch in Fedora kernel.spec. After > commenting few Fedora patches which rejects (utrace and few other) I'm > start prepare .config files for new rpm packeges. First step for produce > updated *.config files is run nonint_oldconfig target (which isn't > vanilla kernel tree target) which validates all Kconfig entries. > So .. if linux-2.6.21.1-rsbac-1.3.3.tar.bz2 have intergrated PAX patches > answer is: yes :) > > BTW PAX: any theoretical chance use PaX and prelink ? > > kloczek > > _______________________________________________ > rsbac mailing list > rsbac <at> rsbac.org > http://www.rsbac.org/mailman/listinfo/rsbac(Continue reading)
3 May 2007 18:02
Re: Kconfig bug in pre 1.3.3 patch
tazok <tazok.id0 <at> gmail.com>
2007-05-03 16:02:52 GMT
2007-05-03 16:02:52 GMT
Nice, where you see: the lonely tarballs that come with rsbac, change with: the lonely tarballs that come with PaX. One mistake... 2007/5/3, tazok <tazok.id0 <at> gmail.com>: > > Please, one think is that rsbac had hooks for work with PaX and other very > different is that rsbac had PaX. If you downloaded the tarball from rsbac > homepage the lonely tarballs that come with rsbac are the enhanced kernels > that you could found in rsbac (and had a pax-test as part of their name). > Please download one PaX patch for your kernel from PaX homepage and try > it... > >
3 May 2007 18:13
Re: Kconfig bug in pre 1.3.3 patch
Michal Purzynski <michal <at> rsbac.org>
2007-05-03 16:13:31 GMT
2007-05-03 16:13:31 GMT
On May 3, 2007, at 2:33 PM, Tomasz Kłoczko wrote: > > $ make ARCH=x86_64 nonint_oldconfig > rsbac/Kconfig:1093:warning: 'select' used by config symbol 'RSBAC_PAX' > refer to undefined symbol 'PAX' > > that's not really a bug, that's a feature :) vanilla rsbac kernel does not have PAX included, hence the harmless warning (from rsbac pax module btw).
RSS Feed