Jens Kasten | 2 Jul 2008 18:29

jail

hi list,

I have built and tested a run-jail for rsbac_jail.
I use the old adamantix-jail-configs to set up the jail.
Here you can download it:
http://kasten-edv.de/download/rsbac/etc_rsbac_jail.tar.bz2
For these services a config exists:
http://kasten-edv.de/download/rsbac/etc_rsbac_jail/

After downloading, you must move the config files to
/etc/rsbac/jail

Here is the config parser:
http://svn.kasten-edv.de/svn/rsbac/trunk/lib/jail_configparser.py
and the script:
http://svn.kasten-edv.de/svn/rsbac/trunk/bin/run-jail.py

run-jail.py has this:
import sys
# path to add where the file jail_configparser.py is
sys.path.append('/security/rsbac-manager/lib')
from jail_configparser import JailParser

I symlinked run-jail.py to /bin/run-jail so the initscript only uses run-jail.

You have to adjust the sys.path.append so that jail_configparser.py can be found.

Then the jail_flags should also be more complete.
At the moment it is only tested to the extent that apache2 works.

self.jail_flags = {

Jens Kasten | 20 Jul 2008 03:43

nfs

hi list,

I have a fileserver which offers the portage directory to the Gentoo
systems.

On the fileserver I get:
<6>0000002285|rsbac_adf_request(): request READ, pid 3136, ppid 2,
prog_name nfsd, uid 0, target_type DIR, tid Device 254:32 Inode 49582
Path /srv/portage/rsbac.dat, attr none, value none, result NOT_GRANTED
by ADF

and on my client I get:
>>> Updating Portage cache:      Traceback (most recent call last):
  File "/usr/bin/emerge", line 6971, in ?
    retval = emerge_main()
  File "/usr/bin/emerge", line 6928, in emerge_main
    action_metadata(settings, portdb, myopts)
  File "/usr/bin/emerge", line 5501, in action_metadata
    noise_maker = source = percentage_noise_maker(portdb)
  File "/usr/bin/emerge", line 5464, in __init__
    self.cp_all = dbapi.cp_all()
  File "/usr/lib/portage/pym/portage.py", line 7272, in cp_all
    for y in listdir(oroot+"/"+x, EmptyOnError=1, ignorecvs=1,
dirsonly=1):
  File "/usr/lib/portage/pym/portage.py", line 290, in listdir
    list, ftype = cacheddir(mypath, ignorecvs, ignorelist, EmptyOnError,
followSymlinks)
  File "/usr/lib/portage/pym/portage.py", line 226, in cacheddir
    list = os.listdir(mypath)
OSError: [Errno 5] Input/output error: '/usr/NFS-Dir/rsbac.dat'
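The rsbac_adf_request() line quoted above is the kernel's ADF decision log. The following Python is an added example, not RSBAC's own code and not anything posted in the thread: it parses such lines into fields and counts which program was denied which request on which path, so a denial like nfsd's READ on rsbac.dat can be picked out of a busy log. The sample log is constructed: the first entry is the line from the post re-joined onto one line (the kernel emits it unwrapped), the other entries are made up in the same format.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Added example; format taken from the rsbac_adf_request() line in the post.
# The syslog prefix "<6>0000002285|" (priority and RSBAC's own counter) is
# optional, because a syslog daemon may already have stripped it.
_ADF_RE = re.compile(
    r"^(?:<(?P<prio>\d+)>(?P<seq>\d+)\|)?"
    r"rsbac_adf_request\(\): request (?P<request>[A-Z_]+), "
    r"pid (?P<pid>\d+), ppid (?P<ppid>\d+), "
    r"prog_name (?P<prog>\S+), uid (?P<uid>\d+), "
    r"target_type (?P<ttype>[A-Z_]+), "
    r"tid (?P<tid>.+?), "
    r"attr (?P<attr>\S+), value (?P<value>\S+), "
    r"result (?P<result>[A-Z_]+) by (?P<by>\S+)\s*$"
)

# File-system target id: "Device 254:32 Inode 49582 Path /srv/portage/rsbac.dat"
_TID_RE = re.compile(
    r"^Device (?P<dev>\d+:\d+) Inode (?P<inode>\d+)(?: Path (?P<path>.+))?$"
)


@dataclass(frozen=True)
class AdfRequest:
    request: str
    pid: int
    ppid: int
    prog: str
    uid: int
    target_type: str
    device: Optional[str]
    inode: Optional[int]
    path: Optional[str]
    result: str
    decided_by: str

    @property
    def denied(self) -> bool:
        return self.result == "NOT_GRANTED"


def parse_adf_line(line: str) -> Optional[AdfRequest]:
    """Return an AdfRequest for an rsbac_adf_request() line, None for anything else."""
    m = _ADF_RE.match(line.strip())
    if m is None:
        return None
    dev = inode = path = None
    t = _TID_RE.match(m.group("tid"))
    if t is not None:  # only file-system targets carry Device/Inode/Path
        dev, inode, path = t.group("dev"), int(t.group("inode")), t.group("path")
    return AdfRequest(
        request=m.group("request"),
        pid=int(m.group("pid")),
        ppid=int(m.group("ppid")),
        prog=m.group("prog"),
        uid=int(m.group("uid")),
        target_type=m.group("ttype"),
        device=dev,
        inode=inode,
        path=path,
        result=m.group("result"),
        decided_by=m.group("by"),
    )


def parse_adf_log(lines: Iterable[str]) -> List[AdfRequest]:
    """Parse every recognisable ADF line, silently skipping unrelated log lines."""
    return [r for r in (parse_adf_line(l) for l in lines) if r is not None]


def denied_by_program(records: Iterable[AdfRequest]) -> Counter:
    """Count NOT_GRANTED decisions per (prog_name, request, path)."""
    return Counter((r.prog, r.request, r.path) for r in records if r.denied)


# Constructed sample log: entry 0 is the thread's line re-joined onto one line,
# the rest are invented in the same format (a repeat, a samba denial, noise).
SAMPLE_LOG = [
    "<6>0000002285|rsbac_adf_request(): request READ, pid 3136, ppid 2, prog_name nfsd, "
    "uid 0, target_type DIR, tid Device 254:32 Inode 49582 Path /srv/portage/rsbac.dat, "
    "attr none, value none, result NOT_GRANTED by ADF",
    "<6>0000002286|rsbac_adf_request(): request READ, pid 3136, ppid 2, prog_name nfsd, "
    "uid 0, target_type DIR, tid Device 254:32 Inode 49582 Path /srv/portage/rsbac.dat, "
    "attr none, value none, result NOT_GRANTED by ADF",
    "<6>0000002287|rsbac_adf_request(): request READ, pid 4410, ppid 1, prog_name smbd, "
    "uid 0, target_type DIR, tid Device 254:32 Inode 49582 Path /srv/portage/rsbac.dat, "
    "attr none, value none, result NOT_GRANTED by ADF",
    "<6>0000002288|kernel: unrelated line that must be ignored",
]

if __name__ == "__main__":
    for (prog, req, path), n in denied_by_program(parse_adf_log(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {prog:<8} {req:<10} {path}")
```

Run on a real kernel log (e.g. piped from dmesg or syslog) the summary immediately shows which daemon is hitting rsbac.dat, which is what distinguishes the expected NFS/samba READ denials in this thread from an unexpected READ_OPEN attempt that would deserve a closer look.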

Michał Purzyński | 20 Jul 2008 15:55

Re: nfs

That's a bug in portage then. Nothing is supposed to get a READ
operation on rsbac.dat granted. Please enable filesystem object
hiding and write if it helps. With that option enabled, if a role does
not have search right on the target (and nothing has on the rsbac.dat dir)
it won't see it in the dir listing.


Jens Kasten | 20 Jul 2008 19:32

Re: nfs

I did enable hide filesystem, but
on the fileserver itself it does not list /rsbac.dat anymore, whereas
on the client it appears. So over NFS it loses the option hiding
filesystem objects.


Amon Ott | 21 Jul 2008 15:22

Re: nfs

On Sunday, 20 July 2008 19:32, Jens Kasten wrote:
> I did enable hide filesystem, but
> on the fileserver itself it does not list /rsbac.dat anymore, whereas
> on the client it appears. So over NFS it loses the option hiding
> filesystem objects.

There is an RSBAC kernel config option to allow READ of rsbac.dat; I cannot
remember the exact name. It should be in Other Options.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Javier Martínez | 21 Jul 2008 18:17

Re: nfs

Enable READ to RSBAC internal data for nothing less than a server?
Is that a good idea?
Is there any case in which it would be useful? And if so, why is it
useful, and in particular in this case?
Did I miss something?
Amon Ott | 21 Jul 2008 20:41

Re: nfs

On Monday 21 July 2008 18:17, Javier Martínez wrote:
> Enable READ to rsbac internal data to nothing less that a server¿?
> Is that a good idea¿?

This is only READ, not READ_OPEN. So you can read the dir, but no
files. Some programs just refuse to run if they cannot read some
dir, e.g. quotacheck.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Jens Kasten | 22 Jul 2008 02:39

Re: nfs

Now I did enable the option
 CONFIG_RSBAC_DAT_VISIBLE
but it does not work.
This
>>> Updating Portage cache:      Permission denied:
'/usr/NFS-Dir/rsbac.dat'
is the result.
I have the same directory in the samba configuration and there I don't
have the rsbac.dat on the client side.
Now, of course, with this option enabled I see it again.
It was one try before.

outp0st | 30 Jul 2008 09:40

Can't compile rsbac-admin tools...

Hi,

I'm trying to set up an RSBAC server based on gentoo hardened rsbac-sources
(linux-2.6.23-rsbac-r1).  The problem is that when trying to compile
rsbac-admin, I always end up with the same error.
I tried a different rsbac-source (linux-2.6.21-rsbac-r1) as well as
compiling other versions of rsbac-admin (emerging from portage or manually
from source), always with the same result.

 >>> Emerging (1 of 1) sys-apps/rsbac-admin-1.3.7 to /
 * rsbac-admin-1.3.7.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...          [ ok ]
 * checking ebuild checksums ;-) ...                                  [ ok ]
 * checking auxfile checksums ;-) ...                                 [ ok ]
 * checking miscfile checksums ;-) ...                                [ ok ]
 * checking rsbac-admin-1.3.7.tar.bz2 ;-) ...                         [ ok ]
 >>> Unpacking source...
 >>> Unpacking rsbac-admin-1.3.7.tar.bz2 to /tmp/portage/sys-apps/rsbac-admin-1.3.7/work
 >>> Source unpacked.
 >>> Compiling source in

outp0st | 30 Jul 2008 12:44

Can't compile rsbac-admin tools...

Managed to solve my problem by using an older version of the linux headers :-)
