INSTALL

Install the rpms in the following way and order:

    rpm -Uhv rsbac-admin-1.2.N-bfM.fcX.NN.i386.rpm
    rpm -ihv --oldpackage kernel-2.6.x-rsbac_v1.2.N_bfM_pax_soft.i686.rpm

If you also want to try the scripts:

    rpm -Uhv rsbac-scripts-N-fcX.NN.noarch.rpm

NOTES:

- The kernel option "rsbac_softmode" may also be added to non-rsbac kernels
  during installation; please check your bootloader configuration before
  rebooting.

- Some kernels are installed with the option "rsbac_softmode" if there were
  problems with initrd in tests; some kernels do not have this option.
  ALWAYS test whether you can boot in Secure mode and, if so, remove the
  option.

- You may also be interested in the following kernel options (some only
  from rsbac-v1.2.4):

  - rsbac_auth_enable_login: Sets auth_may_setuid for /bin/login, if the
    AUTH module is on. A good emergency helper if you cannot log in anymore.
  - rsbac_softmode (only if enabled in kernel config): switch to softmode
  - rsbac_softmode_once (only if enabled in kernel config): switch to
    softmode and disallow switching it on again later
  - rsbac_softmode_never (only if softmode is enabled in kernel config):
    disallow switching softmode on during this runtime
  - rsbac_softmode_ (module name in lowercase, e.g. rc, only if enabled):
    switch individual model softmode to on
  - rsbac_freeze (only if enabled in kernel config): Disallow RSBAC
    administration for this runtime.
  - rsbac_nosyslog: Disallow logging to syslog. You can get at the new
    logging source with rsbac_klogd from admin tools contrib or
    "cat /proc/rsbac-info/rmsg" as secoff (uid 400).

- You may also be interested in using the "rsbac_cap_process_hiding" kernel
  option.

- During the rsbac-admin installation the user secoff is created, but you
  must set its password by hand before rebooting with the rsbac kernel,
  otherwise you cannot log in as secoff.

- If you install the rsbac-scripts, check /etc/sysconfig/rsbac and be sure
  to allow MANUAL softmode for the first boot with an RSBAC kernel.

- Keep an original RedHat kernel, you never know what could happen, and
  leave it as the default boot entry until you are sure everything is
  working.

- If you do not use the rsbac-scripts, after the boot with the rsbac kernel
  you are on your own.

- If you use the rsbac-scripts, after the first boot in softmode (MANUAL)
  log in as secoff, cd to scripts/ and read the docs in docs/, then:

  1. configure the scripts in etc/
  2. run the scripts with "scripts/bin/runall start"
  3. reboot again for a clean start

Please help develop these scripts.

Andrea Pasquinucci
cesare-AT-ucci.it
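
One way to do the bootloader check asked for in the notes above, as an added example that is not part of the original INSTALL file or of the rsbac packages. It assumes a GRUB legacy configuration (for example /boot/grub/grub.conf, a path not given above) and that RSBAC kernel images have "rsbac" in their file name, as the kernel rpm name does; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit GRUB "kernel" lines for the rsbac_softmode option.
# Assumptions: GRUB legacy syntax; RSBAC kernel images have "rsbac" in
# their file name. Only the exact token rsbac_softmode is checked.

# Constructed sample configuration, used when no file is given.
sample_grub_conf() {
cat <<'EOF'
# grub.conf (constructed sample)
default=0
title Fedora Core (stock kernel)
    root (hd0,0)
    kernel /vmlinuz-2.6.x ro root=LABEL=/ rsbac_softmode
    initrd /initrd-2.6.x.img
title Fedora Core (RSBAC, soft mode)
    root (hd0,0)
    kernel /vmlinuz-2.6.x-rsbac ro root=LABEL=/ rsbac_softmode
title Fedora Core (RSBAC, secure mode)
    root (hd0,0)
    kernel /vmlinuz-2.6.x-rsbac ro root=LABEL=/ rsbac_auth_enable_login
EOF
}

# Reads a GRUB config on stdin, prints one finding per relevant entry and
# returns 1 if a non-RSBAC kernel carries rsbac_softmode.
check_boot_opts() {
    awk '
        $1 == "title" { sub(/^[ \t]*title[ \t]+/, ""); title = $0; next }
        $1 != "kernel" { next }       # also skips comments and blank lines
        {
            soft = 0
            for (i = 3; i <= NF; i++) if ($i == "rsbac_softmode") soft = 1
            rsbac = ($2 ~ /rsbac/)    # image file name marks an RSBAC kernel
            if (soft && !rsbac) { print "WARN stray rsbac_softmode: " title; bad = 1 }
            else if (soft)  print "NOTE boots in soft mode: " title
            else if (rsbac) print "OK   boots in secure mode: " title
        }
        END { exit bad + 0 }
    '
}

# Usage: sh check.sh /boot/grub/grub.conf   (no argument: run on the sample)
if [ -n "${1:-}" ]; then
    check_boot_opts < "$1"
else
    sample_grub_conf | check_boot_opts
fi || echo "Fix the WARN entries before rebooting."
```

A NOTE line is not an error: it marks an RSBAC entry that still needs the Secure mode boot test before the option is removed.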