INSTALL
Install the rpms in the following way and order:
- rpm -Uhv rsbac-admin-1.2.N-bfM.fcX.NN.i386.rpm
- rpm -ihv --oldpackage kernel-2.6.x-rsbac_v1.2.N_bfM_pax_soft.i686.rpm
If you also want to try the scripts:
- rpm -Uhv rsbac-scripts-N-fcX.NN.noarch.rpm
NOTES:
- The kernel option "rsbac_softmode" may also be added to non-RSBAC kernels
  during installation; check your bootloader configuration before rebooting.
- Some kernels are installed with the option "rsbac_softmode" if there were
  problems with initrd in tests; other kernels do not have this option.
  ALWAYS test whether you can boot in Secure mode and, if so, remove the
  option.
- You may also be interested in the following kernel options (some only
  from rsbac-v1.2.4):
  - rsbac_auth_enable_login: sets auth_may_setuid for /bin/login if the AUTH
    module is on. A good emergency helper if you can no longer log in.
  - rsbac_softmode (only if enabled in the kernel config): switch to softmode.
  - rsbac_softmode_once (only if enabled in the kernel config): switch to
    softmode and disallow switching it on again later.
  - rsbac_softmode_never (only if softmode is enabled in the kernel config):
    disallow switching softmode on during this runtime.
  - rsbac_softmode_ (module name in lowercase, e.g. rc, only if enabled):
    switch individual model softmode to on.
  - rsbac_freeze (only if enabled in the kernel config): disallow RSBAC
    administration for this runtime.
  - rsbac_nosyslog: disallow logging to syslog. You can get at the new logging
    source with rsbac_klogd from the admin tools contrib or with
    "cat /proc/rsbac-info/rmsg" as secoff (uid 400).
- You may also be interested in the "rsbac_cap_process_hiding" kernel
  option.
- During the rsbac-admin installation the user secoff is created, but you
  must set its password by hand before rebooting with the rsbac kernel,
  otherwise you cannot log in as secoff.
- If you install the rsbac-scripts, check /etc/sysconfig/rsbac and be sure
  to allow MANUAL softmode for the first boot with an RSBAC kernel.
- Keep an original RedHat kernel, you never know what could happen, and
  leave it as the default boot entry until you are sure everything works.
- If you do not use the rsbac-scripts, after the boot with the rsbac kernel
  you are on your own.
- If you use the rsbac-scripts, after the first boot in softmode (MANUAL)
  log in as secoff, cd to scripts/ and read the docs in docs/, then:
  - configure the scripts in etc/
  - run the scripts with "scripts/bin/runall start"
  - reboot again for a clean start
Please help develop these scripts.
Andrea Pasquinucci
cesare-AT-ucci.it
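
The bootloader check from the first two notes, as an added example that is not part of the original notes or of the rsbac-scripts. It assumes a GRUB legacy configuration and that RSBAC kernel images have "rsbac" in their file name; the sample configuration and the script name audit.sh are constructed.

```sh
#!/bin/sh
# Added example: audit GRUB legacy kernel lines for the rsbac_softmode option.
# Assumptions: entries look like "kernel /vmlinuz-<version> <options>" and
# RSBAC kernel images have "rsbac" in their file name.

# Reads the config from the file argument (or stdin) and prints
# "<STATUS> <image>" for every kernel line:
#   STRAY    non-RSBAC kernel carrying the option (remove it)
#   SOFTMODE RSBAC kernel that boots in softmode
#   SECURE   RSBAC kernel that boots in Secure mode
#   PLAIN    non-RSBAC kernel without the option
audit_softmode() {
    awk '
        $1 == "kernel" {
            soft = 0
            # Exact match only: rsbac_softmode_never must not count as softmode.
            for (i = 3; i <= NF; i++)
                if ($i == "rsbac_softmode" || $i == "rsbac_softmode_once")
                    soft = 1
            if ($2 ~ /rsbac/) status = soft ? "SOFTMODE" : "SECURE"
            else              status = soft ? "STRAY" : "PLAIN"
            print status, $2
        }
    ' "$@"
}

# Constructed sample configuration, not taken from a real system.
sample_conf() {
    cat <<'EOF'
default=2
title RSBAC kernel, first boot
    kernel /vmlinuz-2.6.x-rsbac ro root=LABEL=/ rsbac_softmode
title RSBAC kernel, locked down
    kernel /vmlinuz-2.6.x-rsbac ro root=LABEL=/ rsbac_softmode_never
title Original kernel
    kernel /vmlinuz-2.6.x ro root=LABEL=/ rsbac_softmode
EOF
}

# Usage: sh audit.sh /boot/grub/grub.conf   (no argument: run on the sample)
if [ $# -gt 0 ]; then audit_softmode "$1"; else sample_conf | audit_softmode; fi
```

Any STRAY line is an original kernel entry that picked up the option during installation; a SOFTMODE line is an RSBAC entry to revisit once booting in Secure mode has been tested.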