GENERAL:
- the RSBAC protection given by these scripts is quite generic;
  for special needs, make your own configuration
- the kernel is booted in softmode because of problems with initrd
- you can switch softmode off either as the first of the init.d scripts,
  as the last, or by hand, by changing the config in /etc/sysconfig/rsbac
- the default configuration uses File Flags to protect most top directories,
  and the protection is inherited recursively by all files inside them
- notice that /etc is read-only by default, which means that you cannot
  do many things, for example changing passwords!
- software updates with rpm also do not work, so you must stop any
  program that automatically downloads and installs rpms (like rhnd);
  they will fail miserably because most directories are read-only
- ALL MAINTENANCE SHOULD BE DONE BY ACTIVATING SOFTMODE BY HAND as secoff,
  then doing upgrades, installations, password changes etc. as root
  (you'll have tons of messages in the logs about violations in softmode,
  which means that the command was executed but violated some RSBAC
  rules). At the end of your maintenance, switch softmode off again as
  secoff; it is better to re-run these scripts to update any modified
  configurations (usually running './runall start' is safe; there should
  be no need to stop first and then start again)
- to switch softmode on/off (1/0), use as secoff the command
  switch_module SOFTMODE 1 (or switch_module SOFTMODE 0)
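
The maintenance procedure above, wrapped so that softmode cannot be left on by accident. This is an added example, not part of these scripts: the names with_softmode, softmode_set and RSBAC_SWITCH are hypothetical, and it assumes it is run as secoff with switch_module on the PATH.

```shell
#!/bin/sh
# Added example (not part of the original scripts): bound a softmode window.
# Assumptions: run as secoff; RSBAC_SWITCH is a hypothetical override for the
# switch_module command named in the notes above.
RSBAC_SWITCH="${RSBAC_SWITCH:-switch_module}"

softmode_set() {
    # $1 is 1 (on) or 0 (off), i.e. "switch_module SOFTMODE 1" / "... 0"
    "$RSBAC_SWITCH" SOFTMODE "$1"
}

# Usage: with_softmode <command> [args...]
# The command is whatever performs the maintenance, typically one that
# becomes root for the upgrade, installation or password change.
# The body runs in a subshell so the traps do not leak into the caller.
with_softmode() (
    [ "$#" -gt 0 ] || { echo "usage: with_softmode <command> [args...]" >&2; exit 2; }

    # If the window is interrupted, still switch softmode off.
    trap 'softmode_set 0' INT TERM HUP

    softmode_set 1 || { echo "could not switch softmode on" >&2; exit 1; }

    # Remember the exit status, but never skip the switch-off below.
    status=0
    "$@" || status=$?

    if ! softmode_set 0; then
        echo "WARNING: softmode is still ON, run: switch_module SOFTMODE 0" >&2
        exit 3
    fi
    echo "softmode is off again; re-run './runall start' to refresh the configuration" >&2
    exit "$status"
)
```

The exit status is that of the wrapped command, or 3 if softmode could not be switched off again, so a failed switch-off is never silent.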