From: Amon Ott <ao@rsbac.org>
To: RSBAC List <rsbac@rsbac.org>
Cc: linux-kernel@vger.kernel.org,
Suse-Security <suse-security@suse.com>,
sec@linux-sec.net
Subject: Announce: RSBAC v1.2.2 released
Date: Tue, 5 Aug 2003 09:49:25 +0200 [thread overview]
Message-ID: <19jwX7-28IRrE0@fmrl00.sul.t-online.com> (raw)
Hello!
Rule Set Based Access Control (RSBAC) version 1.2.2 has been released.
Full information and downloads are available from http://www.rsbac.org
RSBAC is a flexible, powerful and fast open source access control framework
for current Linux kernels, which has been in stable production use since
January 2000 (version 1.0.9a). All development is independent of governments
and big companies, and no existing access control code has been reused.
The system includes a big range of decision modules, some of which implement
professional access control models like ACL, MAC or Role Compatibility. It
supports both 2.4 and 2.2 kernel series. Now that 2.6 seems to stabilize, the
port to 2.6.0-test is in progress.
New features compared to version 1.2.1:
- Malware scanning:
- Added ms_need_scan attribute for selective scanning
- MS module support for F-Protd as scanning engine
- ms_need_scan FD attribute for selective scanning
- MS module support for clamd as scanning engine.
- Jails:
- JAIL flag allow_inet_localhost to additionally allow to/from
local/remote IP 127.0.0.1
- Resource Control:
- New RES module with minimum and maximum resource settings for
users and programs
- Authentication Enforcement:
- Moved AUTH module to generic lists with ttl
- Added caps and checks for effective and fs owner to AUTH module
(optional)
- Linux Capabilities:
- New Process Hiding feature in CAP module
- MAC / Bell-LaPadula:
- Almost complete reimplementation of the MAC model with many new
features.
- General:
- RSBAC syscall version numbers
- Added new requests CHANGE_DAC_(EFF|FS)_OWNER on PROCESS targets
for seteuid and setfsuid (configurable)
- Changed behaviour on setuid etc.: Notification is always sent, even
if the uid was set to the same value. This allows for restricted RC
initial roles with correct role after setuid to root.
- Delayed init for initial ramdisks: delay RSBAC init until the first
real or a specific device mount.
- rsbac_init() syscall to trigger init by hand, if not yet
initialized - can be used with e.g. rsbac_delayed_root=99:99, which
will never trigger init automatically.
- New system role 'auditor' for most models, which may read and flush
RSBAC own log.
Amon Ott.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
reply other threads:[~2003-08-05 7:47 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=19jwX7-28IRrE0@fmrl00.sul.t-online.com \
--to=ao@rsbac.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rsbac@rsbac.org \
--cc=sec@linux-sec.net \
--cc=suse-security@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).