Re: [gentoo-hardened] persistent paxctl -m?

On Vas, �prilis 12, 2009 02:03, Grant wrote:
>> If you employ GRsecurity's RBAC, you can use PAX flags, like
>> "PAX_MPROTECT" on a given subject (binary). Take a look at on the
>> example
>> policy file.
>
> Do you guys think RBAC or /etc/portage/bashrc is a better choice for
> this? Maybe RBAC is overkill if this is all I'll be using it for?
>

It takes time to refine a policy and it needs some tuning from time to time. If you haven't utilized any RBAC (Grsecurity, RSBAC) on your system yet, it's high time to give it a try.
So I should say, that bashrc is not the best choice from the security point of view, but in the mean time it's not an overkill either...

Regards:
Dw.

>
>>>>>> and create executable shell script in that dir:
>>>>>> mozilla-firefox-bin.postinst
>>>>>> ---cut---
>>>>>> #!/bin/bash
>>>>>> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on
>>>>>> flash!"
>>>>>> chpax -m /opt/firefox/firefox-bin
>>>>>> ---cut---
>>>>>>
>>>>>
>>>>> Of course, if you compile firefox instead of using firefox-bin, then
>>>>> file
>>>>> should be named mozilla-firefox.postinst and you should use there
>>>>> paxctl
>>>>> instead of chpax.
>>>>>
>>>> A simple cron job or slightly-less-simple RBAC policy can do the
>>>> trick.
>>>> There's no need to mess with portage, imho.
>>>
>>> Thanks for the suggestions everyone.  I think this type of persistence
>>> should be built into portage.  Maybe /etc/portage/package.nomprotect.
>>> Do you agree?  Should I file a bug?
>>>
>>> - Grant
>

• This message: [ Message body ]
• Next message: Thomas Sachau: "Re: [gentoo-hardened] "does not have a PT_PAX_FLAGS program header, try conversion""
• Previous message: Grant: "Re: [gentoo-hardened] persistent paxctl -m?"
• In reply to: Grant: "Re: [gentoo-hardened] persistent paxctl -m?"
• Next in thread: Ned Ludd: "Re: [gentoo-hardened] persistent paxctl -m?"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]