When trying to load gradm on boot, as early as possible, I'm running into problems.
The mountfs boot script doesn't mount / read-write until after kernfs, udev, swap, and checkfs. Gradm learning can't save its log until filesystems are mounted writable, and gradm doesn't work without /dev/grsec. So I think /dev/grsec should become an essential device, created before udev is loaded, so gradm can be enabled as soon as possible. I think /etc/rc.d/init.d/grsec should be the first boot script, and if necessary mount a writable tmpfs for the learning log, maybe under /root.

In particular I want ACL rules for /sbin/agetty and /bin/login. It looks like /bin/login is what needs capabilities. I'm thinking of making /bin/login executable only by the 'login' group, which agetty and sshd users are a part of, and giving /bin/login CAP_CHOWN, CAP_FOWNER, CAP_FSETID, CAP_SETGID, and CAP_SETUID, so agetty and sshd users can drop root, except that normal users also use /bin/login. Filesystem POSIX capability markings do not yet distinguish between owner, group, and other permissions. Perhaps /bin/login needs to be copied to /bin/login.caps, to deal with suid logins.

We have exactly the same problem with /bin/dd feeding klogd... /bin/dd has sys_cap_admin capabilities.

Gradm ACLs can enforce these rules, but I also want userland (libcap and file system permissions) to only give permissions as needed, so that gradm ACLs shouldn't need enforcement, and so logs of ACL violations are kept to a minimum. Libcap gives the program the guns, and gradm ACLs strip-search the program to check that it only has the guns it is authorized to have. We need both... one cannot be depended on to replace the other.

I'm curious if there is advice for me on how to generalize the issue with /bin/login and /bin/dd (for klogd), and loading gradm very early during boot.

robert
-- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
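Added example, not part of the message above: since file capability markings do not distinguish owner, group, and other, the mode bits and group ownership are the only userland gate on who receives the capabilities. The function name `audit_capped_binary` is hypothetical; the sketch assumes GNU coreutils `stat` and uses libcap's `getcap` only if it is installed.

```shell
#!/bin/sh
# Added example: audit a capability-bearing binary such as /bin/login.
# File capabilities apply to whoever may execute the file, so limiting them
# to one group depends on the ordinary mode bits and group ownership.
# Assumes GNU coreutils stat(1); getcap(8) from libcap is used if present.

# audit_capped_binary PATH GROUP
# Returns 0 if PATH belongs to GROUP and is not executable by "other".
# Otherwise returns the number of problems found (1 or 2); 3 if stat fails.
audit_capped_binary() {
    path=$1
    want_group=$2
    problems=0

    mode=$(stat -c %a "$path") || return 3
    group=$(stat -c %G "$path") || return 3

    # The last octal digit holds the "other" permissions; bit 1 is execute.
    other=$((mode % 10))
    if [ $((other & 1)) -ne 0 ]; then
        echo "$path: mode $mode lets every user execute it"
        problems=$((problems + 1))
    fi

    if [ "$group" != "$want_group" ]; then
        echo "$path: group is $group, expected $want_group"
        problems=$((problems + 1))
    fi

    # Informational only: show which capabilities the file would grant.
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$path" 2>/dev/null)
        if [ -n "$caps" ]; then
            echo "file capabilities: $caps"
        fi
    fi

    return "$problems"
}

# Typical call on a real system (group name taken from the message):
#   audit_capped_binary /bin/login login
```

A return value of 0 means only the owner and the named group can run the binary, so only they can pick up its file capabilities.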