You will need a few special options for your first RSBAC boot. If you need it, we have a complete (and extensive) list of kernel parameters.
When you boot, the default RSBAC policy will disallow any setuid call. It means you will not be able to log in!
To alleviate this, you can tell RSBAC at boot time that /bin/login (the program taking care of console logins) is allowed to set uids, by adding the rsbac_auth_enable_login parameter:
Note: please see the next paragraph before blindly following the instructions here. You will probably prefer to use Softmode for the first boot.
lilo:
Grub:
# edit /boot/grub/grub.conf (or /boot/grub/menu.lst) or equivalent:
kernel /boot/your-rsbac-kernel-image rsbac_auth_enable_login
You can now reboot and check if everything is fine. You will be able to log in as root and as secoff (a name sometimes used for the Security Officer), but many things might fail to start or will not work because they are denied.
Important: An easier, and also recommended, solution is to enable Softmode for the first boot.
As the name implies, Softmode does not enforce the RSBAC restrictions. You will still see the denied entries in RSBAC's log, but everything will work as it would on a normal system. This way, you can trigger every error and see what is getting denied and what needs to be allowed, in a flexible manner, without ever locking yourself out of the machine.
You can boot in Softmode by adding the rsbac_softmode parameter:
lilo:
Grub:
# edit /boot/grub/grub.conf (or /boot/grub/menu.lst) or equivalent:
kernel /boot/your-rsbac-kernel-image rsbac_softmode
Important: please remember to turn off the Softmode options when your system is ready and completely configured! This is only a convenience option and could lower your system security if left on.
You can now start your computer with the RSBAC-enabled kernel!
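One way to act on the reminder above to turn Softmode off, as an added example that is not part of the RSBAC Handbook or the RSBAC tools: a shell script that looks for rsbac_softmode on the running kernel's command line and in the GRUB files named on this page. The function names, the --audit switch and the use of /proc/cmdline (a standard Linux file this page does not mention) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not RSBAC project code): find leftover rsbac_softmode settings.
# The parameter name and the GRUB file paths are the ones this page uses.

# has_param PARAM CMDLINE: succeed if PARAM is a whole word of CMDLINE, so a
# longer parameter that merely starts with the same text is not reported.
has_param() (
    set -f                        # no globbing while splitting into words
    for word in $2; do
        [ "$word" = "$1" ] && return 0
    done
    return 1
)

# scan_config FILE: print FILE:LINE for each non-comment line that passes
# rsbac_softmode; succeed if at least one such line exists.
scan_config() {
    [ -r "$1" ] || return 1
    lineno=0 found=1
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line#"${line%%[![:space:]]*}"}     # strip leading whitespace
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        if has_param rsbac_softmode "$line"; then
            echo "$1:$lineno: $line"
            found=0
        fi
    done < "$1"
    return $found
}

# audit_rsbac_boot: check the running kernel (/proc/cmdline, an assumption of
# this example) and the GRUB files named on the page; status 1 means Softmode
# is still configured somewhere.
audit_rsbac_boot() {
    status=0
    if [ -r /proc/cmdline ] && has_param rsbac_softmode "$(cat /proc/cmdline)"; then
        echo "running kernel: rsbac_softmode is set, RSBAC is not enforcing"
        status=1
    fi
    for cfg in /boot/grub/grub.conf /boot/grub/menu.lst; do
        if scan_config "$cfg"; then status=1; fi
    done
    return $status
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit_rsbac_boot; fi
```

Run it with --audit once configuration is finished; a non-zero exit status means a boot entry or the running kernel still has Softmode on.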
CONFIG_RSBAC_INIT_DELAY
) inside of the “General RSBAC options” in your kernel configuration