Preparing your boot loader

You will need a few special options for your first RSBAC boot. If you need it, we have a complete (and extensive) list of kernel parameters.

When you boot, the default RSBAC policy will disallow any setuid call, which means you will not be able to log in! To work around this, you can tell RSBAC at boot time to allow /bin/login (the program that handles console logins) to set UIDs, by adding the rsbac_auth_enable_login parameter.

Note: please see the next paragraph before blindly following the instructions here. You will probably prefer to use Softmode for the first boot.

lilo: FIXME

Grub:

# edit /boot/grub/grub.conf (or /boot/grub/menu.lst) or equivalent:
kernel /boot/your-rsbac-kernel-image rsbac_auth_enable_login

You can now reboot and check that everything is fine. You will be able to log in as root and as secoff (the Security Officer, as that account is sometimes called), but many things might fail to start or work because they are denied.

Important: an easier, and also recommended, solution is to enable Softmode the first time.

What is Softmode?

As the name implies, Softmode does not enforce the RSBAC restrictions. You will still see the denied entries in RSBAC's log, but everything will work as it would on a normal system. This way, you can trigger every error and see what is getting denied and what needs to be allowed, in a flexible manner, without ever locking yourself out of the machine.

You can boot in Softmode by adding the rsbac_softmode parameter:

lilo: FIXME

Grub:

# edit /boot/grub/grub.conf (or /boot/grub/menu.lst) or equivalent:
kernel /boot/your-rsbac-kernel-image rsbac_softmode

Important: please remember to turn off the Softmode option when your system is ready and completely configured! This is only a convenience option and could lower your system security if left on.

You can now start your computer with the RSBAC-enabled kernel!
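
To check later that the two first-boot parameters described above are no longer present, the following added example (not part of the RSBAC handbook or tools) scans a boot loader configuration and a kernel command line for them. It assumes the GRUB legacy `title`/`kernel` syntax shown on this page; the function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: report boot entries that still carry the first-boot
# RSBAC parameters named on this page.
FIRST_BOOT_PARAMS="rsbac_softmode rsbac_auth_enable_login"

# flagged_params "kernel arguments" -> prints each first-boot parameter that
# appears as a whole word; longer names sharing the prefix are not matched.
flagged_params() {
    set -f                                  # no globbing while splitting
    for want in $FIRST_BOOT_PARAMS; do
        for word in $1; do
            if [ "$word" = "$want" ]; then echo "$want"; break; fi
        done
    done
    set +f
}

# audit_grub FILE -> prints "entry title: parameter" for every kernel line
# (GRUB legacy grub.conf / menu.lst syntax) carrying such a parameter.
audit_grub() {
    conf=$1
    title="(untitled)"
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f        # split on whitespace only
        case "${1:-}" in
            title)  shift; title="$*" ;;
            kernel) shift
                    for p in $(flagged_params "$*"); do
                        echo "$title: $p"
                    done ;;
        esac
    done < "$conf"
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
title RSBAC first boot
kernel /boot/your-rsbac-kernel-image root=/dev/sda1 rsbac_softmode
title RSBAC enforcing
kernel /boot/your-rsbac-kernel-image root=/dev/sda1
EOF
audit_grub "$sample"       # prints the entry that still needs cleaning up
# The same check against the running kernel (prints nothing if clean):
flagged_params "$(cat /proc/cmdline 2>/dev/null)"
rm -f "$sample"
```

Point `audit_grub` at your own /boot/grub/grub.conf or /boot/grub/menu.lst once the system is configured; any line it prints names an entry that still boots with a first-boot parameter.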

Troubleshooting boot problems

  • Are you using a ramdisk or initrd?
    • If so, you will need to enable the “Delayed init for initial ramdisk” option (CONFIG_RSBAC_INIT_DELAY) under “General RSBAC options” in your kernel configuration.



documentation/rsbac_handbook/installation/first_boot.txt · Last modified: 2009/01/12 11:38 by 127.0.0.1
