[grsec] pax and kaspersky kavscanner

Jens-Uwe Katolla katolla at otris.de
Tue Mar 8 05:24:10 EST 2005


Ok, but now I am confused about the rsbac documentation,
if I use chpax -m and start the scanner with option -f meaning 
ignore the bad signature the scanner works. So I thought M would be the 
right option in the grsecurity policy file. So I added the following line:

subject /opt/kav/bin/kavscanner M

but this did not help at all.

Reading the documentation on the grsecurity homepage (which is outdated 
and only about version 1.5) it says M is the right option to disable the 
memprotect feature of pax.

Reading the sample policy says M would mean "M -> audit the setuid/setgid 
creation/modification"

So what is the correct config for /etc/grsec/policy or where can I find 
recent documentation?

This pax stuff is great, but it seems the documentation is way behind.

On Tue, 8 Mar 2005 pageexec at freemail.hu wrote:

> > But I think it could be nice to have a config file where I can tell which 
> > executables are unclean and where pax should drop some of its checking 
> > features or does that open too many holes in the pax system? Maybe as a 
> > compile-time option like softmode.
> 
> what you are describing is a sort of access control for the file
> system and that's what grsecurity/RSBAC/SElinux are for, it's a
> very intentional choice on my part to not do this in PaX itself.
> 
> 

-- 
Jens-Uwe Katolla                         katolla at otris.de

otris software AG                        http://www.otris.de
Landgrafenstr. 153                       Fon  +49 (0)231  95 80 69 -0
D-44139 Dortmund                         Fax  +49 (0)231  95 80 69 -44



