[grsec] pax and kaspersky kavscanner
Jens-Uwe Katolla
katolla at otris.de
Tue Mar 8 05:24:10 EST 2005
Ok, but now i am confised about the rsbac documentation,
if i use chpax -m and start the scanner with option -f meaning
ignore the bad signature the scanner works. So i thought M would be the
right option in the grsecurity policy file. So i added the following line:
subject /opt/kav/bin/kavscanner M
but this did not help at all.
Reading the documentation on the grsecurity homepage (which is outdated
and only about version 1.5) it says M is the right option to disable the
memprotect feature of pax.
Reading the sample policy says M would mean "M -> audit the setuid/setgid
creation/modification"
so what is the correct config for /etc/grsec/policy or where can i find
recent documentation?
This pax stuff is great, but it seams the documentation is way behind.
On Tue, 8 Mar 2005 pageexec at freemail.hu wrote:
> > But i think it could be nice to have a config file where i can tell which
> > executables are unclean and where pax should drop some of it checking
> > features or does that open to many holes in the pax system? Maybe as an
> > compile-time option like softmode.
>
> what you are describing is a sort of access control for the file
> system and that's what grsecurity/RSBAC/SElinux are for, it's a
> very intentional choice on my part to not do this in PaX itself.
>
>
--
Jens-Uwe Katolla katolla at otris.de
otris software AG http://www.otris.de
Landgrafenstr. 153 Fon +49 (0)231 95 80 69 -0
D-44139 Dortmund Fax +49 (0)231 95 80 69 -44
More information about the grsecurity
mailing list