RSBAC Changes in recent versions
--------------------------------

1.2.4:
 - Add user management tools with all {user|group}{add|mod|del} functionality
 - Add GROUP target to tools
 - Add PAM and NSSwitch modules to access the new user management to contrib dir
 - Cross linked HTML output in rc_get_item htmlprint.
 - Add rsbac_list_ta tool for transaction support for administration: begin, add a set of desired changes, commit atomically or forget. Change all existing tools to use transaction numbers.
 - Correct role and type values in rc_getname item parameters.
 - Add rc_copy_type
 - Add RC type copying to rsbac_rc_type_menu
 - Add PaX default value switch to attr_back_fd, because PaX defaults are now configurable.

1.2.3:
 - Made librsbac.a a dynamic lib librsbac.so with version numbers
 - Added PaX module support
 - Added support for new attributes
 - RC pretty-print config output with rc_get_item print
 - Reject unknown usernames in all tools instead of using numerical value 0.
 - Fix admin tools segfault when using -V without parameter
 - New rc_get_current_role
 - New mac_set_trusted tool for mac_trusted_for_user with list instead of single user.
 - Change rsbac_jail syntax to make chroot() and IP address optional
 - New optional rsbac_jail parameter max_caps, which limits the Linux capabilities of all processes in the jail
 - New JAIL module regression suite in contrib
 - Added backup of RES user settings

1.2.2:
 - Added MS need_scan attribute
 - Syscall version numbers
 - New attributes for RES module
 - rsbac_init tool for delayed init
 - New AUTH caps for eff/fd owner in FD menu
 - MAC wrap and attribute changes for new MAC implementation
 - New system role Auditor in user menu

1.2.1:
 - Removed target type checks, which are now all in kernel (including FD target type).
 - Added recursion support for attr_back_dev.
 - Added JAIL module support
 - Added logging of all RSBAC setting modifications through menus (RSBACLOGFILE setting)

1.2.0:
 - Added module parameter to all rsbac_get/set_attr calls
 - Updated user menu to use new mac_role etc. instead of system_role
 - Added min/max_cap attributes
 - Changed RC menus to support unlimited roles and types and 32 Bit values
 - Added rsbac_dialog, a copy of standard dialog with several enhancements (like --menu3 with help button)
 - Changed menus and tools to support new NET targets
 - Added help to all menus
 - Added network and network template menus
 - Added ttl support to ACL tools and menus
 - Added ttl support in RC tools
 - Updated rsbac_dialog and moved to subdir (Thanks to Stanislav again)

1.1.2:
 - Changed build process to autoconf/automake (Stanislav Ievlev)
 - Added dialog tool check to menus
 - Added SYMLINK target support to most tools and menus
 - Got REG samples moved from kernel part to examples/reg
 - Removed write_list feature from rsbac_pm
 - added rc_initial_role to FD tools
 - added ff_flag append_only
 - changed tmp file allocation to mktemp
 - added contrib/rsu (RC role-su) by Stanislav Ievlev
 - added linux2acl, a Linux rights to ACL converter
 - attr_back_fd now supports MAC with and without def_inherit

1.1.1:
 - Support for FIFO targets added
 - Internationalization added for command line tools, languages ru and de
 - attr_[gs]et_fd now support FD target
 - *_back_* now need a switch for *not* writing to stdout

1.1.0:
 - 'copy rights to type' added to rc_set_item and rsbac_rc_role_menu

1.0.9c:
 - acl_rm_user added
 - file/dir selection changed in menus
 - examples/backup_all added
 - new rsbac-klogd

1.0.9b:
 - Support for 32 Bit Uids/Gids
 - Support for new attributes log_program_based and log_user_based
 - Support for AUTH cap ranges
 - Support for new MAC security levels 0-252
 - Removed obsolete useraci file installation
 - Russian menus and man pages added (thanks to our Russian team, see rus/README)

1.0.9a:
 - Added acl_group for full ACL group administration
 - Updated and changed RC tools for new separation of duty
 - Added ACL menu tools, with necessary additions to command line tools
 - Updated menus for new RC force role inherit_up_mixed

1.0.9:
 - Added support for long file/dir names and for those with spaces to rsbac_fd_menu
 - Changed rc_get_item, rc_set_item and rsbac_rc_role_menu to support the changed RC model. The new model distinguishes between all requests for role to type compatibility, allowing for much finer security settings.
 - Added acl_rights, acl_tlists, acl_grant and acl_mask for complete ACL model administration

1.0.8:
 - Added RC attributes
 - Wrote RC admin tools: rc_copy_role, rc_get_item, rc_set_item, rc_role_wrap
 - Wrote rsbac_rc_role_menu and rsbac_rc_type_menu
 - Added AUTH attributes to file/dir and process tools
 - Wrote AUTH admin tools auth_set_cap and auth_back_cap
 - Added MAC category support to most tools and to most menus
 - Wrote mac_wrap_cat, a simple category wrapper similar to mac_wrap for security levels.
 - Made tools compliant with glibc

1.0.7a:
 - Added recursion to attr_set_fd
 - Added recursive attr_rm_fd and attr_rm_file_dir to reset all attribute values to defaults for a target by removing the list entry.
 - Added resetting to rsbac_fd_menu

1.0.7:
 - Added inherit values to security_level, object_category and data_type in rsbac_fd_menu
 - Added menu item to change between effective and real attribute values
 - Added support for different screen sizes - if LINES and COLUMNS are exported from bash (e.g. in /etc/profile)

1.0.6:
 - Changed rsbac_fd_menu and rsbac_process_menu to tristate ms_trusted
 - Added attribute ff_flags with bit values to rsbac_fd_menu
 - Added rsbac_check to call sys_rsbac_check(), which checks attribute consistency

1.0.5:
 - rsbac_write added to call sys_rsbac_write = save attributes now
 - mac_wrap added to start a program with changed maximum security level (not the process owner's), e.g. from inetd
 - user_aci.sh added to set default roles with maintenance kernel

1.0.4:
 - Attributes mac_trusted_for_user, ms_sock_trusted_tcp/udp added to FILE utils
 - Attributes ms_sock_trusted_tcp/udp added to process utils
 - Attributes ms_trusted, ms_sockbuf, ms_str_nr, ms_str_offset, ms_scanned added to ipc utils
 - Attribute object_type removed from ipc utils, as in kernel - was IPC all the time anyway
 - Adjusted syscall return value interpretation to 2.1 kernels

1.0.3:
 - Target DEV added to file/dir utilities. rsbac_dev_menu added. Now devices can get their own attributes based on major/minor numbers, not only based on their file representations in /dev, which can be easily duplicated.
 - Attribute object_type removed from rsbac_fd_menu, was not used anyway and removed in rsbac/kernel.
 - attr_back_fd added. (Recursive) backup of all attribute values for those files/dirs given in command line. Only non-default values are saved. Output script file contains all attr_set_file_dir calls needed to restore.
 - Similar attr_back_user and attr_back_dev added.
 - Attributes log_array_low and log_array_high added to file/dir/dev utils.
 - Administration menu for (file/dir/dev X request) log levels added to rsbac_fd_menu and rsbac_dev_menu.
 - Command line utils also got log_level special options.

20/Apr/2001
Amon Ott