On Wed, Feb 18, 2009 at 02:25, Javier J. Martínez Cabezón <[email protected]> wrote: > Hi, I think that /sbin/rc should be changed from a shell script, the > reason is that with gentoo hardened, security policies could be done > removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my > setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and > CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others > utmp has owner as audit user. Since root has not capabilities this > file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a > minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's > a bash shell-script, and granting it to mv, chmod etc is not a good > idea as you can suppose :). Could it be done?
Beyond the fact that rsbac-admin and rsbac-sources have been removed, there's no reason you can't do this. In my ~ARCH hardened systems with openrc, /sbin/rc is a binary and not a shell script.
