About RSBAC upgrades

This document covers the upgrade steps to follow after each major RSBAC release. If you skipped one or more major releases and are upgrading directly to the latest RSBAC release, scroll down to find all the changes that will affect you during your upgrade.

Important: Always refer to this document before proceeding with an RSBAC upgrade. It will always reflect the latest important changes.






Upgrading from v1.3.x to v1.4.0

  • Install the new kernel, install new tools, and reboot. Nothing special here, all lists get upgraded automatically.

Upgrading from v1.2.x to v1.3.0

  • Compile and install the new version as usual, but with Softmode and RSBAC's own logging support (see Quick install). Attention: After installing the new admin tools, you can only use the proc interface to change settings until you reboot!
  • Reboot into new kernel with kernel parameters rsbac_softmode and rsbac_nosyslog - the system will most likely be unusable without them.
  • You can get at the new logging source with “cat /proc/rsbac-info/rmsg” as secoff (uid 400). If you want, you can install rsbac_klogd from admin tools contrib which essentially does the same job, but calls setuid(400) itself and logs to a file, or use syslog-ng and specify /proc/rsbac-info/rmsg as additional logging source.
  • RC/ACL: If the additional CHANGE_OWNER check on USER targets has been enabled: Add the CHANGE_OWNER right to USER targets for users, roles, groups - the log will tell you (rsbac_rc_role_menu, rsbac_acl_menu).
  • RC/ACL: If you use RSBAC User Management, make sure to allow the new AUTHENTICATE request on your USER targets for all processes that need to check passwords.
  • RC/ACL: As named Unix sockets are now FD targets, add network access rights to their types. Use role setting def_unixsock_create_type, if you prefer different RC types for sockets.
  • RC/ACL: As unnamed Unix sockets are now IPC unixsock targets, add network related access rights to your IPC types or ACL :DEFAULT: target.
  • Network Templates: Although upgrading is automatic, consider merging templates. You can now use up to 25 IP addresses and up to 10 port ranges in a single template. Remove UNIX templates; they have no meaning here, because Unix sockets are now IPC unixsock targets (unnamed) and UNIXSOCK targets (named, FD target).
  • Restart important services, e.g. sshd, and check for problematic log messages.
  • When the system seems to run fine without problems, reboot without softmode (you can turn off softmode with “switch_module SOFTMODE 0” and reboot later, but you should check whether the system comes up correctly ASAP).
  • (optional) When happy, recompile kernel without softmode and reinstall.
  • Report any missing items or problems to the mailing list and/or the Bugtracker (SSL).
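
The softmode steps in the upgrade sections on this page all depend on reading the RSBAC log to find out which rights still have to be added. The script below is an added example, not part of the RSBAC admin tools: it tallies NOT_GRANTED decisions per module, request, target type and program, and offers a check to run before switching softmode off. The log line layout and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the RSBAC tools.
# ASSUMPTION: one decision per line, comma-separated "key value" fields,
# ending in "result NOT_GRANTED ... by MODULE [MODULE...]".

# Constructed sample log text (not captured from a real system).
sample_rmsg() {
cat <<'EOF'
rsbac_adf_request(): request IOCTL, pid 412, prog_name sshd, uid 0, target_type DEV, result NOT_GRANTED (Softmode) by RC
rsbac_adf_request(): request IOCTL, pid 418, prog_name sshd, uid 0, target_type DEV, result NOT_GRANTED (Softmode) by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 530, prog_name ntpd, uid 0, target_type NETOBJ, result NOT_GRANTED (Softmode) by RC ACL
rsbac_adf_request(): request AUTHENTICATE, pid 601, prog_name sshd, uid 0, target_type USER, result NOT_GRANTED (Softmode) by ACL
rsbac_adf_request(): request READ_OPEN, pid 610, prog_name cat, uid 400, target_type FILE, result GRANTED by RC
EOF
}

# stdin: log text. stdout: "count module request target_type prog_name",
# one line per distinct denial, i.e. one right to review per line.
summarize_denials() {
    awk -F', ' '
    /result NOT_GRANTED/ {
        req = "?"; tt = "?"; prog = "?"; mod = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /request [A-Z_]+$/)   { req = $i; sub(/^.*request /, "", req) }
            else if ($i ~ /^prog_name /)   { prog = substr($i, 11) }
            else if ($i ~ /^target_type /) { tt = substr($i, 13) }
            else if ($i ~ /^result /)      { mod = $i; if (!sub(/^.* by /, "", mod)) mod = "?" }
        }
        n = split(mod, mods, " ")          # a denial may name several modules
        for (j = 1; j <= n; j++) count[mods[j] " " req " " tt " " prog]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Exit status 0 only when stdin contains no NOT_GRANTED decision.
no_denials_left() {
    ! grep -q 'result NOT_GRANTED'
}

# Demo on the constructed sample; on a real system feed the file written by
# rsbac_klogd or syslog-ng instead (its path is site-specific).
sample_rmsg | summarize_denials
```

Each output line names one module, request and target type to review in rsbac_rc_role_menu or rsbac_acl_menu; run no_denials_left over the log collected after restarting services before turning softmode off.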

Upgrading from v1.2.5 to v1.2.x

  • The 1.2 series functionality was frozen with 1.2.5, so all upgrades from 1.2.5 to any later 1.2.x should work without manual work. Just compile the new kernel and tools version, install and reboot.

Upgrading from v1.2.4 to v1.2.5

  • Compile and install the new version as usual, but with Softmode and RSBAC's own logging support (see Quick install). Attention: After installing the new admin tools, you can only use the proc interface to change settings!
  • Reboot into new kernel with kernel parameters rsbac_softmode and rsbac_nosyslog - the system will most likely be unusable without them.
  • You can get at the new logging source with “cat /proc/rsbac-info/rmsg” as secoff (uid 400). If you want, you can install rsbac_klogd from admin tools contrib which essentially does the same job, but calls setuid(400) itself and logs to a file.
  • RC: Add IOCTL right for all roles to DEV and NETOBJ types as required - the log will tell you. It is advisable to use the new device major objects (rsbac_rc_role_menu).
  • RC: Add GET_PERMISSIONS_DATA and MODIFY_PERMISSIONS_DATA rights for all roles to tty devices as required - the log will tell you. It is advisable to use the new device major objects (rsbac_rc_role_menu).
  • RC/ACL: Add GET_STATUS_DATA and MODIFY_SYSTEM_DATA rights to the new SCD targets quota, sysctl, nfsd, ksyms and mlock as required.
  • RC/ACL: Add ADD_TO_KERNEL and REMOVE_FROM_KERNEL rights to the swap devices and files (DEV and FILE targets) as required.
  • ACL: Add IOCTL right for all subjects to DEV and NETOBJ objects as required - the log will tell you. It is advisable to use the new device major ACLs (rsbac_acl_menu).
  • Restart important services, e.g. sshd, and check for problematic log messages.
  • When the system seems to run fine without problems, reboot without softmode (you can turn off softmode with “switch_module SOFTMODE 0” and reboot later, but you should check whether the system comes up correctly ASAP).
  • (optional) When happy, recompile kernel without softmode and reinstall.
  • Report any missing items or problems to the mailing list and/or the Bugtracker (SSL).

Upgrading from v1.2.3 to v1.2.4

  • Compile and install new version as usual, but with Softmode support (see Quick install). Attention: After installing the new admin tools, you can only use the proc interface to change settings!
  • Reboot into new kernel with kernel parameter rsbac_softmode.
  • If the system is unusable because too many log messages are scrolling through, enable RSBAC's own log facility in the RSBAC kernel configuration (if not yet there), reinstall (ditto) and turn off syslog logging with the rsbac_nosyslog kernel parameter. You can get at the new logging source with rsbac_klogd from admin tools contrib or “cat /proc/rsbac-info/rmsg” as secoff (uid 400).
  • RC: Add GET_STATUS_DATA right for all roles to NETOBJ types as required - the log will tell you (rsbac_rc_role_menu).
  • RC: With option “RC check access to UNIX partner process”: Add CONNECT, ACCEPT, SEND and RECEIVE rights for all roles to PROCESS types as required - the log will tell you (rsbac_rc_role_menu).
  • RC: With User management: Add rights for all roles to USER and GROUP types as required - the log will tell you (rsbac_rc_role_menu).
  • ACL: With User management: Add rights to USER and GROUP :DEFAULT: or individual users and groups as required - the log will tell you (rsbac_acl_menu).
  • Restart important services, e.g. sshd, and check for problematic log messages.
  • When the system seems to run fine without problems, reboot without softmode (you can turn off softmode with “switch_module SOFTMODE 0” and reboot later, but you should check whether the system comes up correctly ASAP).
  • (optional) When happy, recompile kernel without softmode and reinstall.
  • Report any missing items or problems to the mailing list and/or the Bugtracker (SSL).

Upgrading from v1.2.2 to v1.2.3

  • Compile and install new version as usual, but with Softmode support (see Quick install). Attention: After installing the new admin tools, you can only use the proc interface to change settings!
  • JAIL: Change all calls to rsbac_jail tool in your init scripts to the new syntax: chroot-dir and IP are now optional with -R and -I. You should consider using the new Linux capability limitation in JAIL module.
  • Reboot into new kernel with kernel parameter rsbac_softmode.
  • If the system is unusable because too many log messages are scrolling through, enable RSBAC's own log facility in the RSBAC kernel configuration (if not yet there), reinstall (ditto) and turn off syslog logging with the rsbac_nosyslog kernel parameter. You can get at the new logging source with rsbac_klogd from admin tools contrib or “cat /proc/rsbac-info/rmsg” as secoff (uid 400).
  • RC: Add GET_STATUS_DATA and MODIFY_SYSTEM_DATA rights for all roles to DEV and PROCESS types as required - the log will tell you (rsbac_rc_role_menu).
  • ACL: Add GET_STATUS_DATA and MODIFY_SYSTEM_DATA rights to DEV and PROCESS :DEFAULT: ACLs as required (rsbac_acl_menu).
  • MAC: “attr_set_file_dir MAC FILE mac_trusted_for_user” is no longer supported and has been replaced with: “mac_set_trusted [switches] TYPE add/remove target user1 user2 ...”
  • Restart important services, e.g. sshd, and check for problematic log messages.
  • When the system seems to run fine without problems, reboot without softmode (you can turn off softmode with “switch_module SOFTMODE 0” and reboot later, but you should check whether the system comes up correctly ASAP).
  • (optional) When happy, recompile kernel without softmode and reinstall.
  • Report any missing items or problems to the mailing list and/or the Bugtracker (SSL).
 

documentation/rsbac_handbook/maintenance/upgrade_and_migration.txt · Last modified: 2009/01/12 12:18 by ao