[rsbac] RSBAC: Inconsistencies, confusion galore...

Michael Chang rsbac@rsbac.org
Fri Jan 3 08:41:01 2003

Hi, folks.

I'm having a problem, here.  Well, several, actually.

Here's one:
When I use attr_set_fd to tell rsbac to log all EXECUTE 
requests for /sbin/ifconfig, it appears as though all of the 
log_program_based bits are cleared.

[secoff@polaris rsbac]$ attr_set_fd -v GEN FILE log_program_based EXECUTE 
attr_set_fd: 1 targets
Processing FILE '/sbin/ifconfig', attribute log_program_based, value 0

[secoff@polaris rsbac]$ attr_get_fd -v GEN FILE log_program_based 
attr_get_fd: 1 targets
Processing FILE '/sbin/ifconfig', attribute log_program_based
/sbin/ifconfig: Returned value: 00000000000000000000000000000000000000000000

Now, when I run /sbin/ifconfig, nothing gets logged (nothing in the kernel 
logs, and nothing in /proc/rsbac-info/rmsg).  I know that logging does 
work, since it get request notifications for other actions.

Am I using the wrong utility?  Based upon the behaviour of attr_set_fd, it 
appears as though it *is* the correct utility.  Which leads me to another 
question: What is the difference between FILE and FD?  In my 
understanding, FD (or 'fd') is lingo for 'file descriptor', and file 
descriptors only apply to "files" which are currently open in a process.
However, the rsbac utilities imply, in their usage output, that FD is a 
shortcut which can be applied against both files and directories (but not 
device files).  There appears to be a discrepancy, then, since there is an 
attr_set_file_dir utility --- this implies that an FD is *not* the same as 
a FILE or DIR, otherwise three separate utilities wold not exist.  
Therefore, the only logical conclusion that I can come up 
with is that FD can only be used against files which have been opened (by 
open(), etc.) by a currently running process.  If I'm wrong, please let 
me know.  I'm confused up to my ears.
The same logic that I used above is also applicable to the 3 utilities,
'attr_set_up', 'attr_set_user', and 'attr_set_process'.  If attr_set_up 
can be applied to both processes and users, then why do there exist 
separate utilities for changing the attributes for processes and users?
Again, I'm confused up to my ears.

Another question: What is the relationship between AUTH and CAPABILITIES 
in the context of the RSBAC implementation?

More questions: What is the difference between the acl_rights and 
acl_tlist utilities?  When setting rights for a target of type PROCESS, 
are those rights only retained for the lifetime of a process, or do the 
rights apply indefinitely for each and every subsequent invocation of an 
executable which produces the same process image?  When I remove the 
DELETE attribute for an executable, does it mean that the executable 
itself can no longer be deleted, or does it mean that the executable 
cannot call unlink()?  Have I mentioned, yet, that I'm confused up to my 
ears?  :)

I hope someone has the time to reply with some answers.  I'm unable to 
find any man pages for the utilities, so some guidance would be 


* "Afraid of change, afraid of staying the same,
*  when temptation calls, we just look away."
*  - Barenaked Ladies
* "He started writing in mirror writing, 'Help! I'm
*  trapped behind the world.'"
*  - New York State Journal of Medicine
* Michael Chang
* miranda@uranus.com
* http://www.syndetic.org/