[rsbac] Role to Type compatibility questions
Chirag Pandya
searchformehere at yahoo.com
Wed Oct 15 14:21:19 MEST 2003
SCENARIO 1
I have a special directory with the following settings
"/etc/myspecialdir"
RC TYPE FD = 4
RC FORCE ROLE = 4294967292 / inh. from user on chown only
RC INITIAL ROLE = 4294967291 / user force_role (root default)
I have a special ROLE 3 with type compatibility with TYPE 4 as follows
CHDIR, CLOSE, CREATE, EXECUTE, GET_PERM_DATA, GET_STATUS_DATA, READ, READ_ATTR, READ_OPEN, SEARCH, MAP_EXEC
Questions:
1. As role 3, I am able to do "vi type_3_file" in my
special directory and write to it. Should this happen?
/var/log/messages does complain as follows
rc_role 3, rc_type 4 request is WRITE -> NOT_GRANTED
request WRITE, prog_name vi, target_type DIR, Path /etc/myspecialdir
"vi" somehow bypasses RC. Role 3's default create
type is 3, and if I look closely, the newly created
file ends up with a type 3.
2. If (as role 3) in the special directory I try
"mv type_3_file new_type_3_file"
this operation fails.
Anyone noticed similar things? Is "vi" a bad choice?
SCENARIO 2
I have a script as follows (myscript)
#!/bin/bash
echo "hello"
with the following
RC_TYPE_FD = 3
RC_FORCE_ROLE = 4294967293 /inherit parent directory
RC_INITIAL_ROLE = 4294967293
root's (role 2) compatibility with TYPE 3 is
CHDIR, CLOSE, GET_PERMISSIONS_DATA, GET_STATUS_DATA,
READ, READ_OPEN, SEARCH,
Question:
As root, this fails
bash#./myscript
bash# ./myscript: /bin/bash: bad interpreter: Operation not permitted
but this works
bash#bash myscript
hello
Can anyone else verify such behavior? Am I doing
something wrong?
Regards
--Chirag
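
Added example (not part of the original post and not RSBAC's own code): a simplified model of the RC role-to-type check, using the compatibility sets and the denial text quoted in the post, that reports whether a logged denial follows from the listed rights. The mapping of each Scenario 2 command to a request is an assumption, as are the names COMPAT, granted and explain_denials.

```python
import re

# Role-to-type compatibility sets copied from the post, keyed by (role, type).
# Request names are spelled as the poster wrote them.
COMPAT = {
    (3, 4): {"CHDIR", "CLOSE", "CREATE", "EXECUTE", "GET_PERM_DATA",
             "GET_STATUS_DATA", "READ", "READ_ATTR", "READ_OPEN", "SEARCH",
             "MAP_EXEC"},
    (2, 3): {"CHDIR", "CLOSE", "GET_PERMISSIONS_DATA", "GET_STATUS_DATA",
             "READ", "READ_OPEN", "SEARCH"},
}

# Denial text from Scenario 1, as quoted in the post (line wraps included).
SAMPLE_LOG = """rc_role 3, rc_type 4 request is WRITE -> NOT_GRANTED
request WRITE, prog_name vi, target_type DIR, Path
/etc/myspecialdir"""

DENIAL = re.compile(
    r"rc_role (?P<role>\d+), rc_type (?P<type>\d+) request is (?P<req>\w+) "
    r"-> NOT_GRANTED.*?prog_name (?P<prog>\S+), target_type (?P<target>\w+), "
    r"Path (?P<path>\S+)")

# Assumption (not stated in the post): which request each way of starting
# the Scenario 2 script raises against the script's own type.
INVOCATION_REQUEST = {"./myscript": "EXECUTE", "bash myscript": "READ_OPEN"}


def granted(role, rc_type, request):
    """Simplified RC check: is the request in the role's set for this type?"""
    return request in COMPAT.get((role, rc_type), set())


def explain_denials(log_text):
    """Parse denial records and say whether the listed rights account for them."""
    records = []
    for m in DENIAL.finditer(" ".join(log_text.split())):
        role, rc_type = int(m["role"]), int(m["type"])
        records.append({
            "prog": m["prog"], "request": m["req"],
            "target": m["target"], "path": m["path"],
            "expected_from_config": not granted(role, rc_type, m["req"]),
        })
    return records


if __name__ == "__main__":
    for rec in explain_denials(SAMPLE_LOG):
        print(rec)
    for cmd, req in INVOCATION_REQUEST.items():
        print(cmd, req, "granted" if granted(2, 3, req) else "not granted")
```

In this model the WRITE denial on the type 4 directory follows from role 3's listed rights, and, under the stated assumption, role 2 holds READ_OPEN but not EXECUTE on type 3.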