[rsbac] Role to Type compatibility questions

Amon Ott ao at rsbac.org
Thu Oct 16 09:56:04 MEST 2003 

On Wednesday, 15. October 2003 22:21, Chirag Pandya wrote:
> SCENARIO 1
> I have a special directory with the following settings
> "/etc/myspecialdir"
> RC TYPE FD = 4 
> RC FORCE ROLE = 4294967292 / inh. from user on chown
> only
> RC INITIAL ROLE = 4294967291 / user force_role (root
> default)
> 
> I have a special ROLE 3 with type compatibility with
> TPYE 4 as follows
> CHDIR, CLOSE, CREATE, EXECUTE, GET_PERM_DATA,
> GET_STATUS_DATA, READ, READ_ATTR, READ_OPEN, SEARCH,
> MAP_EXEC
> 
> Questions:
> 1.  As role 3, I am able to do "vi type_3_file" in my
> special directory and write to it. Should this happen?
> /var/log/messages does complain as follows
> rc_role 3, rc_type 4 request is WRITE -> NOT_GRANTED
> request WRITE, prog_name vi, target_type DIR, Path
> /etc/myspecialdir

WRITE on a dir means that someone tries to move a file/dir there. vi seems to 
create the file somewhere else and move it there as the first choice.
 
> "vi" somehow bypasses RC.  Role 3's default create
> type is 3, and if I look closely, the newly created
> file ends up with a type 3.

The CREATE allows to create the file in a dir of type 4. The 
default_fd_create_type makes the file get type 3, so the rights to type3 
apply for OPEN, TRUNCATE, DELETE, etc.
 
> 2.  If (as role 3) in the special directory I try 
> "mv type_3_file new_type_3_file"
> this operation fails.

You have no WRITE right on the DIR, but you need it to move/rename the file. 
The above log message corresponds to this.
 
> Anyone noticed similar things?  Is "vi" a bad choice?

My standard editor joe works fine, if the edited file already 
exists, but it would also create a new file with type 3.
 
> SCENARIO 2
> I have a script as follows (myscript) 
> #!/bin/bash
> echo "hello"
> 
> with the following
> RC_TYPE_FD = 3
> RC_FORCE_ROLE = 4294967293 /inherit parent directory
> RC_INITIAL_ROLE = 4294967293
> 
> root's (role 2) compatibility with TYPE 3 are
> CHDIR, CLOSE, GET_PERMISSIONS_DATA, GET_STATUS_DATA,
> READ, READ_OPEN, SEARCH, 
> 
> Question:
> As root, this fails
> bash#./myscript
> bash# ./myscript: /bin/bash: bad interpreter:
> Operation not permitted
> 
> but this works
> bash#bash myscript
> hello
> 
> Can anyone else verify such behavior?  Am I doing
> something wrong?

This is normal Linux / bash behaviour:

In the first case, you EXECUTE the file: sys_exec is called, the kernel 
determines the bin format, starts the interpreter given in the file and runs 
it. The interpreter will then READ_OPEN the file to interpret its contents. 
So you need both EXECUTE and READ_OPEN as the starting role.

In the second case, you start bash and tell it to READ_OPEN the file and 
interpret the contents. You only need READ_OPEN.

Even without RSBAC you must give Linux x right for ./myscript, but bash 
myscript will work with r only.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list