[rsbac] Role to Type compatibility questions
Amon Ott
ao at rsbac.org
Thu Oct 16 09:56:04 MEST 2003
On Wednesday, 15. October 2003 22:21, Chirag Pandya wrote:
> SCENARIO 1
> I have a special directory with the following settings
> "/etc/myspecialdir"
> RC TYPE FD = 4
> RC FORCE ROLE = 4294967292 / inh. from user on chown
> only
> RC INITIAL ROLE = 4294967291 / user force_role (root
> default)
>
> I have a special ROLE 3 with type compatibility with
> TPYE 4 as follows
> CHDIR, CLOSE, CREATE, EXECUTE, GET_PERM_DATA,
> GET_STATUS_DATA, READ, READ_ATTR, READ_OPEN, SEARCH,
> MAP_EXEC
>
> Questions:
> 1. As role 3, I am able to do "vi type_3_file" in my
> special directory and write to it. Should this happen?
> /var/log/messages does complain as follows
> rc_role 3, rc_type 4 request is WRITE -> NOT_GRANTED
> request WRITE, prog_name vi, target_type DIR, Path
> /etc/myspecialdir
WRITE on a dir means that someone tries to move a file/dir there. vi seems to
create the file somewhere else and move it there as the first choice.
> "vi" somehow bypasses RC. Role 3's default create
> type is 3, and if I look closely, the newly created
> file ends up with a type 3.
The CREATE allows to create the file in a dir of type 4. The
default_fd_create_type makes the file get type 3, so the rights to type3
apply for OPEN, TRUNCATE, DELETE, etc.
> 2. If (as role 3) in the special directory I try
> "mv type_3_file new_type_3_file"
> this operation fails.
You have no WRITE right on the DIR, but you need it to move/rename the file.
The above log message corresponds to this.
> Anyone noticed similar things? Is "vi" a bad choice?
My standard editor joe works fine, if the edited file already
exists, but it would also create a new file with type 3.
> SCENARIO 2
> I have a script as follows (myscript)
> #!/bin/bash
> echo "hello"
>
> with the following
> RC_TYPE_FD = 3
> RC_FORCE_ROLE = 4294967293 /inherit parent directory
> RC_INITIAL_ROLE = 4294967293
>
> root's (role 2) compatibility with TYPE 3 are
> CHDIR, CLOSE, GET_PERMISSIONS_DATA, GET_STATUS_DATA,
> READ, READ_OPEN, SEARCH,
>
> Question:
> As root, this fails
> bash#./myscript
> bash# ./myscript: /bin/bash: bad interpreter:
> Operation not permitted
>
> but this works
> bash#bash myscript
> hello
>
> Can anyone else verify such behavior? Am I doing
> something wrong?
This is normal Linux / bash behaviour:
In the first case, you EXECUTE the file: sys_exec is called, the kernel
determines the bin format, starts the interpreter given in the file and runs
it. The interpreter will then READ_OPEN the file to interpret its contents.
So you need both EXECUTE and READ_OPEN as the starting role.
In the second case, you start bash and tell it to READ_OPEN the file and
interpret the contents. You only need READ_OPEN.
Even without RSBAC you must give Linux x right for ./myscript, but bash
myscript will work with r only.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
More information about the rsbac
mailing list