[rsbac] Role to Type compatibility questions

Chirag Pandya searchformehere at yahoo.com
Thu Oct 16 07:55:16 MEST 2003


Hello All

--- Amon Ott <ao at rsbac.org> wrote:
> > SCENARIO 1
> > I have a special directory with the following settings
> > "/etc/myspecialdir"
> > RC TYPE FD = 4
> > RC FORCE ROLE = 4294967292 / inh. from user on chown only
> > RC INITIAL ROLE = 4294967291 / user force_role (root default)
> >
> > I have a special ROLE 3 with type compatibility with TYPE 4 as follows
> > CHDIR, CLOSE, CREATE, EXECUTE, GET_PERM_DATA, GET_STATUS_DATA, READ,
> > READ_ATTR, READ_OPEN, SEARCH, MAP_EXEC
> >
> > Questions:
> > 1.  As role 3, I am able to do "vi type_3_file" in my special
> > directory and write to it. Should this happen?
> > /var/log/messages does complain as follows
> > rc_role 3, rc_type 4 request is WRITE -> NOT_GRANTED
> > request WRITE, prog_name vi, target_type DIR, Path /etc/myspecialdir
>
> WRITE on a dir means that someone tries to move a file/dir there. vi
> seems to create the file somewhere else and move it there as the first
> choice.
>
> > "vi" somehow bypasses RC.  Role 3's default create type is 3, and if I
> > look closely, the newly created file ends up with a type 3.
>
> CREATE allows creating the file in a dir of type 4. The
> default_fd_create_type makes the file get type 3, so the rights to
> type 3 apply for OPEN, TRUNCATE, DELETE, etc.
>
> > 2.  If (as role 3) in the special directory I try
> > "mv type_3_file new_type_3_file"
> > this operation fails.
>
> You have no WRITE right on the DIR, but you need it to move/rename the
> file. The above log message corresponds to this.
>
> > Anyone noticed similar things?  Is "vi" a bad choice?
>
> My standard editor joe works fine, if the edited file already exists,
> but it would also create a new file with type 3.

Ok thanks.  Yes I was trying to debug a problem where
I attempted "cp" and "mv" operations in a special
multi-level tmp directory.  I was expecting MAC
errors.
When they failed due to RC, I dug into the directory
further and attempted "vi" where I ran into the
problem.  I'll change the compatibilities further +
assign proper types to my MLD's and see if I make
progress.

>
> > SCENARIO 2
> > I have a script as follows (myscript)
> > #!/bin/bash
> > echo "hello"
> >
> > with the following
> > RC_TYPE_FD = 3
> > RC_FORCE_ROLE = 4294967293 /inherit parent directory
> > RC_INITIAL_ROLE = 4294967293
> >
> > root's (role 2) compatibility with TYPE 3 are
> > CHDIR, CLOSE, GET_PERMISSIONS_DATA, GET_STATUS_DATA, READ, READ_OPEN,
> > SEARCH,
> >
> > Question:
> > As root, this fails
> > bash#./myscript
> > bash# ./myscript: /bin/bash: bad interpreter: Operation not permitted
> >
> > but this works
> > bash#bash myscript
> > hello
> >
> > Can anyone else verify such behavior?  Am I doing something wrong?
>
> This is normal Linux / bash behaviour:
>
> In the first case, you EXECUTE the file: sys_exec is called, the kernel
> determines the bin format, starts the interpreter given in the file and
> runs it. The interpreter will then READ_OPEN the file to interpret its
> contents. So you need both EXECUTE and READ_OPEN as the starting role.
>
> In the second case, you start bash and tell it to READ_OPEN the file and
> interpret the contents. You only need READ_OPEN.
>
> Even without RSBAC you must give Linux x right for ./myscript, but bash
> myscript will work with r only.

Thanks Amon!  Very useful to know. 
I'll change my compatibilities accordingly.  I don't
want root to be able to execute my special scripts
in any way.

BTW on the LSM issue, Amon wrote:
> Also, AFAIK, the solution now integrated includes US
> patented security models, which could at any time 
> be activated to earn a lot of money after selling 
> the patents.

This is what is keeping me away from learning about
the "other" product.  I doubt that I'll turn on any
of the features even if it makes it into the regular
linux kernel.  I'd rather rely and depend on RSBAC for
my security.


I'll write back if I run into more issues :-)
Regards
--Chirag
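The Linux-side analogue Amon describes at the end of scenario 2 (x needed for ./myscript, r enough for "bash myscript"), as an added shell demonstration that is not part of the thread. The throw-away script is constructed here with /bin/sh instead of /bin/bash so it runs on any POSIX system, and it assumes the current directory is writable and not mounted noexec.

```shell
# Added example: "./myscript" goes through execve(), which refuses a file
# with no x bit (even for root), while "sh myscript" only needs to read the
# file, because the interpreter merely READ_OPENs it. Under RSBAC RC the
# first path needs EXECUTE plus READ_OPEN on the script's type, the second
# only READ_OPEN.

# Create a copy of the thread's "myscript" with the given mode and print its
# path. The directory is made under $PWD (assumption: writable, exec allowed).
make_script() {
    dir=$(mktemp -d "$PWD/rcdemo.XXXXXX") || return 1
    printf '#!/bin/sh\necho "hello"\n' > "$dir/myscript"
    chmod "$1" "$dir/myscript"
    echo "$dir/myscript"
}

# Path 1: execve() on the script itself. Status 0 only if the kernel
# accepted the file as executable and the interpreter then read it.
direct_exec() {
    "$1" >/dev/null 2>&1
}

# Path 2: start the interpreter ourselves and hand it the file; the kernel
# only sees an open-for-read on myscript.
via_interpreter() {
    sh "$1" >/dev/null 2>&1
}

# Report both paths for one script as "direct=<ok|denied> interp=<ok|denied>".
outcome() {
    d=denied; i=denied
    direct_exec "$1" && d=ok
    via_interpreter "$1" && i=ok
    echo "direct=$d interp=$i"
}

r_only=$(make_script 0444)     # r only: execve refuses, interpreter reads fine
r_and_x=$(make_script 0555)    # r and x: both paths work
echo "mode 0444: $(outcome "$r_only")"     # direct=denied interp=ok
echo "mode 0555: $(outcome "$r_and_x")"    # direct=ok interp=ok
```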



