[rsbac] Log access control with RC question
Hatas, Zdenek
zdenek_hatas at hp.com
Wed Jul 14 10:35:22 CEST 2004
Hi,
My goal is to cut the objects into different sets (logs, system
binaries, configs ...), define roles and types with the RC model and
allow access to these sets for users.
Could you tell me if it's possible to separate these sets (for example
logs) with their own type and allow only specific roles (system,
daemons, but no users) to access them?
I did the following test:
defined role "Restricted User"
defined type "Logs"
set "Log" type to FD /var/log and role "Restricted User" to my testuser
(role "Restricted User" has no access to "Log" type).
1. when testuser logged in, login process tried to access logs with
testuser's UID
2. when testuser logged off, init and getty tried to access logs with
testuser's UID
So, I think, it's quite difficult (is that ever possible?) to set up,
because binaries like login access wtmp and other log files with the UID
of the user (RSBAC log says that).
Could anyone gimme a hint?
Zdenek