[rsbac] Re: [OBORONA-SPAM] rc type for /proc

Amon Ott ao at rsbac.org
Mon May 24 12:52:44 CEST 2004


On Saturday, 22 May 2004 14:30, Thomas Mueller wrote:
> On Sat, 22 May 2004 12:02:20 +0200 Michal Purzynski wrote:
> 
> >>   ACLs on /proc disappear after reboot too... I do not see decisions...
> >> 
> >> TM> I've set an rc type for fd /proc, but after every reboot /proc is set to
> >> TM> the default. Is there anything special?
> > 
> > yes, there is. /proc filesystem is `virtual`, in this way, that it does
> > not exist physically on disk, only in memory. so assigning rc type to
> > /proc filesystem needs to be done from the kernel.
> 
> I understand why I can't set different types for files below /proc/
> (because they are virtual and have no inode).
> /proc/ is a directory with an inode on my hd, so I should be able to set an
> rc type (and the type should be remembered after reboots because the
> inode doesn't change) ?

The mount point /proc on your root partition is a dir, which can get 
attributes assigned. As soon as you mount proc fs there, /proc becomes the 
root dir of a virtual fs on which no attributes can be stored.

> Every file below /proc/ gets the default 'inherit parent dir' and should
> get the type of /proc/ because of that?
> 
> What's the solution for that problem? I use devfs so it's the same for
> /dev/. Do I have to leave /proc and /dev with rc type 'inherit parent dir'
> ? So if a role wants to read in /proc I always have to give read access to
> /, /proc and /dev ?

I have startup scripts, which set all attributes for the virtual 
filesystems at boot time. If you have such a script, protect it from 
deletion and give it a proper RC initial or force role, and it can all work 
well.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
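A boot-time script of the kind Amon describes, added here as an example and not taken from the rsbac project or the thread. It assumes the rsbac-admin syntax `attr_set_fd RC DIR rc_type_fd <type> <path>` and `attr_get_fd RC DIR rc_type_fd <path>` (printing the bare value), uses a constructed table of mount points and RC type numbers, and refuses to set a type before the virtual fs is mounted, since that attribute would land on the underlying directory and vanish again at mount time.

```shell
#!/bin/sh
# Re-apply RSBAC RC types to virtual filesystems after they are mounted.
# Constructed example, not rsbac project code. Assumed rsbac-admin syntax:
#   attr_set_fd RC DIR rc_type_fd <type> <path>   (sets the type)
#   attr_get_fd RC DIR rc_type_fd <path>          (prints the type)
# Constructed table: mount point, expected fs type, RC type number to assign.
RSBAC_VFS_TABLE='/proc proc 10
/dev devfs 11'
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# is_mounted MP FSTYPE: succeed only if that fs type is mounted at MP.
# Setting the type before the mount would hit the directory on the root
# partition, not the virtual root that replaces it once mounted.
is_mounted() {
    awk -v mp="$1" -v fst="$2" \
        '$2 == mp && $3 == fst { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# set_rc_type MP TYPE: assign the type, then read it back to confirm it stuck.
set_rc_type() {
    attr_set_fd RC DIR rc_type_fd "$2" "$1" || return 1
    got=$(attr_get_fd RC DIR rc_type_fd "$1") || return 1
    [ "$got" = "$2" ]
}

# apply_virtual_fs_attrs: walk the table; return the number of entries that
# could not be applied (0 means every listed virtual fs carries its type).
apply_virtual_fs_attrs() {
    failed=0
    while read -r mp fst rctype; do
        [ -n "$mp" ] || continue
        if ! is_mounted "$mp" "$fst"; then
            echo "skip $mp: $fst not mounted yet, type would not persist" >&2
            failed=$((failed + 1))
        elif set_rc_type "$mp" "$rctype"; then
            echo "ok   $mp: rc_type_fd=$rctype"
        else
            echo "FAIL $mp: could not set or verify rc_type_fd=$rctype" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$RSBAC_VFS_TABLE
EOF
    return "$failed"
}

# Call from an init script once proc and devfs are mounted:
#   sh rsbac-vfs-attrs.sh --apply
# Then protect the script and give it a role (assumed syntax):
#   attr_set_fd RC FILE rc_initial_role <role> rsbac-vfs-attrs.sh
if [ "${1:-}" = "--apply" ]; then apply_virtual_fs_attrs; fi
```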

