[rsbac] FF and inheritance

Chirag Pandya cpandya at gmail.com
Thu Sep 9 18:10:30 CEST 2004


On Thu, 9 Sep 2004 15:38:48 +0200, Andrea Pasquinucci <cesare at ucci.it> wrote:
> Hi,
> 
> I have never used the FF module before and I am confused about inheritance.
> Various docs say that it is easy to set /etc read_only and
> /etc/mtab read+write, but ... as far as I understand, if /etc is
> read_only and there are no flags on /etc/mtab, then /etc/mtab inherits
> those of /etc and is then read_only. The only way out, it seems to me,
> is to set the flag no_execute on /etc/mtab, with which everything will be
> allowed on /etc/mtab except for EXEC. Am I right?

Did you try
attr_set_file_dir FF DIR "/etc" ff_flags 1
attr_set_file_dir FF FILE "/etc/mtab" ff_flags 9

Now /etc/mtab is read/write and /etc is read-only.

> 
> Related question: if I set /etc read_only with FF, can I use another
> model (RC, ACL) to declare /etc/onefile to be writable by user/process X?

You could use
attr_set_file_dir FF DIR "/etc" ff_flags 1
attr_set_file_dir FF FILE "/etc/onefile" ff_flags 0

Now protect "onefile" using another model.

Hope this helps
Chirag
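Added here as a model of how the flags in the commands above combine along a path; this is my own illustration, not code from the thread or from RSBAC itself. It assumes the flag bit values read_only=1, execute_only=2, search_only=4, write_only=8, secure_delete=16, no_execute=32 and add_inherited=64 (assumed to be the default on every object), and the rule that an object's effective flags are its own flags, with the parent's effective flags OR-ed in only while add_inherited is set on that object. The values 1, 9 and 0 from the commands above are run through it, with the path modelled as /, /etc and the leaf file.

```shell
#!/bin/sh
# Added model of RSBAC FF flag inheritance (illustration only, not RSBAC code).
# Assumed bit values:
FF_READ_ONLY=1
FF_EXECUTE_ONLY=2
FF_SEARCH_ONLY=4
FF_WRITE_ONLY=8
FF_SECURE_DELETE=16
FF_NO_EXECUTE=32
FF_ADD_INHERITED=64   # assumed default value on every file and directory

# ff_effective PARENT_EFFECTIVE OWN
# Assumed rule: the object's own flags always apply; the parent's effective
# flags are added only while add_inherited is set on the object itself.
ff_effective() {
    parent=$1
    own=$2
    if [ $(( own & FF_ADD_INHERITED )) -ne 0 ]; then
        echo $(( own | parent ))
    else
        echo "$own"
    fi
}

# ff_path_effective OWN_FLAGS_OF_ROOT ... OWN_FLAGS_OF_LEAF
# Resolves the flags from the top of the path down and prints the leaf's
# effective value.
ff_path_effective() {
    eff=0
    for own in "$@"; do
        eff=$(ff_effective "$eff" "$own")
    done
    echo "$eff"
}

# ff_names FLAGS: symbolic names of the bits set in FLAGS, space separated.
ff_names() {
    f=$1
    out=""
    for pair in 1:read_only 2:execute_only 4:search_only 8:write_only \
                16:secure_delete 32:no_execute 64:add_inherited; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( f & bit )) -ne 0 ]; then
            out="$out $name"
        fi
    done
    echo "${out# }"
}

# Scenario from the question: /etc set to 1, /etc/mtab left at the default.
# Own flags along the path: / = 64, /etc = 1, /etc/mtab = 64.
v=$(ff_path_effective 64 1 64)
echo "/etc=1, /etc/mtab untouched -> $v ($(ff_names "$v"))"

# First answer: /etc/mtab set to 9, which leaves add_inherited clear.
v=$(ff_path_effective 64 1 9)
echo "/etc=1, /etc/mtab=9          -> $v ($(ff_names "$v"))"

# Second answer: /etc/onefile set to 0, so FF adds nothing of its own.
v=$(ff_path_effective 64 1 0)
echo "/etc=1, /etc/onefile=0       -> $v ($(ff_names "$v"))"
```

Under the assumed rule, an untouched /etc/mtab ends up with read_only added from /etc (65), while a value of 9 or 0 replaces the whole attribute, clears add_inherited, and so stops the parent's flags from reaching the file. The model only computes which bits end up set; which requests each bit forbids, and how RSBAC combines the FF decision with RC or ACL on the same object, is outside it.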

