[rsbac] FF and inheritance

Amon Ott ao at rsbac.org
Fri Sep 3 22:31:04 CEST 2004


On Thursday, 9 September 2004 15:38 quoth Andrea Pasquinucci:
> I never used before the FF module and I am confused about inheritance.
> In various docs it says that it is easy to set /etc read_only and
> /etc/mtab read+write but ... as far as I understand if /etc is
> read_only and there are no flags on /etc/mtab, then /etc/mtab inherits
> the ones of /etc and is then read_only. The only way out, it seems to me,
> is to set the flag no_execute on /etc/mtab, with which everything will be
> allowed on /etc/mtab except for EXEC. Am I right?

Remove add_inherited on /etc/mtab, and the read_only will no longer be 
inherited from /etc.

> Related question, if I set /etc read_only with FF, can I use another
> model (RC, ACL) to declare /etc/onefile to be writable by user/process X ?

If one module denies access, it is denied. So no, you cannot grant write 
access with RC or ACL, if FF does not.

Amon.
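The two rules in the reply, flag inheritance through add_inherited and the "any module denies, the request is denied" combination, as a small Python model. This is an added illustration written for this page, not RSBAC kernel code: it models only the flags named in the thread (read_only, no_execute, add_inherited), treats add_inherited as set by default on objects without explicit flags, and uses constructed request names (READ, WRITE, EXECUTE) and constructed attribute stores for /etc and /etc/mtab.

```python
# Toy model of the FF (File Flags) inheritance rule and of the "one module
# denies -> denied" combination described in the reply above.  Added
# illustration for this page, not RSBAC code; paths, flag sets and request
# names are constructed for the example.

from typing import Dict, FrozenSet, Optional

Flags = FrozenSet[str]

# In this model an object without explicit flags has add_inherited set,
# so it picks up whatever applies to its parent directory.
FF_DEFAULT: Flags = frozenset({"add_inherited"})

# Which modelled flag denies which modelled request.  Only the flags and
# requests discussed in the thread are covered here.
FF_DENIES = {
    "read_only": {"WRITE"},
    "no_execute": {"EXECUTE"},
}


def parent_of(path: str) -> Optional[str]:
    """Return the parent directory of path, or None for the root."""
    if path == "/":
        return None
    head = path.rsplit("/", 1)[0]
    return head or "/"


def effective_ff_flags(store: Dict[str, Flags], path: str) -> Flags:
    """Flags in force on path after inheritance.

    The object's own flags always apply.  While add_inherited is set, the
    effective flags of the parent are added on top, recursively up to the
    root.  Clearing add_inherited cuts the chain at this object.
    """
    own = store.get(path, FF_DEFAULT)
    up = parent_of(path)
    if "add_inherited" not in own or up is None:
        return own
    return own | effective_ff_flags(store, up)


def ff_decide(store: Dict[str, Flags], path: str, request: str) -> str:
    """FF decision for one request on one object."""
    for flag in effective_ff_flags(store, path):
        if request in FF_DENIES.get(flag, ()):
            return "NOT_GRANTED"
    return "GRANTED"


def combine(decisions: Dict[str, str]) -> str:
    """Combine per-module decisions: a single NOT_GRANTED denies."""
    if any(d == "NOT_GRANTED" for d in decisions.values()):
        return "NOT_GRANTED"
    return "GRANTED"


# Constructed attribute stores for the situations in the thread.

# 1. /etc is read_only; /etc/mtab has nothing set explicitly, keeps the
#    default add_inherited and therefore inherits read_only from /etc.
STORE_INHERIT: Dict[str, Flags] = {
    "/etc": frozenset({"read_only", "add_inherited"}),
}

# 2. no_execute set on /etc/mtab with add_inherited left in place:
#    read_only is still inherited, so writes stay denied and EXEC is
#    denied as well.
STORE_NO_EXECUTE: Dict[str, Flags] = {
    "/etc": frozenset({"read_only", "add_inherited"}),
    "/etc/mtab": frozenset({"no_execute", "add_inherited"}),
}

# 3. The reply's answer: add_inherited removed from /etc/mtab.  Nothing
#    from /etc is added any more, while the rest of /etc stays read_only.
STORE_CUT: Dict[str, Flags] = {
    "/etc": frozenset({"read_only", "add_inherited"}),
    "/etc/mtab": frozenset(),
}


def write_to_mtab(store: Dict[str, Flags]) -> str:
    """Convenience wrapper: FF decision for WRITE on /etc/mtab."""
    return ff_decide(store, "/etc/mtab", "WRITE")


if __name__ == "__main__":
    for name, store in (("inherit", STORE_INHERIT),
                        ("no_execute", STORE_NO_EXECUTE),
                        ("cut", STORE_CUT)):
        print(name, "WRITE:", write_to_mtab(store),
              "EXECUTE:", ff_decide(store, "/etc/mtab", "EXECUTE"))
    # Second question: an RC grant on /etc/onefile cannot override FF.
    print("combined:", combine({
        "FF": ff_decide(STORE_INHERIT, "/etc/onefile", "WRITE"),
        "RC": "GRANTED"}))
```

Running the block shows WRITE on /etc/mtab denied in the first two stores and granted only in the third, and a combined NOT_GRANTED for /etc/onefile even though the modelled RC module grants. On a live system the equivalent change is made to the ff_flags attribute with the RSBAC attribute tools; the model only reproduces the decision logic, not the tool syntax.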

