[rsbac] FF: Some questions

Nico Manicone nico.manicone at gmx.de
Mon Sep 20 00:20:55 CEST 2004


Hello and thank you for your answer,

1.
>> 2. I have trouble understanding the usage of "search_only" and
>> "no_mount". The meaning is obvious, but in which scenarios should

> no_mount protects e.g. /etc from a mount, which would replace all
> config files with the attacker's files.

Is this a probable attack scenario? Why should an attacker not simply 
change one or more config files with an editor?

How would I use "no_mount"? Simply use it on "/"? If I use the flag on
"/", will it be enough for the complete file system or must I use
inheriting for the deeper directory nodes?

Due to the fact that RSBAC checks only inodes, I would assume that
inheriting is necessary.

2.
>> the results I found:

>> read_only      read, delete, execute possible
>> execute_only   only execute allowed
>> search_only    read, delete, execute possible
>> write_only     only write allowed

These results are from an Adamantix 1.04 system with a softmode kernel
and RSBAC 1.2.2.

> Certainly not, and I cannot reproduce it here. Can you provide more 
> info? Do you get a syslog entry?

My problem is that I can't reproduce them either. :-( If I simply switch
the softmode off with "echo debug_softmode_0 > /proc/rsbac-info/debug",
I get the normal behaviour.

The cited results occurred after I tried several different ways to switch
the softmode off. First I used the entry "global softmode" in rsbac_menu
to turn softmode on or off, but to no avail. After that I toggled the
softmode on a module basis, but this didn't help either. Finally I used
"echo debug_softmode_0". And then I got these results.

Regards,
Nico.

