[rsbac] Missing CAPs are not logged

Amon Ott ao at rsbac.org
Fri Jan 21 09:13:43 CET 2005

On Donnerstag 20 Januar 2005 20:01, Andrea Pasquinucci wrote:
> On Thu, Jan 20, 2005 at 09:27:37AM +0100, Amon Ott wrote:
> * On each setuid and execute, the CAP module sets the given minimum 
> * and removes those not in the maximum set. 
> Let me see if I understand correctly, the minimum capabilities are 
> if the process does not have them (but usually caps_min is all 0) 
> the maximum capabilities not in the set are removed if the process 
> them (but usually caps_max is all 1), right ?

Right. If have also made this more clear in the CAP module description 
at http://rsbac.org/documentation/models.php#cap

> * In softmode, the CAP module only enforces the minimum
> So it adds them even in softmode

Yes. In softmode you shall get the access you need, so you do get it.
> * but not the maximum values 
> so it does not remove them (correctly for softmode!), but my 
question is
> if in softmode it logs or not that it (rsbac) should have removed 
> capability and did not, does it? From what you say next it seems 
> can it be added in case?

This is a very good idea. I will add an explicit warning for these 
cases. Just put it into the v1.2.4 to-do list.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- nächster Teil --------------
Ein Dateianhang mit Bin?rdaten wurde geschreddert...
Dateiname   : nicht verf?gbar
Dateityp    : application/pgp-signature
Dateigr??e  : 189 bytes
Beschreibung: nicht verf?gbar
URL         : http://www.rsbac.org/pipermail/rsbac/attachments/20050121/1135c63e/attachment.bin

More information about the rsbac mailing list