[rsbac] RC type/role ASSIGN right for meta-roles

Rafal Bisingier ravbc at man.poznan.pl
Fri Jul 15 16:51:39 CEST 2005


On Thu, Jul 14, 2005 at 05:26:40PM +0200, Amon Ott wrote:
> On Thursday 14 July 2005 16:21, Amon Ott wrote:
> > On Thursday 14 July 2005 16:08, Rafal Bisingier wrote:
> > > I wanted to write that I found another bug in rsbac-admin tools, but
> > > remembering my last "problem" solution ;-) I'll just ask instead:
> > > Is there a way to grant a role which is not AdminType a MODIFY_ATTRIBUTE
> > > right to meta-roles used for default FD force/init roles
> > > (inherit_parent, inherit_user, inherit_process, mix_inherit, use_force)?
> > > To make it clear: I need a way to get some role a right needed to change
> > > 	rc_force_role (from: -1 = inherit_user, -2 = inherit_process,
> > > 		-3 = inherit_parent, -4 = inherit_user_on_chown_only)
> > > 	rc_initial_role (from: -3 = inherit_parent, -5 = use_force_role)
> > > to anything else.
> > > Currently I use a workaround: I've changed rc_force_role of parent dir
> > > to some role for which my role has MODIFY_ATTRIBUTE right.
> > 
> > Sorry, there is no way yet to allow this. Probably all we would need 
> > is a way to include these special roles into the list of 
> > assign_roles, which is a rather small change. I will think about it.
> 
> Actually, the only check was in rc_set_item. The attached patch 
> disables this check, so you can try with special roles in 
> assign_roles.

This one doesn't work. It still needs MODIFY_ATTRIBUTE for old/new (?)
rc_force_role to change it. (I'm not sure which one exactly, because the
log messages here are not clear: it says that I need this right for
the new role, but I thought for any other non-special role it needs
this right for the old role.)

BTW I found one more problem with RSBAC exclusive UM related to admin tools.
The home dir path of my users is quite long, but when I create a user it is
shortened to exactly 20 characters. This happens only when creating a user with
rsbac_useradd. When I later use rsbac_usermod to change the homedir to the
desired path, it is set correctly.

-- 
Rafal Bisingier