[rsbac] RC type/role ASSIGN right for meta-roles
Amon Ott
ao at rsbac.org
Sat Jul 16 09:17:15 CEST 2005
On Friday 15 July 2005 16:51, Rafal Bisingier wrote:
> On Thu, Jul 14, 2005 at 05:26:40PM +0200, Amon Ott wrote:
> > On Thursday 14 July 2005 16:21, Amon Ott wrote:
> > > On Thursday 14 July 2005 16:08, Rafal Bisingier wrote:
> > > > I wanted to write that I found another bug in rsbac-admin tools, but
> > > > remembering my last "problem" solution ;-) I'll just ask instead:
> > > > Is there a way to grant a role which is not AdminType a MODIFY_ATTRIBUTE
> > > > right to meta-roles used for default FD force/init roles
> > > > (inherit_parent, inherit_user, inherit_process, mix_inherit, use_force)?
> > > > To make it clear: I need a way to get some role a right needed to change
> > > > rc_force_role (from: -1 = inherit_user, -2 = inherit_process,
> > > > -3 = inherit_parent, -4 = inherit_user_on_chown_only)
> > > > rc_initial_role (from: -3 = inherit_parent, -5 = use_force_role)
> > > > to anything else.
> > > > Currently I use a workaround: I've changed rc_force_role of parent dir
> > > > to some role for which my role has MODIFY_ATTRIBUTE right.
> > >
> > > Sorry, there is no way yet to allow this. Probably all we would need
> > > is a way to include these special roles into the list of
> > > assign_roles, which is a rather small change. I will think about it.
> >
> > Actually, the only check was in rc_set_item. The attached patch
> > disables this check, so you can try with special roles in
> > assign_roles.
>
> This one doesn't work. It still needs MODIFY_ATTRIBUTE for old/new (?)
> rc_force_role to change it. (I'm not sure which one exactly, because
> the log messages are not clear here; it says that I need this right for
> the new role, but I thought for any other non-special role it needs
> this right for the old role.)
You need MODIFY_ATTRIBUTE to the type of the filesystem object. This
is to make sure that you do not assign the force or initial role to
any file or dir you like.
> BTW I found one more problem with RSBAC exclusive UM related to admin tools.
> Home dir path of my users is quite long, but when I create a user it is
> shortened to exactly 20 characters. This happens only on creating user with
> rsbac_useradd. When I then use rsbac_usermod to later change homedir to
> desired path it is set correctly.
Right, I saw and corrected this bug in 1.2.5-pre. Patch is attached,
1.2.4 svn has been updated.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsbac_useradd.c.diff
Type: text/x-diff
Size: 956 bytes
Desc: not available
URL: http://rsbac.dyndns.org/pipermail/rsbac/attachments/20050716/ae191d32/rsbac_useradd.c.bin