[rsbac] dynamic created devices
Amon Ott
ao at rsbac.org
Tue Mar 29 09:54:51 CEST 2005
On Sonntag 27 März 2005 11:26, murf wrote:
> I have an example of problematic part of configuration in
rsbac-1.2.4.
>
> Problematic part is defining RC restriction on dynamic created
> pseudo-terminals slaves under /dev/pts according Unix98 pty naming.
> (we get descriptors pairs after opening /dev/ptmx).
Agreed, this is a problem.
> Some subjects (daemons working with pseudo terminals e.g. sshd)
would like to
> READ_WRITE access to theese dynamic created devices (on target DEV
not FD).
> But they are created as 0 rc_type of target DEV.
Dynamic devices...
> Here it is. We cannot allow READ_WRITE to rc_type 0 of target DEV,
because its
> default type for all devices.
>
> There are theese possibilities come to my mind:
>
> 1) manage the subject (in following named s_cre), which theese
devices create to create
> it with special rc dev type. But Its not possible in rsbac (there is
only default rc fd type creation).
> If its possible there is also some other problems, like that s_cre
is in most probability
> run under root. So it would have to be default dev created type for
user root role.
> (e.g. udevd process in userland for 2.6.11 kernels)
We could introduce a def_dev_create_type for roles. The user root does
not matter, it is the current process role. I would have to look into
this to see how exactly the new devices get created - the special
file has no meaning in RSBAC, it is the type-major-minor combo.
> 2) change rc type of all devices to another type and next set policy
to default created type
> more benevolent. But Its not possible, because of dynamic created
devices
> (today by udevd in most cases).
No solution.
> 3) use another policy module like ACL. So one module allow mentioned
access (RC)
> and another dissallow (ACL). Its not elegant. Its only workaround
and its not usable for users
> who dont want to use another module just for theese states.
I cannot see how this is supposed to work better - ACL uses the same
identification as RC.
> 4) we can define access on directory for target DEV (devices
inherited this setting
> from the parent dir). Its is the most elegant, but its not
implemented in RSBAC.
> Feature request? Please comment this, if its possible.
As said above, device special files have no meaning for RSBAC, it is
the type-major-minor combo that counts. So there is no parent to use.
However, we could set default attribute values for a complete major
number. This should help a lot in this case. For RC I also like the
idea of def_dev_create_type, it also fits well into the model.
The to-do list contains an item "Let process choose RC type of new
item". We could use this and make the daemon choose, but I do not
like that idea.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- nächster Teil --------------
Ein Dateianhang mit Bin?rdaten wurde abgetrennt...
Dateiname : nicht verf?gbar
Dateityp : application/pgp-signature
Dateigr??e : 189 bytes
Beschreibung: nicht verf?gbar
URL : http://www.rsbac.org/pipermail/rsbac/attachments/20050329/ab14b37f/attachment.bin
More information about the rsbac
mailing list