[rsbac] weird question...

Andrea Pasquinucci cesare at ucci.it
Tue Sep 6 15:18:11 CEST 2005


I have various questions to ask in this and following messages. I start 
from the most difficult. I would like to have a directory where:

- one particular Role can create files and write in them
- once created and written the first time, the file cannot be modified
  by anyone
- the same Role is able to change the atime and mtime (and ctime) of all 
  files in this directory

A simple 'almost' solution is obvious, create the directory with 
APPEND_ONLY, but this misses the point. After the first 'close' I would 
like it not to be possible to modify or append to the file, i.e. immutable. 
And I cannot ask secoff to change the attribute of the file, since I am 
running in FREEZE mode.

I cannot use a write-only HW device, since I need to change the 
timestamps of the files after they have been written.

I have tried to play a little bit with direct IO and RSBAC, but it seems 
to me that there is no way out: the best I managed was to call open 
with O_WRONLY|O_CREAT|O_EXCL but of course this does a CREATE (ok with 
me) but then also a WRITE_OPEN which I cannot allow on the file 
generically, but only the first time.

Any suggestion? Or should I content myself with APPEND_ONLY and manage 
at user level if something is written to the files which should not 
have been?

Thanks, Andrea

--
Andrea Pasquinucci                     cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2
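The syscall sequence from the question (exclusive create, one write, then timestamp changes without a data open) together with the user-level size check that the APPEND_ONLY fallback would need, as an added example that is not code from the post or from RSBAC. It assumes a constructed path under /tmp; the "only the first time" enforcement is expected from the RSBAC policy, not from this code.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <utime.h>

/* The only data write the policy should ever permit: O_EXCL guarantees that
 * CREATE and WRITE_OPEN happen on a brand-new object, never on an existing
 * one. Returns the byte count recorded at close (to be kept outside the
 * file, e.g. in a log the same Role owns), or -1 on error. */
long write_once(const char *path, const char *data, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, data + done, len - done);
        if (n <= 0) { close(fd); return -1; }
        done += (size_t)n;
    }
    return close(fd) == 0 ? (long)done : -1;
}

/* Timestamp maintenance needs no data access: utime(2) sets atime/mtime
 * (and ctime as a side effect) without a WRITE_OPEN on the file. */
int retouch(const char *path, time_t when) {
    struct utimbuf t = { .actime = when, .modtime = when };
    return utime(path, &t);
}

/* User-level check for the APPEND_ONLY fallback: under APPEND_ONLY existing
 * bytes cannot change, so any growth past the size recorded at first close
 * is an unwanted append. Returns 1 if the file grew, 0 if intact, -1 on error. */
int appended_since(const char *path, long recorded_size) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return st.st_size > recorded_size ? 1 : 0;
}

int main(void) {
    const char *p = "/tmp/rsbac_once_demo.log";  /* constructed demo path */
    unlink(p);
    long size = write_once(p, "entry 1\n", 8);
    retouch(p, 1125998291);                      /* 2005-09-06, the post's date */
    printf("recorded %ld bytes, appended=%d\n", size, appended_since(p, size));
    return 0;
}
```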