[rsbac] rc-role

tazok tazok.id0 at gmail.com
Mon Aug 28 19:37:50 CEST 2006


2006/8/28, jens <jens at igraltist.dyndns.org>:
> hi,
> i did some tests: first i set an rc-type on all main directories and files.
> then after this i set up for all binaries in /bin /sbin /usr/bin
> and /usr/sbin an initial- and force-role.
> when my setup was finished i turned off softmode globally. then i logged in and can do
> with the root user, which has rc-role 2, everything like before.
> rc-role 2 has no create rights, and also no other rights for the rc-type
> on /var, but was able to do mkdir on it.
> i also can build a kernel and get no entry in the security log.
> before, when i had only used the rc-types, rc-role 2 could not go
> to /usr/src.
>
> igraltist
>
>
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
>
Well, probably the problem is with the rc_force_role or the rc_initial_role
attribute. I would need some more information: which force_role have you
granted to the binaries, and which initial_roles?
Probably the effective role would be the initial_role one and not the
root user's role. The transition would be as you can see here:

This is what would happen:
  Login prompt (rc_initial_role of login)
  If login succeeds, then the rc_force_role value is checked
  If rc_force_role == mixed_up option, then
    rc_role is changed to the user's role (root in this case, 2)
  If a binary is executed, then:
    its rc_initial_role is taken from the binary. Variants:
      Inherited from the parent: the role doesn't change, continue with role 2
      New initial role assigned: the role changes to this one (role 2 has no effect)
      In case of SETUID: the role changes to the rc_force_role of the
        binary, independent of the value of rc_initial_role.


This is a summary; it depends on what you have set in the rc_force_role
and rc_initial_role attributes of the login binary and of the binary you
launch. Post them and we can see it better.

