[rsbac] rc-role

jens jens at igraltist.dyndns.org
Tue Aug 29 02:26:52 CEST 2006


I cannot post it because I reinstalled the server.
I have a 40 gig hard drive and now I have 28 gig for the logfile.
Before I had only 1 gig.
I did not set it up by hand. I have a small program which reads the logfile
and then applies what it finds.
The first test showed me it can work. So I will do the next test and hope I am
better prepared. Then the program must also write to a file what is set up,
so that I can see later what was done.
This I can post then.
I think tomorrow evening maybe I have it ready.

On Monday, 28 August 2006 19:37, tazok wrote:
> 2006/8/28, jens <jens at igraltist.dyndns.org>:
> > hi,
> > I had done some tests, and it was to set an rc-type on all main directories
> > and files. Then after this I set up an initial- and force-role for all
> > binaries in /bin /sbin /usr/bin and /usr/sbin.
> > When my setup was finished I turned off softmode globally. Then I logged in
> > and could do everything like before with the root user, which has the rc-role 2.
> > The rc-role 2 has no create rights, and also no other rights for the
> > rc-type on /var, but was able to do mkdir on it.
> > I could also build a kernel and got no entry in the security log.
> > Before, when I had only used the rc-types, the rc-role 2 could not go
> > to /usr/src.
> >
> > igraltist
> >
> >
> >
> > _______________________________________________
> > rsbac mailing list
> > rsbac at rsbac.org
> > http://www.rsbac.org/mailman/listinfo/rsbac
>
> Well, the problem is probably with the rc_forced role or the initial_role
> one. I would need some more information. Which forced_role have you
> granted to the binaries, and which initial_roles?
> Probably the effective one would be the initial_role one and not the
> root user role. The transition would be as you can see here:
>
> This is what would happen:
> Login prompt (rc_initial role of login)
> If login succeeds then the rc_forced_role value is checked
> If rc_forced_role == mixed_up_option then
> rc_role changes to the user id role (root in this case, 2)
> If a binary is executed then:
> it gets rc_initial_role from the binary.
> Variants:
> - Inherited from parent user, then it doesn't change, continue with role 2
> - New initial role assigned, then change to this (role 2 has no effect)
> - In case of SETUID, change to the rc_forced role of the binary,
>   independent of the value of the rc_initial_role.
>
>
> This is a summary, depending on what you have in the sections rc_forced_role
> and the rc_initial_role in the login binaries and in the binary you
> launch. Post them and we could see it better.
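The transition sequence listed in tazok's quoted reply, as a small model (an added example, not part of the original thread and not RSBAC code). The `inherit` marker, the boot role 1, role 10 and the binary paths are constructed for illustration; `mixed_up_option` is the name used in the reply.

```python
from dataclasses import dataclass

# Model of the transitions listed in the quoted reply, not RSBAC code.
INHERIT = "inherit"            # assumed marker: keep the parent's role
MIXED_UP = "mixed_up_option"   # name as written in the reply
USER_ROLE = {0: 2}             # root has rc-role 2, as in the thread

@dataclass
class Binary:
    path: str
    rc_initial_role: object = INHERIT
    rc_forced_role: object = MIXED_UP

@dataclass
class Process:
    uid: int
    role: int
    binary: Binary

def execute(parent, binary):
    """exec: take the binary's rc_initial_role unless it is inherited."""
    inherited = binary.rc_initial_role == INHERIT
    role = parent.role if inherited else binary.rc_initial_role
    return Process(parent.uid, role, binary)

def setuid(proc, uid):
    """setuid: the running binary's rc_forced_role decides the new role."""
    forced = proc.binary.rc_forced_role
    role = USER_ROLE[uid] if forced == MIXED_UP else forced
    return Process(uid, role, proc.binary)

def trace(login, shell, command, uid=0, boot_role=1):
    """Roles after login, in the shell and in the command (boot_role is constructed)."""
    proc = setuid(execute(Process(0, boot_role, login), login), uid)
    roles = [("after login", proc.role)]
    for binary in (shell, command):
        proc = execute(proc, binary)
        roles.append((binary.path, proc.role))
    return roles

def binaries(initial=INHERIT, forced=MIXED_UP):
    """Constructed login, shell and command binaries sharing one setting."""
    paths = ("/bin/login", "/bin/bash", "/bin/mkdir")
    return [Binary(p, initial, forced) for p in paths]

if __name__ == "__main__":
    print("defaults:       ", trace(*binaries()))
    # Constructed role 10 set as initial and forced role on every binary.
    print("role 10 on /bin:", trace(*binaries(10, 10)))
```

In this model, once every binary carries its own initial and forced role, the command runs in that role and the rights of role 2 are never the ones checked.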

