[rsbac] preserving permissions on upgrade
ao at rsbac.org
Mon Jul 10 10:11:10 CEST 2006
On Montag 10 Juli 2006 09:42, Artem Gr wrote:
> I've heard, that RSBAC uses the inode number to bind, say, RC Role
> RC Type to a file.
> Is it so?
Yes, this is true. The inode number is the only reliable
identification of a file system object.
> Does it mean, that when upgrading, say, "syslogd", it's RC Role will
> lost and it will no longer be able to write RC-protected log files?
This is correct. Your update procedure must make sure that all
settings get reapplied correctly after updating.
> that when i've protected a single log file, like
> after rotating logs the new file will be left unprotected (unless
> log rotating software uses a copy+truncate semantics)?
It is correct that the new file gets default settings at creation
time. However, you can influence the types of new filesystem objects
with def_fd_create_type and def_fd_ind_create_type of your
Also, you can give /var/log a protected type, so that new files by
default are unaccessible or append-only.
The important point here is that RSBAC distinguishes several different
types of write access. E.g. you might be able to append to a file,
but not to truncate or read or write somewhere else. You might also
be able to rename files and create new ones, so that you can rotate
logs, but you still cannot read, modify or delete them.
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
More information about the rsbac