[rsbac] preserving permissions on upgrade

Amon Ott ao at rsbac.org
Mon Jul 10 10:11:10 CEST 2006


On Montag 10 Juli 2006 09:42, Artem Gr wrote:
> I've heard that RSBAC uses the inode number to bind, say, RC Role and
> RC Type to a file.
> Is it so?

Yes, this is true. The inode number is the only reliable 
identification of a file system object.

> Does it mean that when upgrading, say, "syslogd", its RC Role will be
> lost and it will no longer be able to write RC-protected log files?

This is correct. Your update procedure must make sure that all 
settings get reapplied correctly after updating.

> Or that when I've protected a single log file, like "/var/log/kern.log",
> after rotating logs the new file will be left unprotected (unless the
> log rotating software uses copy+truncate semantics)?

It is correct that the new file gets default settings at creation 
time. However, you can influence the types of new filesystem objects 
with def_fd_create_type and def_fd_ind_create_type of your 
logrotation role.

Also, you can give /var/log a protected type, so that new files by 
default are inaccessible or append-only.

The important point here is that RSBAC distinguishes several different 
types of write access. E.g. you might be able to append to a file, 
but not to truncate or read or write somewhere else. You might also 
be able to rename files and create new ones, so that you can rotate 
logs, but you still cannot read, modify or delete them.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
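The inode-binding consequences discussed in this message, shown with a runnable example. This is an added illustration, not code from the original post or from RSBAC itself: a toy attribute store keyed on (st_dev, st_ino) stands in for RSBAC's per-inode attribute storage, the type names "secure_log" and "general_fd" are assumptions, and the sample log line is constructed. It walks the three file-replacement patterns the thread mentions: rewriting a file in place (copy+truncate rotation), rotating by rename and creating a fresh file (default logrotate behaviour), and rename-over replacement (what a package upgrade typically does to a binary such as syslogd).

```python
"""Why an attribute bound to an inode survives in-place rewrites but not
file replacement. Added example; the store below is a stand-in for RSBAC's
per-inode attribute storage, not RSBAC's own implementation."""
import os
import tempfile

DEFAULT_TYPE = "general_fd"  # assumed name for the default FD type a new file gets


def inode_key(path):
    """The identity an inode-keyed store sees: (device, inode number)."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


class InodeKeyedTypes:
    """Toy attribute store keyed by inode, modelling the consequence of binding
    an RC type to the inode rather than to the path name."""

    def __init__(self):
        self._types = {}

    def set_type(self, path, rc_type):
        self._types[inode_key(path)] = rc_type

    def get_type(self, path):
        # An inode the store has never seen gets the default, as a new file would
        return self._types.get(inode_key(path), DEFAULT_TYPE)


def write_new(path, data):
    with open(path, "wb") as f:
        f.write(data)


def truncate_in_place(path, data):
    """copytruncate-style rotation or any in-place rewrite: the inode survives."""
    with open(path, "r+b") as f:
        f.truncate(0)
        f.write(data)


def rotate_by_rename(path, data):
    """Rename kern.log -> kern.log.1 and create a new kern.log (new inode)."""
    os.rename(path, path + ".1")
    write_new(path, data)


def replace_atomically(path, data):
    """Package-upgrade style: write a sibling file, then rename it over the old name."""
    tmp = path + ".new"
    write_new(tmp, data)
    os.replace(tmp, path)


def run_scenarios():
    """Apply the three patterns to a labelled file; report what type the store
    returns afterwards and whether the original inode is still behind the name."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "kern.log")
        # Constructed sample content; the text itself is irrelevant to the point
        write_new(log, b"Jul 10 10:11:10 host kernel: constructed sample line\n")
        store = InodeKeyedTypes()
        store.set_type(log, "secure_log")  # hypothetical protected RC type
        original = inode_key(log)

        truncate_in_place(log, b"rotated in place\n")
        results["after_truncate"] = store.get_type(log)
        results["truncate_keeps_inode"] = inode_key(log) == original

        rotate_by_rename(log, b"new log after rename rotation\n")
        results["after_rotate_new"] = store.get_type(log)        # fresh inode
        results["after_rotate_old"] = store.get_type(log + ".1")  # label followed the inode

        replace_atomically(log, b"file shipped by package upgrade\n")
        results["after_replace"] = store.get_type(log)
        results["replace_keeps_inode"] = inode_key(log) == original
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The rename cases are the ones that bite: the label stays with the old inode (so kern.log.1 is still "secure_log"), while the name the logger and the admin care about now points at an unlabelled inode. That is exactly why the reply recommends fixing the type of new files through the creating role's def_fd_create_type / def_fd_ind_create_type or through a protected type on the parent directory, rather than labelling individual log files by hand.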

