[rsbac] ROLE (System Boot) and MODIFY_ATTRIBUTE problems
sftf at yandex.ru
Wed Mar 8 14:37:52 CET 2006
Hi!
In an init script, mountfs, I've added commands to set up proc virtual filesystem access:
acl_grant ROLE 999999 RW FD /proc
acl_grant ROLE 10 RW FD /proc/kmsg
where 999999 == System Boot ROLE and 10 == ROLE for syslog-ng.
This script is executed with the System Boot ROLE.
Everything works as it was supposed to with this, but...
ROLE System Boot has no MODIFY_ATTRIBUTE on General_FD type!
And nevertheless this script changes RSBAC ACL attributes somehow...
Even a "clean" (with no rsbac.dat) system allows a System Boot role
to change these RSBAC attributes.
I think that without MODIFY_ATTRIBUTE, a role should not have the
ability to change any RSBAC attributes.
System:
linux 2.6.15.1, RSBAC 1.3.0pre1,
system has no ROLE with MODIFY_ATTRIBUTE except Role_Admin,
all files have General_FD type,
ACL FD :DEFAULT: for USER_0 (root) has no MODIFY_ATTRIBUTE,
ACL FD :DEFAULT: has no entry for ROLE_999999 (System Boot).
Active modules: UM,ACL,RC,CAP.
Thanks a lot!
--
Best regards,
sftf mailto:sftf at yandex.ru