[rsbac] secoff readonly DAC disabling

Andrea Pasquinucci cesare at ucci.it
Thu Sep 21 14:14:24 CEST 2006

I do not know if this is a good/secure idea, but in some cases it would 
be very useful to me.

What about having the possibility only for secoff (uid=400) to have 
readonly access to all the filesystem, overriding DAC access control? 
This could be a compilation or boot parameter. 

The (obvious) problem I face is that DAC control prevents secoff to 
reach some files, i.e. read the inode number, and so it is not possible 
to set the RSBAC rules. I imagine that the readonly capability of secoff 
could be limited to directories only, and without the listing (like only 
+x in DAC).

I know that I could get something similar using the RSBAC ACL, but I do 
not use it. Thanks,


PS. Let me know if ti can be done othwerwise.

Andrea Pasquinucci                     cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2

More information about the rsbac mailing list