[rsbac] secoff readonly DAC disabling
Andrea Pasquinucci
cesare at ucci.it
Thu Sep 21 14:14:24 CEST 2006
I do not know if this is a good/secure idea, but in some cases it would
be very useful to me.
What about having the possibility only for secoff (uid=400) to have
readonly access to all the filesystem, overriding DAC access control?
This could be a compilation or boot parameter.
The (obvious) problem I face is that DAC control prevents secoff from
reaching some files, i.e. read the inode number, and so it is not possible
to set the RSBAC rules. I imagine that the readonly capability of secoff
could be limited to directories only, and without the listing (like only
+x in DAC).
I know that I could get something similar using the RSBAC ACL, but I do
not use it.
Thanks,
Andrea
PS. Let me know if it can be done otherwise.
--
Andrea Pasquinucci cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F CCBB CB51 2983 6494 0DA2