[rsbac] Role transitions,

tazok tazok.id0 at gmail.com
Wed Apr 25 21:37:13 CEST 2007


Hi, and sorry for the duplicate.
I'm trying to do something like this:

user-->script_interpreter(perl).
If the type of the FD is not trusted_script then deny the READ_OPEN request
else
grant the READ_OPEN request
change to the user-role
make the action.

First I thought of assigning the perl binary (for example) an rc_initial
role "perl_role" and granting it the read_open privilege only on the
trusted_script type. This works ok; the problem is that after this
check I'm interested in making perl change to the role of the user that
executes the script, to avoid making perl a wrapper.

First I thought of this:
attr_set_file_dir FILE "/usr/bin/perl5.8.8" rc_initial_role 4
attr_set_file_dir FILE "/usr/bin/perl5.8.8" rc_force_role -1
attr_set_file_dir FILE "/usr/bin/python2.4" rc_initial_role 5
attr_set_file_dir FILE "/usr/bin/python2.4" rc_force_role -1

but as you can suppose this makes perl run in role 4, do the check and
launch the perl script with this role (and its privileges, not the
user's). The problem with this configuration is that the
rc_force_role does not apply if there is no change_owner or
execute call which could make it change (as far as I know).

I thought of the compatible role option, but as far as I understood it
should be used through a system call.

Do you know a way to do this kind of transition properly?

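The behaviour described in the post (the interpreter gets its rc_initial_role on exec, the READ_OPEN check is made against the script's FD type, and the process then stays in that role because no further execute or change_owner event occurs) can be modelled in a few lines. The following is an added toy reference monitor written for this thread, not RSBAC code and not its API; the role and type numbers (4 for the interpreter role, 1 for the user role, 10 for trusted_script) and the path "/usr/bin/perl" are constructed for the example.

```python
"""Toy model of the RSBAC RC decision described in the post.

Constructed example: roles, FD types and rights are plain Python values,
not RSBAC identifiers. It only reproduces the ordering problem the post
raises: the role transition on exec happens before the READ_OPEN check,
and nothing afterwards moves the process back to the user's role.
"""

READ_OPEN, EXECUTE = "READ_OPEN", "EXECUTE"

# Constructed ids mirroring the numbers used in the post.
PERL_ROLE = 4          # rc_initial_role of the interpreter binary
USER_ROLE = 1          # role of the user who launches the script
TRUSTED_SCRIPT = 10    # FD type of vetted scripts
GENERAL_FD = 0         # FD type of everything else

# Type compatibility: role -> {fd_type: rights granted on that type}.
# The interpreter role may only READ_OPEN files of type trusted_script.
TYPE_COMP_FD = {
    PERL_ROLE: {TRUSTED_SCRIPT: {READ_OPEN}},
    USER_ROLE: {GENERAL_FD: {READ_OPEN, EXECUTE},
                TRUSTED_SCRIPT: {READ_OPEN, EXECUTE}},
}

# Executable path -> initial role assigned on EXECUTE (constructed path).
# Binaries without an entry keep the caller's role.
INITIAL_ROLE = {"/usr/bin/perl": PERL_ROLE}


class Process:
    """Minimal subject: the role it currently runs under."""

    def __init__(self, role):
        self.role = role


def rc_decide(proc, fd_type, request):
    """Grant iff the process role is compatible with fd_type for request."""
    rights = TYPE_COMP_FD.get(proc.role, {}).get(fd_type, set())
    return request in rights


def execve(proc, path):
    """Role transition only happens on an EXECUTE event (or change_owner,
    which this model omits); reading a script later does not retrigger it."""
    proc.role = INITIAL_ROLE.get(path, proc.role)


def run_script(interpreter, script_type, user_role=USER_ROLE):
    """Simulate user -> interpreter -> READ_OPEN(script).

    Returns (open_granted, role_after_open). The second value shows the
    problem from the post: the process is still in the interpreter role
    when the script body starts running.
    """
    proc = Process(user_role)
    execve(proc, interpreter)                    # role becomes PERL_ROLE
    granted = rc_decide(proc, script_type, READ_OPEN)
    return granted, proc.role


if __name__ == "__main__":
    print(run_script("/usr/bin/perl", TRUSTED_SCRIPT))  # (True, 4)
    print(run_script("/usr/bin/perl", GENERAL_FD))      # (False, 4)
```

The model makes the poster's point concrete: the check on the script type works because the interpreter role is restricted to trusted_script, but the same role is what the script then runs under. Whatever mechanism does move the process to the user's role has to fire on an event that actually happens after the READ_OPEN, which in this model (and, per the post, in the RC configuration tried) there is none.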

