[rsbac] Documentation needed

Javier Martínez tazok.id0 at gmail.com
Thu Jul 19 18:45:25 CEST 2007

Hi all in the mailing list, I think that one of the most important
problems that rsbac project has is the great lack of documentation and
examples that it has.

I Think that if we don't do something about this rsbac, it will only
be used by people with a lot of time to spend. However this is not the
case of end users because writting one security policy is at first
really hard and second takes a lot of time of investigation that many
one's couldn't do. The investigation could be done for example with
the RC module with the rsbac_debug_adf_all and softmode on and then do
a "learning and manual mode" of the rights needed in a base system,
taking them when done in the needed/planned roles. This is a real and
long work and not everyone wants to do this.

Personally I think we should discuss what we would need to document
and how to do this, I have and Auth policy generated with the
AUTH_learning mode and auth_back_cap, a CAP bogus one and I'm doing
the RC one by the method I commented before, creating later the
required roles and types to the policy planned itself. However
security analisys would be needed after that.

The most important question is How should we document this and where I
should send my "researches"?
I'm open to help with my investigation and my time. I think we should
cover this questions (between others):
-Mail_server policies
-Web_server policies
-DNS_server policies
-Implementation of a Trusted Path Execution
-Control Untrusted Python Scripts and Perl Scripts between others
interpreted ones to make TPE really secure.
Please add other questions like those of above you think we shoud talk
about and document.
Thanks for all and I wait that we could arrive somewhere.

PD: I have just send this mail from other mail address not the one
registered here in rsbac, I don't know even if it will get delivered,
sorry for the mistake to all and for the mailadmin...

More information about the rsbac mailing list