[rsbac] About SCD T_swap.

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Mon Jan 12 18:00:12 CET 2009


One more thing: maybe checking this is useless, since I think it should
be granted to all, but if this is right, in the request list MAP_EXEC
should be removed to be an SCD request.

2009/1/12 Javier J. Martínez Cabezón <tazok.id0 at gmail.com>:
> PS: I'm looking at the 1.3.7 rsbac version...
>
> 2009/1/12 Javier J. Martínez Cabezón <tazok.id0 at gmail.com>:
>> In rc_main.c you have, for example, that all MAP_EXEC requests whose
>> target isn't FILE get a DON'T CARE answer. Am I right in thinking that
>> if you make a MAP_EXEC call to a TARGET NONE (which should go to SCD
>> other) it doesn't get checked at all?
>>
>> 2009/1/12 Amon Ott <ao at rsbac.org>:
>>> On Sunday 11 January 2009, Javier J. Martínez Cabezón wrote:
>>>> Hi all, while looking at some code of the 1.3.7 rsbac version
>>>> (swapfile.c): when you add a partition/file with swapon and swapoff,
>>>> it only checks that you own the capability CAP_SYS_ADMIN and whether
>>>> you have MODIFY_SYSTEM_DATA in SCD_swap and ADD_TO_KERNEL rights on
>>>> the file/device to add. ADD_TO_KERNEL (and REMOVE_TO_KERNEL) to
>>>> SCD_swap is ignored, isn't it? Am I wrong in thinking that the only
>>>> useful right in SCD type swap is MODIFY_SYSTEM_DATA? I think that
>>>> some other SCDs have the same, don't they?
>>>
>>> Most SCD targets only have checks for GET_STATUS_DATA (read) and
>>> MODIFY_SYSTEM_DATA (write settings). The special case is SCD other, which is
>>> used by some models (RC, ACL) to control access to NONE targets.
>>>
>>> Amon.
>>> --
>>> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22