[rsbac] CAP learning mode and RC learning mode

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Thu Oct 1 03:21:48 CEST 2009


It's complicated to do a standard policy; there are a lot of different
sysvinits.
To do what you want to do, have you thought of marking
/etc/init.d/whatever_script with an initial role? I think they get
executed, so it will inherit the role you put there, and you have the
advantage that if it gets "chowned" later (in a privilege dropping,
for example) it could change to the new role. You could forbid the
execution by restricting the execution of the implicated binary to
the launcher script alone. So, init executes the script
--service_role--script_execute_binary--if not_service_role -->
execution forbidden-->if_role_correct-->execution_of_binary_with_role_inheritance-->if_chown-->change_to_new_role

2009/9/30 Jens Kasten <igraltist en rsbac.org>:
> Nice feature.
> When this is in action, then the policy creation tool gets a high
> priority.
> For example, I try this: set a role on /sbin/init; now most things would run
> under this role and the boot role is only for starting.
> Then every service has to have a role, otherwise the program has to
> reject the start.
> Then a default policy setup should also exist to apply a tested setup.
>
> Greetings
> Jens
