[rsbac] CAP learning mode and RC learning mode

Amon Ott ao at rsbac.org
Tue Oct 6 08:49:13 CEST 2009


On Wednesday 30 September 2009 wrote Amon Ott:
> On Tuesday 29 September 2009 wrote Amon Ott:
> > On Tuesday 29 September 2009 wrote Javier J. Martínez Cabezón:
> > > Hi Amon, thanks for your answer and thanks for CAP learning mode. In
> > > RC learning mode users should take it just as a starting point after
> > > analyzing their system and setting the necessary roles and types, and we
> > > could advise it. RC learning mode will add necessary rights to the newly
> > > created role to the necessary types (it will save a lot of time spent
> > > reviewing logs looking for DENIED AEF answers). We could add advice to
> > > the user to be careful with the policies generated this way.
> >
> > Just had the idea that RC learning mode could be enabled per role, so you
> > will only mess up single roles. E.g. create a new role and let it learn
> > the rights to your existing types.
>
> Current svn now also contains a simple, global RC learning mode. Kernel
> parameter rsbac_rc_learn will set all missing rights of all existing roles
> to types.

All module learning modes can now optionally learn into a transaction, which 
is created with maximum lifetime when needed. If that transaction is not 
committed before it times out, everything stays unchanged.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

