[rsbac] CAP learning mode and RC learning mode

[Amon Ott]

On Tuesday 29 September 2009 wrote Amon Ott:
> On Tuesday 29 September 2009 wrote Javier J. Martínez Cabezón:
> > Hi amon, thanks for your answer and thanks for CAP learning mode, in
> > RC learning mode users should take it just as a starting point after
> > analize their system and setting the necessary roles and types and we
> > could advice it, RC learning mode will add necessary rights to the new
> > created role to the necessary types (it will save a lot of time of
> > review logs looking for DENIED AEF answers). We could add an advise to
> > the user to be careful with the policies generated at this way.
>
> Just had the idea that RC learning mode could be enabled per role, so you
> will only mess up single roles. E.g. create a new role and let it learn the
> rights to your existing types.

Current svn now also contains a simple, global RC learning mode. Kernel 
parameter rsbac_rc_learn will set all missing rights of all existing roles to 
types.

Of course, all learning modes are strictly optional, disabled in kernel config 
by default and turned off by default.

Learning mode per role is planned, but needs a new on-disk version of the role 
list, so there is no way back to a previous RSBAC version. This means that it 
probably goes into a new RSBAC 1.5 only. Alternatively, we could split the 
role list into two, adding some small overhead if learning is enabled and 
adding a set of extra functions to access the new list.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22