[rsbac] CAP learning mode and RC learning mode

Jens Kasten igraltist at rsbac.org
Wed Sep 30 12:31:08 CEST 2009


Nice feature.
When this is in action, the policy creation tool gets a high
priority.
For example, I try this: set a role on /sbin/init; now mostly it would run
under this role and bootrole is only for starting.
Then every service has to have a role, otherwise the program has to
reject the start.
Then a default policy setup should also exist to apply a tested setup.

Regards,
Jens

On Wednesday, 30.09.2009, 12:19 +0200, Michał Purzyński wrote:
> Definitely I can see the RC learning mode per role as a 1.5 feature.
> Maybe one of the best :)
> There's quite much to learn and to think about in the design process
> to make it both useful and secure.
> 
> Sent from my iPhone
> 
> On Sep 30, 2009, at 11:00 AM, Amon Ott <ao at rsbac.org> wrote:
> 
> > On Tuesday 29 September 2009, Amon Ott wrote:
> >> On Tuesday 29 September 2009, Javier J. Martínez Cabezón wrote:
> >>> Hi Amon, thanks for your answer and thanks for CAP learning mode. In
> >>> RC learning mode users should take it just as a starting point after
> >>> analyzing their system and setting the necessary roles and types, and
> >>> we could advise it. RC learning mode will add the necessary rights to
> >>> the newly created role to the necessary types (it will save a lot of
> >>> time reviewing logs looking for DENIED AEF answers). We could add
> >>> advice to the user to be careful with the policies generated in this
> >>> way.
> >>
> >> Just had the idea that RC learning mode could be enabled per role, so
> >> you will only mess up single roles. E.g. create a new role and let it
> >> learn the rights to your existing types.
> >
> > Current svn now also contains a simple, global RC learning mode. Kernel
> > parameter rsbac_rc_learn will set all missing rights of all existing
> > roles to types.
> >
> > Of course, all learning modes are strictly optional, disabled in kernel
> > config by default and turned off by default.
> >
> > Learning mode per role is planned, but needs a new on-disk version of
> > the role list, so there is no way back to a previous RSBAC version. This
> > means that it probably goes into a new RSBAC 1.5 only. Alternatively, we
> > could split the role list into two, adding some small overhead if
> > learning is enabled and adding a set of extra functions to access the
> > new list.
> >
> > Amon.
> > -- 
> > http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
> > _______________________________________________
> > rsbac mailing list
> > rsbac at rsbac.org
> > http://www.rsbac.org/mailman/listinfo/rsbac