[rsbac] New to RSBAC

Louis Bateman lbateman07 at gmail.com
Wed Feb 10 21:12:11 CET 2010


Hello all

I am interested in learning RSBAC, but I have some questions to help with my
understanding.

1. About the RC model.

I made two users, roletest and roletest2, and two corresponding roles with
matching names.
I then assigned each role to the corresponding user account, so the roletest
role is assigned to user roletest, for example.
I then made an FD type, roletest_FD.
I denied all access to roletest_FD by role roletest, and allowed full access
for role roletest2.

Now, this by itself worked quite well, but I wanted to test out the
transition functionality.


So, I made role roletest compatible with role roletest2, because I would
think that even though roletest did not have access, it was able to transition to
roletest2, which did have access. However, this did not work, and access was
denied for any objects assigned roletest_FD when role roletest attempts
access.

Have I misunderstood the RC model? Otherwise, how should I set things up to
do as I wish...differently than I have done?

Is this something to do with deny rules overriding allow rules?

However, even when not compatible, I can still access /bin/at as user
roletest - why?


Can you control under what instances roles can transition?

Why no ACL permissions for MAC categories or levels? Would this go against
the model?

My second question is: is it possible to control when and under what
circumstances roles can transition?

Lastly, I was also looking at the MAC model, and wonder why there is no ACL
component for MAC levels/categories like there is for the RC model...is this
impossible in theory, or just not desired in practice?

Thank you so much for any help, and for writing such excellent software!

LB
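Added illustration (not part of the post, and not RSBAC's own code): a simplified, constructed model of the RC decision logic the poster describes. It assumes that an access decision is taken on the process's current role and the object's FD type, that role compatibility only governs an explicit change-role request rather than granting the other role's rights, and that objects never assigned a type (such as /bin/at here) fall back to a default type named "general".

```python
from dataclasses import dataclass, field

# Constructed model of RSBAC RC semantics for the roletest / roletest2 setup.
# Assumption: rights are looked up by (current role, object's FD type);
# compatibility is consulted only when a process asks to change its role.

@dataclass
class Role:
    name: str
    fd_rights: dict                               # fd_type -> set of request names
    compatible: set = field(default_factory=set)  # roles this role may change to

class RcPolicy:
    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        self.fd_types = {}                        # path -> FD type name

    def set_fd_type(self, path, fd_type):
        self.fd_types[path] = fd_type

    def check_fd(self, role, path, request):
        """Decision for a file request: granted only if the CURRENT role
        holds the request on the object's type (default type assumed "general")."""
        fd_type = self.fd_types.get(path, "general")
        return request in self.roles[role].fd_rights.get(fd_type, set())

    def change_role(self, current, target):
        """Explicit change-role request: succeeds only for a compatible role.
        Returns the role the process ends up in."""
        if target in self.roles[current].compatible:
            return target
        return current                            # denied: role unchanged

def build_policy():
    """The poster's configuration: roletest denied on roletest_FD, roletest2
    allowed, roletest made compatible with roletest2."""
    roletest = Role("roletest", fd_rights={"general": {"READ", "EXECUTE"}})
    roletest2 = Role("roletest2", fd_rights={
        "general": {"READ", "EXECUTE"},
        "roletest_FD": {"READ", "WRITE", "EXECUTE"},
    })
    roletest.compatible.add("roletest2")
    policy = RcPolicy([roletest, roletest2])
    policy.set_fd_type("/home/shared/secret.txt", "roletest_FD")  # constructed path
    return policy
```

Run against this model, a process still in role roletest is denied on the roletest_FD object, is granted EXECUTE on /bin/at because that file keeps the default type, and only gains access after an explicit change to roletest2.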

