[rsbac] New to RSBAC

Amon Ott ao at rsbac.org
Fri Feb 12 08:50:02 CET 2010

On Wednesday 10 February 2010 wrote Louis Bateman:
> I made two users, roletest and roletest2, and two corresponding roles with
> matching names.
> I then assigned each role to the corresponding user account, so roletest
> role is assigned to user roletest for example
> I then made an FD type, roletest_FD
> I denied all access to roletest_FD by role roletest, and allowed full
> access for role roletest2
> Now, this by itself worked quite well, but I wanted to test out the
> transition functionality.
> So, I made roletest role compatible with role roletest2, because I would
> think even though roletest did not have access, it was able to transition
> to roletest2 which did have access. However, this did not work and access
> was denied for any objects assigned roletest_FD when roletest role attempts
> access.
> Have I misunderstood the RC model? Otherwise, how should I setup things to
> do as I wish...differently than I have done?

roletest has to explicitly change active role, e.g. with
rc_role_wrap number-of-role-roletest2 bash -l

> can you control under what instances roles can transition?

No, but you can require that the user reenters her password when changing.

> why no acl permissions for mac categories or levels? would this go against
> the model?

> Lastly, I was also looking at the MAC model, and wonder why there is no ACL
> component for MAC levels/categories like there is for RC model...is this
> impossible in theory, or just not desired in practice?

Each model is independent, if possible.

RC  with ACL is special: here ACL is considered as an extension for special 
cases, but I have never needed that in real life.

We could add ACLs to MAC settings, too, but no one has ever asked for that. It 
could even be treated as an extension. Still, it would require some work for 
development and much work for testing.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
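The behaviour Amon describes above (the access decision uses only the process's active role; role compatibility merely permits an explicit change such as rc_role_wrap), as an added Python model that is not RSBAC code. Role and type numbers, the right names and the password hook are assumptions for illustration.

```python
# Constructed model (not RSBAC code) of the RC decision the thread discusses:
# access is checked against a process's *active* role only; comp_roles merely
# allows an explicit role change, which is what rc_role_wrap performs.

# Role and type numbers are made-up values for this example.
ROLETEST, ROLETEST2, OTHER = 1, 2, 3
ROLETEST_FD = 10

# type_comp_fd: rights each role holds on each FD type (empty set = no access),
# mirroring the poster's setup: roletest denied, roletest2 full access.
TYPE_COMP_FD = {
    (ROLETEST, ROLETEST_FD): set(),
    (ROLETEST2, ROLETEST_FD): {"READ", "WRITE", "EXECUTE"},
}

# comp_roles: roles a given active role may switch to (roletest -> roletest2).
COMP_ROLES = {
    ROLETEST: {ROLETEST2},
    ROLETEST2: set(),
}

class Process:
    def __init__(self, role):
        self.role = role  # the current active role of the process

def check_access(proc, fd_type, right):
    """Decision uses only the active role; compatibility plays no part here."""
    return right in TYPE_COMP_FD.get((proc.role, fd_type), set())

def change_role(proc, new_role, password_ok=True):
    """Model of rc_role_wrap: allowed only if new_role is in comp_roles of the
    active role; password_ok models the optional re-authentication."""
    if new_role not in COMP_ROLES.get(proc.role, set()):
        return False
    if not password_ok:
        return False
    proc.role = new_role
    return True

def demo():
    """Replays the poster's scenario: denied, explicit switch, then allowed."""
    p = Process(ROLETEST)
    before = check_access(p, ROLETEST_FD, "READ")
    switched = change_role(p, ROLETEST2)
    after = check_access(p, ROLETEST_FD, "READ")
    return before, switched, after
```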
