[rsbac] New to RSBAC

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Fri Feb 12 09:34:42 CET 2010

2010/2/10 Louis Bateman <lbateman07 en gmail.com>:

> 1. About the RC model.
> I made two users, roletest and roletest2, and two corresponding roles with
> matching names.
> I then assigned each role to the corresponding user account, so roletest
> role is assigned to user roletest for example
> I then made an FD type, roletest_FD
> I denied all access to roletest_FD by role roletest, and allowed full access
> for role roletest2
> Now, this by itself worked quite well, but I wanted to test out the
> transition functionality.
> So, I made roletest role compatibile with role roletest2, because I would
> think even though roletest did not have access, it was able to transition to
> roletest2 which did have access. However, this did not work and access was
> denied for any objects assigned roletest_FD when roletest role attempts
> access.

You have only three ways to make role transitions, between compatible
roles through syscalls (as rc_role_wrap) and marking the binaries with
a initial role one (change after execution) o with a forced role setup
(inherited mixed) with change after CHANGE_OWNER

> however, even when not compatable, I can still access /bin/at as user
> roletest - why?
We need see every attributes implicated, as user attributes, /bin/at
ones, and privs related ones.

>Amon Ott wrote:
>Each model is independent, if possible.
> RC  with ACL is special: here ACL is considered as an extension for special
> cases, but I have never needed that in real life.
> We could add ACLs to MAC settings, too, but noone has ever asked for that. It
> could even be treated as an extension. Still, it would require some work for
> development and much work for testing.

Do you want mean in terms of ds-propery? Would could it be applied to
RC_types? For example GET_STATUS_DATA granted so READ operation,
checked and granded ss-property, checked *-property and as
GET_STATUS_DATA is granted to the rc_type to this rc_role the
ds-propery request is granted too. Do you want mean that?

More information about the rsbac mailing list