[rsbac] Decision Module in Userspace

Shaz shazalive at gmail.com
Sun Jun 5 17:48:33 CEST 2011

On Sun, Jun 5, 2011 at 8:31 PM, Shaz <shazalive at gmail.com> wrote:

> On Sun, Jun 5, 2011 at 8:12 PM, Jens Kasten <igraltist at rsbac.org> wrote:
>> Hi,
>> a point about your Django framework.
>> Why not use RSBAC to secure the web framework?
>> As far as I understand, I would not need an additional module in
>> userspace for daily use.
>> I would analyse which files and directories are directly affected, if
>> Django runs under its own user, and start to build RC roles and RC types.
>> Then a Nettemplate and other small things.
>> Now, why should I build RC roles first, so that a userspace program again
>> gets an RC role to obtain its limitation?
>> If I lifted the decision up to userspace, so that software can ask
>> whether the subject has the correct rights to the object, what would the
>> data be protected by? If the data must again be stored in the main place,
>> rsbac.dat in every mountpoint, then there is no reason to build more
>> software to lift the decision up to userspace.
> What if we are thinking inside Django, about the objects of Django, and not
> looking at Django from outside? Not the resources from the kernel/OS point
> of view. Another example would be the elements of Django inside the file
> and not just the file. Granularity with respect to Django.
> Thanks.

Subjects and objects at the kernel layer are definitely controlled by RSBAC.
Then we have the subjects and objects of applications that run on frameworks
like Django, Java and Python. Is it a good idea to use or extend RSBAC at the
application layer? Or do we simply stack the access control at both layers?

This seems easy with respect to DAC, but when we move to something like MAC
(the RC model) it gets confusing. The confusion is magnified further when
information flows, or objects are distributed, from one application context
through the kernel/system context to another application context. Some sort
of administration would be required to manage the cross-context attributes of
subjects and objects.

I hope this is making sense.


Shahbaz Khan
R&D Engineer,
Tactical Engineering and Consultancy.
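The stacking question raised above, as an added example that is not part of the thread and not RSBAC code: a minimal RC-style decision module in userspace. It borrows only the RC idea of a subject carrying a role, an object carrying a type, and a rights matrix keyed by (role, type, request). The application layer decides over Django-level objects (an article, an audit log), the assumed OS layer decides over the files that back them, and a request is granted only if both layers allow it. The class and function names (`RCDecider`, `stacked_decide`, the mapping helpers), the role and type names, and the file paths are all assumptions made for the illustration; they model the cross-context mapping the message says an administrator would have to maintain.

```python
"""
Added example, not from the rsbac thread and not RSBAC's own code.
A userspace RC-style decision module stacked on top of an assumed
OS-layer policy. All roles, types, names and paths are made up.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, FrozenSet, Optional, Set, Tuple


class Request(Enum):
    """Request types, in the spirit of RC request types (assumed subset)."""
    READ = auto()
    WRITE = auto()
    APPEND = auto()
    DELETE = auto()


@dataclass(frozen=True)
class Subject:
    name: str
    role: str                       # RC-style role of the subject


@dataclass(frozen=True)
class Obj:
    ident: str
    rc_type: str                    # RC-style type of the object
    backing_file: Optional[str] = None  # file that stores the object, if any


Rights = Dict[Tuple[str, str], Set[Request]]


class RCDecider:
    """One decision module: a (role, type) -> allowed-requests matrix."""

    def __init__(self, rights: Rights) -> None:
        self._rights = rights

    def decide(self, subject: Subject, obj: Obj, request: Request) -> bool:
        # Default deny: an unlisted (role, type) pair grants nothing.
        return request in self._rights.get((subject.role, obj.rc_type), set())


# Layer 1 (assumed): what the OS-level policy over files would say.
# In a real deployment RSBAC decides this in the kernel; here it is modelled.
OS_RIGHTS: Rights = {
    ("django_app", "django_data_file"): {Request.READ, Request.WRITE, Request.APPEND},
    ("backup", "django_data_file"): {Request.READ},
}

# Layer 2: application-level policy over Django model instances.
# Note the editor may DELETE an article here, which the OS layer never allows.
APP_RIGHTS: Rights = {
    ("editor", "article"): {Request.READ, Request.WRITE, Request.APPEND, Request.DELETE},
    ("reader", "article"): {Request.READ},
    ("editor", "audit_log"): {Request.APPEND},
}

os_decider = RCDecider(OS_RIGHTS)
app_decider = RCDecider(APP_RIGHTS)


# Cross-context attribute mapping (the "administration" the message asks for):
# which OS subject an application request runs as, and which OS type the
# file holding an application object has. Both mappings are assumptions.
def os_subject_for(app_subject: Subject) -> Subject:
    # Every request the Django process handles runs as one OS subject.
    return Subject("django", "django_app")


def os_object_for(app_obj: Obj) -> Obj:
    return Obj(app_obj.backing_file or "", "django_data_file", app_obj.backing_file)


def stacked_decide(app_subject: Subject, app_obj: Obj, request: Request) -> bool:
    """Grant only if the application layer AND the OS layer both allow."""
    if not app_decider.decide(app_subject, app_obj, request):
        return False
    if app_obj.backing_file is None:
        return True                  # object exists only in the app context
    return os_decider.decide(os_subject_for(app_subject),
                             os_object_for(app_obj), request)


def layer_verdicts(app_subject: Subject, app_obj: Obj, request: Request) -> Tuple[bool, bool]:
    """Return (app_allows, os_allows) so a disagreement is visible to an admin."""
    app_ok = app_decider.decide(app_subject, app_obj, request)
    os_ok = (app_obj.backing_file is None or
             os_decider.decide(os_subject_for(app_subject), os_object_for(app_obj), request))
    return app_ok, os_ok


if __name__ == "__main__":
    # Constructed sample subjects and objects.
    alice = Subject("alice", "editor")
    bob = Subject("bob", "reader")
    article = Obj("article:42", "article", "/var/lib/django/db.sqlite3")
    print(stacked_decide(alice, article, Request.WRITE))      # True
    print(layer_verdicts(alice, article, Request.DELETE))     # (True, False)
```

The `layer_verdicts` helper is the practical point: when the application policy grants something the OS policy denies (the editor's DELETE above), the two RC-style matrices disagree, and that disagreement is exactly what has to be reconciled by whoever administers the cross-context mapping.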

