[rsbac] RC learning mode, automatic role generations

Jens Kasten jens at kasten-edv.de
Mon Mar 7 17:37:20 CET 2011


Hi,

maybe that would be nice.
I don't know how much work it could be.

Usually I set up everything beforehand in Softmode without rc learning.
Then reboot the system in Softmode with rc learning and do a login and
then reboot the system again.
The reboot is then in Secmode and it almost works, except for a few things.

The rc learning would not guess the role compatibility and other special
cases in the right way. But the main work is done well, when done
carefully.

In particular, it would be nice to have a possibility to tell the rc
learning for which role and rc-type it should learn.
In addition, it would be nice if the rc learning would have to exclude the
default roles 0, 1, 2, e.g.
So that for a directory which is set to rc-type 3000, when a 'program'
enters this directory, it does not automatically apply all necessary rights.

Jens

On Monday, 07.03.2011, at 16:15 +0100, Javier Juan Martínez Cabezón wrote:
> Hi, would it be useful (and hard to implement) to make an rc_learning mode
> that creates its own roles and types?
> 
> I think that mostly every execution that follows a change of owner to a user
> (group) target (as happens with daemons that drop privileges) should
> always be isolated in its own role (one for the privileged role and another
> for the dropped one); maybe this could be one nice way to say to learning
> mode "here you have to create a role". About the types, it could be more
> tricky since a lot of roles can access the same types, but learning mode
> could create the types indicated for the ones that belong to the
> general_type ones (0), only granting privileges to the other "manually
> created" ones.
> 
> This way I think we could make a more reliable learning mode, and a bit
> more secure, since we make learning mode more of a "less privilege approach".
> 
> What do you think?
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
