[rsbac] RC learning mode, automatic role generations

Javier Juan Martínez Cabezón tazok.id0 at gmail.com
Mon Mar 7 18:02:02 CET 2011


2011/3/7 Jens Kasten <jens en kasten-edv.de>

> The RC learning would not guess the role compatibility and other special
> cases in the right way. But the main work is done well, when done
> carefully.
>
> In particular, it would be nice to have a possibility to tell the RC
> learning for which role and rc-type it should learn.



This is planned for implementation in rsbac version 1.5.

I think it could be safer to make learning mode automatically generate roles
and types for software in /sbin and /usr/sbin that uses IPC, as /sbin/init
could be, or daemons such as ssh. With this, for novice users that don't know
that it should be isolated, it could be at least a bit safer.

I'm not so sure about binaries that are under /usr/bin in particular (with
the Xorg exception), such as firefox, since I don't see with good eyes that
every user shares the same role in navigation, a role transition between
firefox_r and user_r being needed to avoid that root, for example, could
navigate through users' directories, and a simple jail, for example, being at
least a more proper solution than RC. In these cases a further restriction
could be needed (at least CAP_DAC_READ_SEARCH DAC_OVERRIDE revoked).

