[rsbac] Security bugfix for RSBAC for kernels 2.6.35 and later

Amon Ott ao at rsbac.org
Wed Nov 30 16:33:51 CET 2011

On Wednesday 30 November 2011 wrote Javier Juan Martínez Cabezón:
> Amon, in which case would this be a security problem?
> AFAIK, READ_OPEN calls are uneeded because they always require de READ one
> to access de contents of the file.
> So I have never found a case in which READ_OPEN should be granted and READ
> not.
> To me READ_OPEN is only userful to restrict scripts interpretation and
> nothing more.

READ is required to read the content of a dir, so it is quite often allowed on 
whole trees or RC types. If READ_OPEN is not denied, then you can read 
content of files, although you should only have access to the dir listing.

Additionally, intercepting READ and WRITE on files is optional, you can turn 
it off in RSBAC kernel config. The reason is that you need to open it 

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list