From: ao@morpork.shnet.org (A. Ott)
Subject: 1.0.9 progress
Date: 23 Jul 1999 08:55:00 +0200
Next Article (by Subject): Re: 1.0.9 progress ao@morpork.shnet.org (A. Ott)
Previous Article (by Subject): 1.0.9 is out there ao@morpork.shnet.org (A. Ott)
Next in Thread: Re: 1.0.9 progress ao@morpork.shnet.org (A. Ott)
Hi all!

Things are moving on fast again. In progress:

- RC model fairly changed (thanks to Simone):
  - Role-Type compatibility vectors have been replaced by matrices, the extra dimension being request type. In other words: you can now define role-to-type compatibilities separately for every request type, like process in role A may access object of type B with request type C. For A use any defined role, for B any defined object type and for C any RSBAC request type, e.g. READ_OPEN.
  - Forced roles for programs will extend beyond a CHANGE_OWNER on process (setuid), but of course not beyond a new EXECUTE.
  - Request groups R (read accesses), RW (read and write accesses), SY (system accesses, e.g. MOUNT) and SE (security accesses, e.g. SET_ATTRIBUTE) have been defined and can be used for compatibility settings. Sure, the addition of all groups results in a set of all requests.
  - Unfortunately there can be no automatic update for existing role definitions from 1.0.8, but type entries are kept.
  - If a process creates a new object (file/dir/ipc/process), it needs CREATE right for its rc_def_xxx_create_type (the type of the new object).
- New Access Control List (ACL) model:
  - Every object (file, dir, dev, ipc, scd, process) has an ACL.
  - ACL entries contain a subject ID and a bitvector of allowed requests. Additionally, special rights like 'access control' and 'forward own rights to others' will be included.
  - Subjects are grouped in user IDs, RC roles and ACL user groups. (The latter might not yet be in the 1.0.9 final release.)
  - A special entry 'everyone' can be used to address all users.
  - If there is no ACL entry for a subject at an object, the object's parent object is used (probably only for files and dirs).
  - The topmost parent of all objects is an object type specific default ACL, which can be changed as usual.
  - If there is no matching entry in the default ACL, a default rights vector for this object type is used. This vector might also be configurable, but will default to 0.

So you see, there is some interesting new stuff coming up. The RC changes are nearly finished, and as soon as RC works fine and ACL is in a buildable (though still dysfunctional) state again, you will see a new pre-version on the net.

Amon.

--
## CrossPoint v3.11 ##
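A small model of the two decision paths sketched in the mail, added here as an illustration and not RSBAC's own code: the RC role x type x request matrix with the R/RW/SY/SE groups, and the ACL lookup that walks to the parent object, then the type's default ACL, then the default rights vector. The group member lists, the tuple form of subject IDs and the rule that a process's several subject IDs have their rights united are assumptions of this model.

```python
from typing import Dict, List, Optional, Set, Tuple
Subject = Tuple[str, str]  # ("user", "1000"), ("role", "auditor"), ("everyone", "")

# Request groups named in the mail; the member lists are a constructed subset.
REQUEST_GROUPS: Dict[str, Set[str]] = {
    "R": {"READ_OPEN", "READ"},
    "RW": {"READ_OPEN", "READ", "WRITE_OPEN", "WRITE", "APPEND_OPEN"},
    "SY": {"MOUNT", "UMOUNT"},
    "SE": {"SET_ATTRIBUTE"},
}

def expand(rights: Set[str]) -> Set[str]:
    """Replace group names (R, RW, SY, SE) by their member requests."""
    out: Set[str] = set()
    for r in rights:
        out |= REQUEST_GROUPS.get(r, {r})
    return out

# RC: the role x type x request matrix, stored sparsely as (role, type) -> rights.
def rc_allowed(matrix: Dict[Tuple[str, str], Set[str]], role: str,
               obj_type: str, request: str) -> bool:
    return request in expand(matrix.get((role, obj_type), set()))

class Obj:
    """An object with its own ACL and (for files/dirs) a parent object."""
    def __init__(self, obj_type: str, parent: Optional["Obj"] = None,
                 acl: Optional[Dict[Subject, Set[str]]] = None) -> None:
        self.obj_type, self.parent, self.acl = obj_type, parent, acl or {}

def acl_rights(obj: Obj, subject: Subject, default_acl: Dict[str, Dict[Subject, Set[str]]],
               default_rights: Dict[str, Set[str]]) -> Set[str]:
    """Nearest entry up the parent chain, else type default ACL, else default vector."""
    node: Optional[Obj] = obj
    while node is not None:
        if subject in node.acl:
            return expand(node.acl[subject])
        node = node.parent
    type_acl = default_acl.get(obj.obj_type, {})
    if subject in type_acl:
        return expand(type_acl[subject])
    return expand(default_rights.get(obj.obj_type, set()))  # defaults to empty (0)

def acl_allowed(obj: Obj, subjects: List[Subject], request: str,
                default_acl: Dict[str, Dict[Subject, Set[str]]],
                default_rights: Dict[str, Set[str]]) -> bool:
    """Unite rights of all subject IDs a process carries plus 'everyone' (assumption)."""
    allowed: Set[str] = set()
    for s in subjects + [("everyone", "")]:
        allowed |= acl_rights(obj, s, default_acl, default_rights)
    return request in allowed
```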