Re: softmode vs. PM and RSBAC backup.


From: Stanislav Ievlev <inger@altlinux.ru>
Subject: Re: softmode vs. PM and RSBAC backup.
Date: Fri, 15 Jun 2001 18:54:56 +0400

Amon Ott wrote:

>On Wed, 13 Jun 2001 Stanislav Ievlev wrote:
>
>>1. Backup in RSBAC:
>>We must turn off all modules for the backup procedure now. But it is not
>>secure. What about a special role for backup (like in Windows NT)? This
>>role must be only for a special backup program, not for real users.
>>
>
>You should be able to backup everything with secoff running a MAC trusted setuid
>root script. As usual, it depends on the active modules. Which modules are
>active in your system?
>
AUTH, RC, ACL, FF

>
>>2. Soft mode:
>>I need more rights in soft_mode. RC is working in "hard" mode under "soft"
>>mode now. Most RC operations are permitted only for role_admin. I apply
>>a patch for it.
>>
>
>Your patch extending set rights to system_admin in soft mode has been included
>into my tree now.
>
Same problem with ACL (example patch attached).

I need additional rights in soft mode to make "Adjusting RSBAC
configuration" in ALT Linux Castle easier.

>
>
>Amon.
>-
>To unsubscribe from the rsbac list, send a mail to
>majordomo@rsbac.org with
>unsubscribe rsbac
>as single line in the body.
>
>.
>



Attachment: rsbac-aclsoftmode.patch

diff -Naur linux.orig/rsbac/adf/acl/acl_syscalls.c linux/rsbac/adf/acl/acl_syscalls.c
--- linux.orig/rsbac/adf/acl/acl_syscalls.c	Fri Apr 20 13:35:02 2001
+++ linux/rsbac/adf/acl/acl_syscalls.c	Fri Jun 15 18:17:44 2001
@@ -531,7 +531,11 @@
     if(rsbac_get_owner(&user))
       return -RSBAC_EREADFAILED;
     /* first try access control right (SUPERVISOR is included) */
-    if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL))
+    if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL)
+      #ifdef CONFIG_RSBAC_SOFTMODE
+      &&(!rsbac_softmode)
+      #endif
+      )
       {
         /* no access control -> try forward for these rights */
         if(!rsbac_acl_check_forward(target, tid, user, rights))
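
Review bot: with `&&(!rsbac_softmode)` added to the first condition, soft mode skips the block that tries `rsbac_acl_check_forward()` for every caller, so the bypass applies to any user lacking ACLR_ACCESS_CONTROL, not only to an administrator. The quoted discussion describes the RC change as extending rights to system_admin in soft mode; if the same scope is intended here, test the caller (the `user` filled in by `rsbac_get_owner()`) rather than the global flag alone. The `#ifdef` spliced into the middle of the `if` expression is also hard to read; computing the soft-mode condition into a local before the `if`, or a small helper that evaluates to 0 when CONFIG_RSBAC_SOFTMODE is unset, would keep the condition on one line. The hunk does not show where `rsbac_softmode` is declared for this file, so confirm the needed header is included.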
@@ -773,7 +777,11 @@
 #endif
 #if defined(CONFIG_RSBAC_ACL)
     /* first try access control right (SUPERVISOR is included) */
-    if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL))
+    if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL)
+      #ifdef CONFIG_RSBAC_SOFTMODE
+      &&(!rsbac_softmode)
+      #endif
+      )
       {
         char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN);
         char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
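
Review bot: in this second `if`, the block being bypassed allocates `rights_string` and `target_type_name`, which looks like the path that reports a failed ACLR_ACCESS_CONTROL check; with `&&(!rsbac_softmode)` in the condition that path is skipped entirely in soft mode, so nothing records that the request would have been refused in normal mode. Consider keeping the check and its reporting and overriding only the final result when `rsbac_softmode` is set. As in the first hunk, the bypass applies to any caller, and the identical #ifdef-inside-the-condition now appears twice, so a shared helper would avoid the duplication.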
