From: Stanislav Ievlev <inger@altlinux.ru>
Subject: Re: softmode vs. PM and RSBAC backup.
Date: Fri, 15 Jun 2001 18:54:56 +0400
Next Article (by Subject): Re: softmode vs. PM and RSBAC backup. Stanislav Ievlev
Previous Article (by Subject): Re: softmode vs. PM and RSBAC backup. Amon Ott
Top of Thread: softmode vs. PM and RSBAC backup. Stanislav Ievlev
Next in Thread: Re: softmode vs. PM and RSBAC backup. Stanislav Ievlev
Amon Ott wrote:

>On Wed, 13 Jun 2001 Stanislav Ievlev wrote:
>
>>1. Backup in RSBAC:
>>We must turn off all modules for backup procedure now. But it is not
>>secure. What about special role for backup (like in Windows NT). This
>>role must be only for special backup program, not for real users.
>>
>
>You should be able to backup everything with secoff running a MAC trusted setuid
>root script. As usual, it depends on the active modules. Which modules are
>active in your system?
>

AUTH, RC, ACL, FF

>>2. Soft mode:
>>I need more rights in soft_mode. RC working in "hard" mode under "soft"
>>mode now. Most RC operations permitted only for role_admin. I apply
>>patch for it.
>>
>
>Your patch extending set rights to system_admin in soft mode has been included
>into my tree now.
>

Same problem with ACL (example patch in attachment).

I need additional rights in soft mode to make "Adjusting RSBAC configuration" in ALT Linux Castle easier.

>Amon.

Attachment: rsbac-aclsoftmode.patch

diff -Naur linux.orig/rsbac/adf/acl/acl_syscalls.c linux/rsbac/adf/acl/acl_syscalls.c --- linux.orig/rsbac/adf/acl/acl_syscalls.c Fri Apr 20 13:35:02 2001 +++ linux/rsbac/adf/acl/acl_syscalls.c Fri Jun 15 18:17:44 2001
@@ -531,7 +531,11 @@ if(rsbac_get_owner(&user)) return -RSBAC_EREADFAILED; /* first try access control right (SUPERVISOR is included) */ - if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL)) + if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL) + #ifdef CONFIG_RSBAC_SOFTMODE + &&(!rsbac_softmode) + #endif + ) { /* no access control -> try forward for these rights */ if(!rsbac_acl_check_forward(target, tid, user, rights)) @@ -773,7 +777,11 @@ #endif #if defined(CONFIG_RSBAC_ACL) /* first try access control right (SUPERVISOR is included) */ - if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL)) + if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL) + #ifdef CONFIG_RSBAC_SOFTMODE + &&(!rsbac_softmode) + #endif + ) { char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN); char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); --------------020407060806040406030000-- - To unsubscribe from the rsbac list, send a mail to majordomo@rsbac.org with unsubscribe rsbac as single line in the body.
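Review bot: In the first hunk (@@ -531), the added `&&(!rsbac_softmode)` is not tied to any user or role, so with soft mode on every caller skips both the ACLR_ACCESS_CONTROL test and the rsbac_acl_check_forward fallback inside the braces. The RC change mentioned earlier in this thread extended rights to system_admin only; consider the same restriction here, using the `user` already fetched by rsbac_get_owner just above, and add a comment saying who is meant to gain the right in soft mode.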
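Review bot: In the second hunk (@@ -773), short-circuiting on rsbac_softmode skips the whole block that allocates rights_string and target_type_name, which by its variable names looks like the path that reports the refused request; if that is the case, soft mode would stop producing the record an administrator needs when adjusting ACLs. Consider entering the block as before and suppressing only the error return when rsbac_softmode is set. The `#ifdef CONFIG_RSBAC_SOFTMODE` inside the if condition is also repeated in both hunks; a small helper or macro that evaluates to 0 when soft mode is not configured would keep the two conditions readable and in sync.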