From: Stanislav Ievlev <inger@altlinux.ru>
Subject: Re: softmode vs. PM and RSBAC backup.
Date: Fri, 15 Jun 2001 18:54:56 +0400
Amon Ott wrote:
>On Wed, 13 Jun 2001 Stanislav Ievlev wrote:
>
>>1. Backup in RSBAC:
>>We must turn off all modules for the backup procedure now. But it is not
>>secure. What about a special role for backup (like in Windows NT)? This
>>role must be only for a special backup program, not for real users.
>>
>
>You should be able to backup everything with secoff running a MAC trusted setuid
>root script. As usual, it depends on the active modules. Which modules are
>active in your system?
>
AUTH, RC, ACL, FF
>
>
>
>>2. Soft mode:
>>I need more rights in soft_mode. RC is working in "hard" mode under "soft"
>>mode now. Most RC operations are permitted only for role_admin. I apply
>>a patch for it.
>>
>
>Your patch extending set rights to system_admin in soft mode has been included
>into my tree now.
>
Same problem with ACL (example patch attached).
I need additional rights in soft mode to make "Adjusting RSBAC
configuration" in ALT Linux Castle easier.
>
>
>Amon.
>-
>To unsubscribe from the rsbac list, send a mail to
>majordomo@rsbac.org with
>unsubscribe rsbac
>as single line in the body.
>
>.
>
Attachment: rsbac-aclsoftmode.patch
diff -Naur linux.orig/rsbac/adf/acl/acl_syscalls.c linux/rsbac/adf/acl/acl_syscalls.c
--- linux.orig/rsbac/adf/acl/acl_syscalls.c Fri Apr 20 13:35:02 2001
+++ linux/rsbac/adf/acl/acl_syscalls.c Fri Jun 15 18:17:44 2001
@@ -531,7 +531,11 @@
if(rsbac_get_owner(&user))
return -RSBAC_EREADFAILED;
/* first try access control right (SUPERVISOR is included) */
- if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL))
+ if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL)
+ #ifdef CONFIG_RSBAC_SOFTMODE
+ &&(!rsbac_softmode)
+ #endif
+ )
{
/* no access control -> try forward for these rights */
if(!rsbac_acl_check_forward(target, tid, user, rights))
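Review bot: The added `&&(!rsbac_softmode)` term keys the bypass on the global soft-mode flag alone, so with soft mode on the ACLR_ACCESS_CONTROL test passes for every caller and the rsbac_acl_check_forward fallback in the block below is never reached. The thread describes the accepted RC change as extending rights to system_admin in soft mode; if the same is intended for ACL, combine the flag with a check on `user` rather than skipping the block unconditionally. The `#ifdef CONFIG_RSBAC_SOFTMODE` in the middle of the `if` condition is also hard to read and easy to break when the condition is edited later; a small macro or inline helper that evaluates to 0 when soft mode is not configured would keep the condition on one line.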
@@ -773,7 +777,11 @@
#endif
#if defined(CONFIG_RSBAC_ACL)
/* first try access control right (SUPERVISOR is included) */
- if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL))
+ if(!rsbac_acl_check_right(target, tid, user, ACLR_ACCESS_CONTROL)
+ #ifdef CONFIG_RSBAC_SOFTMODE
+ &&(!rsbac_softmode)
+ #endif
+ )
{
char * rights_string = rsbac_kmalloc(RSBAC_MAXNAMELEN);
char * target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
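Review bot: The `#ifdef CONFIG_RSBAC_SOFTMODE` / `&&(!rsbac_softmode)` construct here is a verbatim copy of the one in the first hunk; put it in one macro or helper so the two call sites cannot drift apart. In this hunk the guarded block is the one that allocates rights_string and target_type_name, so in soft mode whatever that block does with those strings is skipped together with the denial. If that block is where the refused request gets reported, soft mode will neither enforce nor record it for ACL changes; consider keeping the reporting path and only suppressing the error return.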