From: Stanislav Ievlev <inger@altlinux.ru>
Subject: Re: RC. Dynamic Role Switching
Date: Mon, 18 Jun 2001 19:11:56 +0400

Amon Ott wrote:

>On Mon, 18 Jun 2001 Stanislav Ievlev wrote:
>
>>There is the following problem.
>>
>>Some processes need different permissions at different times, e.g. http
>>server apache needs different roles for different virtual hosts
>>Example:
>>a) "Role 1" --> (for www.test1.com) Full access to all files in
>>/var/www/test1/*, no access outside this dir.
>>b) "Role 2" --> (for www.test2.com) Full access to all files in
>>/var/www/test2/*, no access outside this dir.
>>
>>Unfortunately, kernel cannot understand process's wishes. Process will
>>have to ask kernel - change role itself.
>>
>>I propose changes in RC for this goal:
>>To add to rsbac_adf_request_rc() new checking for R_MODIFY_ATTRIBUTE.
>>New GRANTED: If (target==T_PROCESS) and (process change its own role)
>>and (this role is assigned) then GRANTED
>>
>
>This is a typical scenario for compatible roles:
>- Server starts with role 'httpd', which is compatible to roles 1 and 2
>- when acting for test1, server changes to role 1 (with
>sys_rsbac_rc_change_role)
>- when acting for test2, change to role 2
>- if roles 1 and 2 are compatible with 'httpd', server can switch back,
>otherwise it cannot and should exit here
>

Oops ... I've busked :)))

>
>Amon.

-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
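
The compatible-roles scenario from the quoted reply, as an added example that is not part of the original thread and is not RSBAC code: a small model showing that compatibility is directional, so a worker that enters role 1 can only go on to serve the second virtual host if role 1 is itself compatible with 'httpd'. All names here (`change_role`, `may_access`, `serve_both`, the two compatibility tables) are hypothetical, and the per-role directory check is a simplification of the access rules given in the post.

```c
/* Constructed model of the RC compatibility rule; not RSBAC source code. */
#include <stdbool.h>
#include <string.h>

enum role { ROLE_HTTPD, ROLE_VHOST1, ROLE_VHOST2, ROLE_COUNT };

/* compat[from][to]: a process in role 'from' may switch itself to 'to'. */
const bool compat_oneway[ROLE_COUNT][ROLE_COUNT] = {
    [ROLE_HTTPD] = { [ROLE_VHOST1] = true, [ROLE_VHOST2] = true },
};
const bool compat_return[ROLE_COUNT][ROLE_COUNT] = {
    [ROLE_HTTPD]  = { [ROLE_VHOST1] = true, [ROLE_VHOST2] = true },
    [ROLE_VHOST1] = { [ROLE_HTTPD] = true },
    [ROLE_VHOST2] = { [ROLE_HTTPD] = true },
};

/* Directory each role may use, as in the post; paths assumed canonical. */
const char *const role_root[ROLE_COUNT] = {
    NULL, "/var/www/test1/", "/var/www/test2/",
};

/* Hypothetical decision: a self-requested switch needs compatibility. */
bool change_role(const bool compat[ROLE_COUNT][ROLE_COUNT],
                 enum role *cur, enum role want)
{
    if (*cur != want && !compat[*cur][want])
        return false;               /* NOT_GRANTED: role stays unchanged */
    *cur = want;
    return true;
}

bool may_access(enum role r, const char *path)
{
    const char *root = role_root[r];
    return root != NULL && strncmp(path, root, strlen(root)) == 0;
}

/* Handle one request per virtual host; count requests served before the
   worker is stuck in a role it cannot leave and has to exit. */
int serve_both(const bool compat[ROLE_COUNT][ROLE_COUNT])
{
    enum role cur = ROLE_HTTPD;
    const enum role order[] = { ROLE_VHOST1, ROLE_VHOST2 };
    int served = 0;
    for (int i = 0; i < 2; i++) {
        if (!change_role(compat, &cur, ROLE_HTTPD)) break; /* switch back */
        if (!change_role(compat, &cur, order[i])) break;   /* enter vhost */
        served++;
    }
    return served;
}
```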