====== RSBAC FAQ ======

== Is there any support for permission revocation in RSBAC? ==

Permission revocation is sometimes considered part of every MAC system. We do not implement support for revocation, for a number of reasons. What we do instead of revocation is fine-grained access control: for example, a file stays open, but you can no longer read or write it. Implementing revocation would also be a very ugly thing and could harm data consistency.

== What about covert channels? ==

We are trying to deal with them as much as possible, even if there will always be some left to find. It is more work than a MAC system alone can do: it would require rewriting large parts of the operating system and, for better results, even preparing ready-to-use machines (a selected OS plus improvements on specific hardware). The problem is that covert channels are every possible path over which uncontrolled information might be passed. Although we control IPC and similar mechanisms, covert channels are hardly possible to avoid: think about limiting the transmission rate as a way to pass information, timing attacks...

== What will happen if the TTL for an AUTH capability times out in the middle of administration work? Will the user be disconnected? ==

No, if the TTL runs out after you have logged in, you won't be disconnected. The login application (be it /sbin/login or sshd) will just no longer be allowed to setuid(gid) to the subject uid, so that user won't be able to log in.

== What will happen if an RC (or ACL) compatibility right times out? ==

Access will be denied immediately; what happens next depends on which right is being denied. Say a READ right times out on a FILE target: one won't be able to read from the file any more. See also the question about permission revocation.

== When using the "rsbac_menu" command I get an error: "dialog: command not found" ==

Make sure you have the dialog package installed from your distribution. See http://hightek.org/dialog/

== My "Help" button does not work in rsbac menu based commands ==

The dialog tool is known to have broken its original support for this feature. A version that supports this feature is available here: http://download.rsbac.org/dialog/

== When using RSBAC commands I get: librsbac.so.xxx: cannot open shared object file: No such file or directory ==

Make sure the RSBAC libs are installed. If you installed manually, they are probably in /usr/local/lib. On some Linux distributions, this path is not in the default settings. Edit "/etc/ld.so.conf" and add a line "/usr/local/lib", then save and run the "ldconfig" command.

== Do you provide RSBAC + Xen/Vserver patches? ==

Look at [[:team:michal:virtualization|RSBAC + Virtualization systems]]