RSBAC FAQ

Is there any support for permissions revocation in RSBAC?

Permission revocation is sometimes considered part of every MAC system. We do not implement revocation, for a number of reasons. What we do instead is fine-grained access control at the time of each access: for example, a file stays open, but you can no longer read from or write to it. Implementing true revocation would also be a very ugly thing and could harm data consistency.

What about covert channels?

We try to deal with them as much as possible, even though it will always be possible to find some. It is more work than a MAC system alone: it would require rewriting large parts of the operating system and, for better results, even preparing ready-to-use machines (a selected OS plus improvements on specific hardware). The problem is that covert channels are every possible path along which uncontrolled information might be passed. Although we control IPC and similar mechanisms, covert channels are hardly possible to avoid entirely; think of modulating a transmission rate as a way to pass information, timing attacks, and so on.

What happens if the TTL for an AUTH capability times out in the middle of administration work? Will the user be disconnected?

No. Once you are logged in and the TTL expires, you will not be disconnected. The login application (be it /sbin/login or sshd) simply will no longer be allowed to setuid (or setgid) to that uid, so that user will not be able to log in again.

What happens if an RC (or ACL) compatibility right times out?

Access is denied immediately; what happens next depends on which right is being denied. Say a READ right times out on a FILE target: one will no longer be able to read from that file, even if it is already open. See also the question about permission revocation.

When using the "rsbac_menu" command I get an error: "dialog: command not found"

Make sure you have the dialog package installed from your distribution.

See http://hightek.org/dialog/

My "Help" button does not work in rsbac menu based commands

The upstream dialog tool is known to have broken the support this feature relies on. You can get a version that supports it here:

http://download.rsbac.org/dialog/

When using RSBAC commands I get: librsbac.so.xxx: cannot open shared object file: No such file or directory

Make sure the RSBAC libraries are installed. If you installed them manually, they are probably in /usr/local/lib.

On some Linux distributions this path is not in the dynamic loader's default search path. Edit “/etc/ld.so.conf” and add a line “/usr/local/lib”, then save and run the “ldconfig” command.
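The fix above as a small idempotent script, added here as an example and not part of the RSBAC FAQ or the RSBAC tools. The function names, the `--apply` switch and the temporary-file usage are this example's own; it takes the config file and directory as parameters so the same logic can be checked against a scratch file before it is run as root against /etc/ld.so.conf.

```shell
#!/bin/sh
# Added example (not RSBAC project code): make sure a library directory is
# listed in an ld.so.conf-style file exactly once, then refresh the loader
# cache. Parameterised so it can be tried on a scratch file first.

# ensure_ld_path CONF_FILE DIR
# Appends DIR to CONF_FILE unless an identical line is already present.
# Returns 1 without touching the file if DIR is not an absolute path.
ensure_ld_path() {
    conf="$1"   # e.g. /etc/ld.so.conf
    dir="$2"    # e.g. /usr/local/lib

    # Only absolute paths belong in the loader search path; a relative entry
    # would resolve against whatever the current directory happens to be.
    case "$dir" in
        /*) ;;
        *)  echo "ensure_ld_path: refusing non-absolute path: $dir" >&2
            return 1 ;;
    esac

    # Create the file if it does not exist yet.
    [ -f "$conf" ] || : > "$conf"

    # Exact whole-line match (-x) with a fixed string (-F), so /usr/local/lib
    # is not mistaken for /usr/local/lib64 or vice versa.
    if grep -qxF -- "$dir" "$conf"; then
        return 0
    fi
    printf '%s\n' "$dir" >> "$conf"
}

# refresh_ld_cache
# Rebuilds the dynamic loader cache. ldconfig needs root to write the
# cache, so only attempt it when running as uid 0; otherwise say what to do.
refresh_ld_cache() {
    if [ "$(id -u)" -eq 0 ]; then
        ldconfig
    else
        echo "run 'ldconfig' as root to refresh the loader cache" >&2
        return 1
    fi
}

# Usage: ./fix_librsbac_path.sh --apply
# The switch guards the real change so that sourcing this file for testing
# does not edit /etc/ld.so.conf.
if [ "${1:-}" = "--apply" ]; then
    ensure_ld_path /etc/ld.so.conf /usr/local/lib
    refresh_ld_cache
fi
```

Running the script twice leaves a single /usr/local/lib line, so it is safe to put in a provisioning step; after `ldconfig`, `ldconfig -p | grep librsbac` should list the library.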

Do you provide RSBAC + Xen/Vserver patches?

See the "RSBAC + Virtualization systems" page.