[rsbac] RC learning mode, automatic role generations

Javier Juan Martínez Cabezón tazok.id0 at gmail.com
Mon Mar 7 16:21:37 CET 2011


PS: for software that doesn't need to change owner, I think that we could
tell rc_learning mode to create roles on binaries that need to make use of
IPCs (so this could be a way to tell rc_learning mode "cut here"), don't
you think?



On 7 March 2011 16:15, Javier Juan Martínez Cabezón <tazok.id0 at gmail.com> wrote:

>
> Hi, would it be useful (and hard to implement) to make an rc_learning mode
> that creates its own roles and types?
>
> I think that almost every execution that follows a change owner to a
> user (group) target (as happens with daemons that drop privileges) should
> always be isolated in its own role (one for the privileged role and another
> for the dropped one); maybe this could be a nice way to tell learning mode
> "here you have to create a role". About the types, it could be trickier,
> since a lot of roles can access the same types, but learning mode could
> create the types indicated for these ones that belong to the general_type
> ones (0) and only grant privileges to the other "manually created" ones.
>
> This way I think we could make a more reliable learning mode, and a bit
> more secure, since we make learning mode more of a "less privilege approach".
>
> What do you think?
>
>
>

