Automatic role?

Post by Enchant » Wed Mar 05, 2008 4:13 pm

Hi.

Is it possible to have a subject executed automatically under a given role?

For example, in pseudocode:
Code:
role daemon # define a role with default settings
subject / {
/ r
/tmp rwcdm
/var/log rwcdm
/var/run rwcdm
}

#..................

_USE_ROLE_ daemon # run sshd under role daemon with the role's settings
subject /usr/sbin/sshd {
# any settings
}


Is it possible to do that? Or how can I do something similar?

PS: Sorry for my English :D
Enchant
 

Re: Automatic role?

Post by spender » Wed Mar 12, 2008 6:34 pm

It is somewhat possible (requires userland support) if you use a no-authentication special role. You'll need to create some script or modify the binary so that it transitions to the special role. Purely from a policy change though, making a subject run under an arbitrary role isn't possible.

-Brad
spender
 

