Next: Forced Roles
Up: Program Based Roles with
Previous: Program Based Roles with
If an initial role has been assigned to a program file, it is set as the current role of every process that executes this program. However, the role can still be changed at any time by all implicit or explicit mechanisms mentioned above, e.g. by changing the process owner.
Initial roles are typically used for login programs, which need special privileges for authentication but have to switch to the new owner's default role afterwards.
Two special initial role values affect implicit role transitions:
- role_inherit_parent (default value): get the initial role setting from the filesystem parent object. If there is no parent object, use the root directory default value role_use_forced_role. This default allows an initial role to be set for whole directory trees.
- role_use_forced_role (root directory default value): only use the forced role setting.
As usual, the inheritance implies the notion of effective values:
- initialrole(f:file):role := initial role value of file f at time t
- effinitialrole(f:file):role := effective initial role of file f at time n, including inheritance from parent filesystem objects
The effective initial role is derived as follows:
(17)
Initial roles for program files change the implicit role transition on execution from rule 4 as follows:
(18)
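As an added example that is not part of the RSBAC documentation, the following Python model resolves effinitialrole by walking the parent chain with the two special values above, then applies the execution transition: a concrete effective initial role becomes the new role, while role_use_forced_role defers to the forced-role lookup of rule 4, supplied here as a caller-provided hook since that mechanism is defined elsewhere. The filesystem table and the role name login_role are constructed for illustration.

```python
from typing import Callable, Dict, Optional

# Special initial-role values from the RC model (names as on the page).
ROLE_INHERIT_PARENT = "role_inherit_parent"    # default for non-root objects
ROLE_USE_FORCED_ROLE = "role_use_forced_role"  # root directory default

# Constructed sample filesystem: path -> explicitly assigned initial role.
# Objects absent from the table carry the default role_inherit_parent,
# except the root directory, whose default is role_use_forced_role.
INITIAL_ROLE: Dict[str, str] = {
    "/": ROLE_USE_FORCED_ROLE,
    "/sbin": "login_role",              # hypothetical role set on a whole tree
    "/sbin/login": ROLE_INHERIT_PARENT,  # inherits login_role from /sbin
    "/usr/bin/sh": ROLE_INHERIT_PARENT,  # no ancestor sets a role
}


def parent(path: str) -> Optional[str]:
    """Filesystem parent object; None for the root directory."""
    if path == "/":
        return None
    head = path.rsplit("/", 1)[0]
    return head or "/"


def initialrole(f: str) -> str:
    """initialrole(f): the value stored on the object itself."""
    default = ROLE_USE_FORCED_ROLE if f == "/" else ROLE_INHERIT_PARENT
    return INITIAL_ROLE.get(f, default)


def effinitialrole(f: str) -> str:
    """effinitialrole(f): follow role_inherit_parent up the parent chain."""
    cur = f
    while initialrole(cur) == ROLE_INHERIT_PARENT:
        up = parent(cur)
        if up is None:                 # no parent object: root dir default
            return ROLE_USE_FORCED_ROLE
        cur = up
    return initialrole(cur)


def role_after_execute(f: str, forced_role: Callable[[str], str]) -> str:
    """New current role of a process executing f (initial roles before rule 4).

    forced_role is an assumed hook standing in for the forced-role lookup."""
    eff = effinitialrole(f)
    if eff == ROLE_USE_FORCED_ROLE:
        return forced_role(f)          # only the forced role setting applies
    return eff                         # an assigned initial role wins
```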
Amon Ott