Next: Role Compatibility
Up: Roles and Types
Previous: Roles
Every object has an RC type. Hierarchically organized objects of the RSBAC target
types FILE, DIR, FIFO and SYMLINK can have the special type value
inherit parent, in which case the parent object's type is used.
If there is no parent, the default value 0 is applied.
Whenever values may be inherited, the term effective value denotes the
final value that results after inheritance has been resolved. Inheritance greatly reduces the number of attribute
values to be stored and follows the usual way of grouping objects in
hierarchies.
- type(o:object):type := type of object o at time n
- efftype(f:filesystem object):type := effective type of filesystem object f at time n, including inheritance
The effective type is derived as follows:
(5)
When a new filesystem object is created, its type is set to the value of the
role attribute Default fd create type of the current role of the
creating process, which can also be the special value inherit parent
mentioned above.
(6)
When a new process object is created, its type is set depending on the value
of the role attribute Default process create type of the current
role of the creating process. The special and default value inherit parent sets
the type value to that of the creating process.
Be
(7)
(8)
On execution of a new program file, the process type is set according to the
value of the role attribute Default process execute type of the
current role of the process. The special and default value inherit parent
leaves the process type unchanged.
Be
(9)
(10)
Changing the owner of a process leads to the process type being set to the
value of the role attribute Default process chown type of the
current role of the process. The special and default value inherit
parent leaves the process type unchanged.
The other valid special value use new role def create uses the value of the role attribute Default process create type of the new current role of the process (see Roles).
Be
Finally, the types of newly created IPC objects can be influenced by the
value of the role attribute Default ipc create type of the
current role of the process.
(14)
The types of all newly created network objects are derived from their
templates and cannot be preset through role attributes.
Default type values provide a mandatory way to keep new objects suitable for
the roles that created them, while completely avoiding discretionary
elements for type selection and the necessity of making applications aware of
the access control model.
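As an added worked example (not RSBAC's own code), the following Python model implements the rules described above: effective-type lookup through inherit parent with the root default 0, and the role-attribute defaults applied on filesystem object creation, process creation, program execution and process ownership change. The class and attribute names are this example's own; the choice that use new role def create falls back to the process's current type when the new role's create default is itself inherit parent is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Special type values from the RC model (names chosen for this example).
INHERIT_PARENT = "inherit_parent"
USE_NEW_ROLE_DEF_CREATE = "use_new_role_def_create"
ROOT_DEFAULT_TYPE = 0  # applied when inherit_parent reaches an object without parent

@dataclass
class FsObject:
    """Hierarchical object (FILE, DIR, FIFO, SYMLINK); rc_type is an int or INHERIT_PARENT."""
    name: str
    rc_type: object
    parent: Optional["FsObject"] = None

def efftype(f: FsObject) -> int:
    """Effective type: follow inherit_parent up the hierarchy, 0 if no parent remains."""
    while f.rc_type == INHERIT_PARENT:
        if f.parent is None:
            return ROOT_DEFAULT_TYPE
        f = f.parent
    return f.rc_type

@dataclass
class Role:
    """Role attributes that preset the type of newly created or changed objects."""
    default_fd_create_type: object = INHERIT_PARENT
    default_process_create_type: object = INHERIT_PARENT
    default_process_execute_type: object = INHERIT_PARENT
    default_process_chown_type: object = INHERIT_PARENT

def create_fd(parent: FsObject, name: str, role: Role) -> FsObject:
    """New filesystem object: type := creating role's fd create default (may be inherit_parent)."""
    return FsObject(name, role.default_fd_create_type, parent)

def create_process_type(creator_type: int, role: Role) -> int:
    """New process: inherit_parent copies the creating process's type."""
    t = role.default_process_create_type
    return creator_type if t == INHERIT_PARENT else t

def execute_type(proc_type: int, role: Role) -> int:
    """Program execution: inherit_parent leaves the process type unchanged."""
    t = role.default_process_execute_type
    return proc_type if t == INHERIT_PARENT else t

def chown_type(proc_type: int, role: Role, new_role: Role) -> int:
    """Process chown: role is the current role whose chown default applies, new_role the role after chown."""
    t = role.default_process_chown_type
    if t == INHERIT_PARENT:
        return proc_type
    if t == USE_NEW_ROLE_DEF_CREATE:  # assumption: inherit_parent here keeps the current type
        return create_process_type(proc_type, new_role)
    return t
```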
Amon Ott