Re: temporal role base access control in Linux

["cto@itechfrontiers.com" <cto@itechfrontiers.com>]

Hi Cliffe,

Not at all, Just sharing point of views, anyway I learn everyday,

I think better not to go off topic and explain a little bit more:

TRBAC  =  Temporal Role-Based Access Control
TRBAC = Time constraint/periodic roles/events (Activate-deactivate) + 
their triggers + RBAC


I wrote it can be SIMULATED using pure SELinux, becasue:

if the triggers do not need to be atomic role entries, in example it 
does not need to be an inline IPS/IDS changing roles in fraction of 
minute/second;

but the event triggers are longer to deal with, in example changing 
personnel shifts (longer time frame),

Then a simple SIMULATION with SELinux would be:

1) Create/generate different policies and their dependencies for 
different events, (The program even can try to generate these on the fly)
2) create a task scheduler or event handler or hierarchical scheduler
3) load/replace generated policies using above task scheduler/event 
handler/hierarchical scheduler based on triggers and events

* Virtually Much like and administrative job automation

* This event handler needs to have higher privileges for loading 
policies (MAC wise)

* This can be done without applying modification to SELinux

* All above can also be done using LSM APIs/SELinux Hooks/APIs as I 
posted their links on my first reply before too (much more complicated 
of course)


NOTICE: In real life scenarios, SELinux itself is complicated enough in 
practice to generate policies that as you all know it is used for 
targeted processes, not everything, so the concept of applying this to 
targeted processes in practice is inherited by TRBAC on top of SELinux

One may want to develop genuine TRBAC, then stick to LSM (Linux Security 
Module) as a standard security interface with Linux kernel.


Best Regards,

Patrick K.


On 11/7/2010 11:50 AM, Cliffe wrote:
> Hi Patrick,
>
> No worries. Yes, I am not a lawyer. It is obviously entirely your
> prerogative, and I am not criticising the help you provided. To be
> honest, I just found it strange that you would choose to point out what
> country they were from and who SELinux was developed by, as if that made
> them less entitled to help with an open source project. Sorry if you
> feel I overreacted.
>
> I don't have anything to add to your implementation suggestions, thanks
> for sharing.
>
> Cliffe.
>
> On 8/11/2010 12:31 AM, cto@itechfrontiers.com wrote:
>> Hello Cliffe,
>>
>> I Believe, I provided enough information to be able to achieve what
>> has been asked here.
>>
>> Anyway I'm bound to the US rules and abide and respect them, and
>> definitely am not a Lawyer, however my concern was not EAR (Export
>> Administration Regulations) the law is much more complicated than just
>> an export control regulation,
>>
>> By considering the source of the message coming from a known
>> University in Iran working on dual purpose subjects, I personally
>> prefer not to help particularly (on implementation basis), and I think
>> I have such right.
>>
>> Tried to help as much as I could.
>>
>> Providing legal advice requires attorney-client privilege/relationship
>> and I don't think just Google search result would be enough in such case.
>>
>> Anyway this is not a legal mailing list, technical aspects have been
>> covered as much as it should, if you would like you may add additional
>> notes.
>>
>> Best Regards,
>>
>> Patrick K.
>>
>>
>> On 11/7/2010 10:37 AM, Cliffe wrote:
>>> On 7/11/2010 10:39 PM, cto@itechfrontiers.com wrote:
>>>> I'm sorry but with all due respects, I don't know if helping people in
>>>> Iran on the subject is legal or not (I'm not a Lawyer) but judging
>>>> from sources of your mail (which is Iran), I prefer not to be involved
>>>> in any particular help.
>>> I have never heard anything that has suggested that there have ever been
>>> US export laws regarding access control software, let alone helping
>>> someone set up their free open source security software (please let me
>>> know if you have heard otherwise). It has been 10 years since US
>>> cryptography export laws have relaxed (and maybe they still apply to
>>> embargoed destinations).
>>>
>>> Just a quick google:
>>> "controls on encryption did not apply to cryptographic equipment and
>>> software if their functionality was limited to any of the following nine
>>> categories:" ... "(5) Access control devices such as ATMs;"
>>>> Anyway this is a project develped primarily by the National Security
>>>> Agency of the USA, and its contributors.
>>> That does not seem relevant to me...
>>>
>>> Cliffe.
>>>
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>> with
>>> the words "unsubscribe selinux" without quotes as the message.
>>
>>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.