On 2015-08-21 14:16, Patrick Ohly wrote:
> On Fri, 2015-08-21 at 13:25 +0200, Aleksander Zdyb wrote:
>> As for Security Manager, there are indeed more than half a dozen buckets
>> used:
>> ADMIN MANIFESTS USER_TYPE_ADMIN USER_TYPE_GUEST and more.
>> It's been designed this way, so it's easier to maintain them and faster to
>> get matching rules. But this is Tizen 3.0 specific. Other implementations
>> can use the bucket concept in any other way (see example above) or not use
>> it at all.
> One more question about this.
>
> When I use security-manager-policy-reload to create the Cynara DB, it'll
> create these user profile buckets with:
>
> # Import user-type policies
> find "$POLICY_PATH" -name "usertype-*.profile" |
> while read file
> do
> ...
>
>     # Link the bucket to ADMIN bucket
>     cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
>         --bucket="$bucket" --metadata="ADMIN"
>
> This creates a BUCKET rule in, for example, USER_TYPE_ADMIN:
> *;*;*;0xFFFE;ADMIN
>
> Isn't that the wrong way around? Buckets are linked as follows:
> "" (the unnamed bucket) -> MAIN -> MANIFESTS
>
> Nothing links to USER_TYPE_ADMIN, so ADMIN is also not reached.
>
> Does that look right? Then what is the purpose of these usertype
> profiles? How do they get activated in Cynara?

User profile buckets are used when users are created.
Security-manager is called by gumd (through a hook) on user creation/removal.
Then security-manager will create a policy entry in the MAIN bucket for the new
user. It will point to the user type bucket appropriate to the user's actual
type. You can simulate this by calling:

root@10:~# security-manager-cmd --manage-users add --uid 1234 --usertype guest
User add operation successfully finished (uid: 1234)
root@10:~# grep USER_TYPE /var/cynara/db/_MAIN 
*;1234;*;0xFFFE;USER_TYPE_GUEST

And when there are multiple users of the same type on the system, configuring
policy for each one will require only one Cynara rule per user. Thanks to the
bucket, the rules describing the user type are common to all users of the same type.

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
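To make the traversal in the thread concrete, here is an added example (my own Python model, not Cynara's or security-manager's code) that walks a constructed bucket database the way the replies describe it: the unnamed bucket links to MAIN, MAIN links to MANIFESTS and, once security-manager has added the per-user entry, to USER_TYPE_GUEST, which the reload script links on to ADMIN. The policy lines use the five-field layout shown for `/var/cynara/db/_MAIN`. The privilege names, the bucket defaults, the ADMIN override and the `add_user`/`resolve` helpers are assumptions chosen to make the walk visible, and "every matching policy applies, the most restrictive result wins" is an approximation of Cynara's rule, not a copy of its code.

```python
"""Simplified model of how Cynara resolves a check through linked buckets.

Added example for this thread; it is not Cynara or security-manager code.
Policy lines use the five-field layout the thread shows for /var/cynara/db/_MAIN
(client;user;privilege;type;metadata) with the Cynara admin type values
0x0 = DENY, 0x1 = NONE (no decision), 0xFFFE = BUCKET, 0xFFFF = ALLOW.
The resolution rule is an approximation of Cynara's behaviour: every policy
that matches the key is applied, a BUCKET policy recurses into the named
bucket, and when several results disagree the most restrictive one wins.
Bucket contents other than the links quoted in the thread are constructed.
"""

DENY, NONE, BUCKET, ALLOW = 0x0, 0x1, 0xFFFE, 0xFFFF
NAMES = {DENY: "DENY", NONE: "NONE", BUCKET: "BUCKET", ALLOW: "ALLOW"}

# Hypothetical privilege names, chosen only to make the walk visible.
INTERNET = "http://tizen.org/privilege/internet"
DISPLAY = "http://tizen.org/privilege/display"


def build_db():
    """Constructed bucket database: bucket name -> (default type, policy lines)."""
    return {
        "": (DENY, ["*;*;*;0xFFFE;MAIN"]),            # unnamed bucket -> MAIN
        "MAIN": (DENY, ["*;*;*;0xFFFE;MANIFESTS"]),   # MAIN -> MANIFESTS; per-user links come later
        "MANIFESTS": (NONE, []),                      # app manifest rules would live here
        "USER_TYPE_GUEST": (NONE, [
            f"*;*;{INTERNET};0xFFFF;",                 # guests may use the network (assumed) ...
            f"*;*;{DISPLAY};0xFFFF;",                  # ... and the display (assumed)
            "*;*;*;0xFFFE;ADMIN",                      # ... unless ADMIN objects (link from the reload script)
        ]),
        "ADMIN": (NONE, [
            f"*;*;{INTERNET};0x0;",                    # assumed admin override: no network for anyone
        ]),
    }


def add_user(db, uid, usertype):
    """Mimic the MAIN entry security-manager-cmd --manage-users add writes (format from the thread)."""
    _default, lines = db["MAIN"]
    lines.append(f"*;{uid};*;0xFFFE;USER_TYPE_{usertype.upper()}")


def parse_line(line):
    """Split 'client;user;privilege;type;metadata' into a tuple with a numeric type."""
    client, user, priv, ptype, meta = line.split(";", 4)
    return client, user, priv, int(ptype, 16), meta


def matches(policy, client, user, priv):
    """A field matches if it is the wildcard '*' or equal to the queried value."""
    return all(p in ("*", q) for p, q in zip(policy[:3], (client, user, priv)))


def check(db, client, user, priv, bucket, trace):
    """Decision of `bucket` for the key; visited buckets are appended to `trace`."""
    default, lines = db.get(bucket, (DENY, []))   # unknown bucket: treat as deny-by-default
    trace.append(bucket)
    results = []
    for policy in map(parse_line, lines):
        if not matches(policy, client, user, priv):
            continue
        if policy[3] == BUCKET:                       # follow the link, reusing the same key
            results.append(check(db, client, user, priv, policy[4], trace))
        else:
            results.append(policy[3])
    decided = [r for r in results if r != NONE]   # NONE means "no opinion"
    return min(decided) if decided else default   # DENY (0) beats ALLOW (0xFFFF)


def resolve(db, client, user, priv):
    """Start in the unnamed bucket and return (decision name, bucket path)."""
    trace = []
    decision = check(db, client, user, priv, "", trace)
    return NAMES[decision], tuple(trace)


if __name__ == "__main__":
    db = build_db()
    add_user(db, 1234, "guest")                   # same step as the security-manager-cmd call above
    for uid in ("1234", "5678"):
        for priv in (INTERNET, DISPLAY):
            decision, path = resolve(db, "App", uid, priv)
            print(f"uid={uid} {priv.rsplit('/', 1)[1]:8} -> {decision:5} via "
                  + " -> ".join(repr(b) for b in path))
```

Running it shows the point of the thread: for uid 1234 the walk is `'' -> 'MAIN' -> 'MANIFESTS' -> 'USER_TYPE_GUEST' -> 'ADMIN'`, so the guest rules and the ADMIN override both take effect, while for the unregistered uid 5678 the walk stops at MANIFESTS and MAIN's default applies, because nothing in MAIN points at a USER_TYPE_* bucket for that user.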