Permissions
In the sec-lsm-manager, the following system permission is used : redpesk-permissions
Cynagora
Permissions are sent and stored in cynagora.
For example, if we add the permission urn:AGL:permission::partner:scope-platform
to a demo-app we will have :
CLIENT SESSION, USER, PERMISSION RESULT EXPIRE
demo-app * * urn:AGL:permission::partner:scope-platform yes forever
For more details on cynagora: sec-cynagora
Mandatory Access Control
At this time permissions only have an impact on SELinux. They will allow to add additional authorizations to an application.
For example the urn:AGL:permission::partner:scope-platform
permission
will allow access to the /var/scope-platform
folder.
Here is a list of currently supported permissions and their effect :
- urn:AGL:permission::partner:scope-platform
Allow access to the
/var/scope-platform
folder
- urn:AGL:permission::partner:create-can-socket
Allow create and write on can socket
- urn:AGL:permission::partner:read-afbtest
Allow read binding afbtest
- urn:AGL:permission::partner:execute-shell
Allow execute shell and programs in bin directories
- urn:AGL:permission::partner:manage-tmp
Allow manage all files types in /tmp
- urn:AGL:permission::partner:manage-user-shared
Allow manage all files types in /run/user/[id]/usrshr/