I could kick myself...
Written by Michael Felt   

I have been promoting RBAC since AIX 6.0 Beta. And RBAC Domains were, read are, a great addition. And I could really kick myself that

  1. I have let an extremely simple bug hold me back for years (read I did not find a truly simple workaround before now)
  2. I have not been beating at AIX Security support to fix it (as I shall now!!!)

RBAC Domains and Directories

  • The documentation says directories are valid "file" object types
  • I remember configuring directories in the initial days of RBAC domains
  • I failed to see past the error of the error message from setsecattr -o ... 

Basically, what I have discovered - years too late (kick me) - is that, in the kernel, support has never left us - the bug is simply that setsecattr -o ... "DirectoryPath" reports an error. And this error message (and the refusal to update /etc/security/domobjs) is the bug.

And the workaround is!

Edit /etc/security/domobjs and turn a filename (that is accepted) into a directory path, then run setkst, and voila - you have a directory as an established - domained - object.
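
The edit described above, as an added example that is not part of the original post: a small shell function that renames one stanza header in a copy of the database, keeps a backup, and refuses to clobber an existing entry. The stanza layout, the domain name hrdom and the /home/hr paths are constructed assumptions; setkst itself is not called here.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# write_sample_domobjs FILE: constructed domobjs-style database with two
# file objects of the kind "setsecattr -o" accepts.
write_sample_domobjs() {
    cat > "$1" <<'EOF'
/home/hr/placeholder:
        domains = hrdom
        objtype = file
        secflags = FSF_DOM_ANY

/home/hr/placeholder.old:
        domains = hrdom
        objtype = file
        secflags = FSF_DOM_ANY
EOF
}

# retarget_domobj DB FILE_PATH DIR_PATH
# Rename the stanza "FILE_PATH:" to "DIR_PATH:"; attributes are left alone.
# Returns 0 on success, 2 no database, 3 no source stanza, 4 target exists.
retarget_domobj() {
    db=$1; old=$2; new=$3
    [ -f "$db" ] || { echo "no such database: $db" >&2; return 2; }
    # Whole-line, fixed-string match: /home/hr/placeholder.old must not match.
    grep -Fqx "$old:" "$db" || { echo "no stanza for $old" >&2; return 3; }
    if grep -Fqx "$new:" "$db"; then
        echo "stanza for $new already exists" >&2
        return 4
    fi
    # Keep the original so a bad edit can be rolled back before loading it.
    cp -p "$db" "$db.bak" || return 5
    OLD="$old:" NEW="$new:" awk '
        $0 == ENVIRON["OLD"] { print ENVIRON["NEW"]; next }
        { print }' "$db.bak" > "$db.tmp" || return 6
    # Overwrite in place so the database keeps its owner and mode.
    cat "$db.tmp" > "$db" && rm -f "$db.tmp"
}

# On AIX, after editing the real /etc/security/domobjs this way, run setkst
# as the post says so the kernel tables pick up the directory object.
```

Try it on a scratch copy first, for example write_sample_domobjs /tmp/domobjs followed by retarget_domobj /tmp/domobjs /home/hr/placeholder /home/hr, and compare the result with /tmp/domobjs.bak.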

For your further information

I shall be working on a short tutorial - real real soon!