[rsbac] upgrade to 1.2.5

Andrea Pasquinucci cesare at ucci.it
Fri Nov 18 09:32:11 CET 2005


OK, I fixed cupsd, but I think that the problem lies somewhere else. I 
have already noticed several times, without really being able to prove 
it, that when I run a shell script which issues a lot of rc_set_item 
commands, some of the commands are _silently_ _not_ applied. For example, 
I run

  for role in $(rc_get_item list_role_nr)
  do
    for type in $(rc_get_item list_netobj_type_nr)
    do
      rc_set_item -a ROLE "$role" type_comp_netobj "$type" IOCTL
      # [.. a check on the return value of rc_set_item goes here ..]
    done
  done

There are no error messages, but if I check manually there is one role 
which did not get the right, and if I add it manually then everything is 
OK. Obviously, this happens rarely and never at the same point, but this 
is what happened for cupsd.

For udev instead I'll boot with rsbac_debug_adf_rc because I have

$ rc_get_item list_scd_types | grep 'sysfs'
15 sysfs
$ rc_get_item -p ROLE 999999 type_comp_scd 15
0000000000000000000000000010000000000000100110001100000000000
  GET_PERMISSIONS_DATA
  GET_STATUS_DATA
  MODIFY_PERMISSIONS_DATA
  MODIFY_SYSTEM_DATA
  READ_ATTRIBUTE
  WRITE
$ rc_get_item -p ROLE 2 type_comp_scd 15
0000000000000000000000000010000000000000100110001100000000000
  GET_PERMISSIONS_DATA
  GET_STATUS_DATA
  MODIFY_PERMISSIONS_DATA
  MODIFY_SYSTEM_DATA
  READ_ATTRIBUTE
  WRITE

Thanks, Andrea

PS. Nice that rsbac.org is back!


On Fri, Nov 18, 2005 at 09:06:39AM +0100, Amon Ott wrote:
* On Thursday 17 November 2005 20:20, Andrea Pasquinucci wrote:
* > I just made an upgrade from 1.2.4 to 1.2.5 of a little bit complicated
* > machine. I solved all new controls, but the following two remain, even
* > if all seems to be working fine also in enforcing mode:
* > 
* > Thu Nov 17 17:00:55 2005 :<6>0000000069|rsbac_adf_request(): request
* > GET_STATUS_DATA, pid 332, ppid 4, prog_name udev, prog_file /bin/udev,
* > uid 0, target_type SCD, tid sysfs, attr owner, value 0, result
* > NOT_GRANTED (Softmode) by RC
* 
* > Thu Nov 17 17:01:15 2005 :<6>0000000252|rsbac_adf_request(): request
* > MODIFY_SYSTEM_DATA, pid 1834, ppid 1833, prog_name cupsd, prog_file
* > /usr//sbin/cupsd, uid 0, target_type NETOBJ, tid cdbe5240 INET STREAM
* > proto TCP local 0.0.0.0:0 remote 0.0.0.0:0, attr setsockopt_level, value
* > 1, result NOT_GRANTED (Softmode) by RC
* 
* udev probably runs with the boot role, not that of a certain user '0'. 
* cupsd should have its own role. If not, it might have boot role, too.
* 
* Please enable rsbac_debug_adf_rc to see all roles and types involved, 
* just add this kernel parameter when booting.
* 
* Amon.
* -- 
* http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

-- 
--
Andrea Pasquinucci                     cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2
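
A read-back check for the loop in the message above, added here as an example and not part of the original post: after each rc_set_item call it re-reads the setting with rc_get_item -p and reports every role/type pair where the right is still absent. It assumes the -p output format shown in the message (one right name per line); has_right and grant_and_verify are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumption: "rc_get_item -p" lists one right name per line, as in the
# output quoted in the message above.

# has_right ROLE TYPE RIGHT
# Succeeds if RIGHT is listed for ROLE on netobj type TYPE.
has_right() {
  rc_get_item -p ROLE "$1" type_comp_netobj "$2" |
    awk -v want="$3" '
      { gsub(/^[ \t]+|[ \t]+$/, "") }   # strip indentation
      $0 == want { found = 1 }
      END { exit !found }'
}

# grant_and_verify RIGHT
# Grants RIGHT to every role for every netobj type, reads each setting back,
# and prints "role type" for every pair where the right is still absent.
# Returns non-zero if any pair is missing, even when rc_set_item reported
# success for it.
grant_and_verify() {
  right=$1
  missing=0
  for role in $(rc_get_item list_role_nr); do
    for type in $(rc_get_item list_netobj_type_nr); do
      if ! rc_set_item -a ROLE "$role" type_comp_netobj "$type" "$right"; then
        echo "rc_set_item failed for role $role, type $type" >&2
      fi
      if ! has_right "$role" "$type" "$right"; then
        echo "$role $type"
        missing=$((missing + 1))
      fi
    done
  done
  [ "$missing" -eq 0 ]
}
```

Source the file and call `grant_and_verify IOCTL`; an empty output with exit status 0 means every pair was read back with the right set.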