[rsbac] upgrade to 1.2.5
cesare at ucci.it
Fri Nov 18 09:32:11 CET 2005
OK, I fixed cupsd but I think that the problem lies somewhere else. I
have noticed already various times, without being really able to prove
it, that when I run a shell script which gives a lot of rc_set_item
commands, some of the commands are _silently_ _not_ applied. For example
for role in $(rc_get_item list_role_nr)
do
  for type in $(rc_get_item list_netobj_type_nr)
  do
    rc_set_item -a ROLE $role type_comp_netobj $type IOCTL
    # [.. here it goes a check on the return value of rc_set_item ..]
  done
done
no error messages, but if I check manually there is one role which did
not get the right, and if I add it manually then everything is OK.
Obviously, this happens rarely and never in the same point, but this was
what had happened for cupsd.
For udev instead I'll boot with rsbac_debug_adf_rc because I have
$ rc_get_item list_scd_types | grep 'sysfs'
$ rc_get_item -p ROLE 999999 type_comp_scd 15
$ rc_get_item -p ROLE 2 type_comp_scd 15
PS. Nice that rsbac.org is back!
On Fri, Nov 18, 2005 at 09:06:39AM +0100, Amon Ott wrote:
* On Donnerstag 17 November 2005 20:20, Andrea Pasquinucci wrote:
* > I just made an upgrade from 1.2.4 to 1.2.5 of a little bit
* > machine. I solved all new controls, but the following two remain,
* > if all seems to be working fine also in enforcing mode:
* > Thu Nov 17 17:00:55 2005 :<6>0000000069|rsbac_adf_request(): request
* > GET_STATUS_DATA, pid 332, ppid 4, prog_name udev,
* > prog_file /bin/udev,
* > uid 0, target_type SCD, tid sysfs, attr owner, value 0, result
* > NOT_GRANTED (Softmode) by RC
* > Thu Nov 17 17:01:15 2005 :<6>0000000252|rsbac_adf_request(): request
* > MODIFY_SYSTEM_DATA, pid 1834, ppid 1833, prog_name cupsd, prog_file
* > /usr//sbin/cupsd, uid 0, target_type NETOBJ, tid cdbe5240 INET
* > proto TCP local 0.0.0.0:0 remote 0.0.0.0:0, attr setsockopt_level,
* > 1, result NOT_GRANTED (Softmode) by RC
* udev probably runs with the boot role, not that of a certain user '0'.
* cupsd should have its own role. If not, it might have boot role, too.
* Please enable rsbac_debug_adf_rc to see all roles and types involved,
* just add this kernel parameter when booting.
* http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Andrea Pasquinucci cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F CCBB CB51 2983 6494 0DA2
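
An added example, not part of the original message or of the RSBAC project's code: it parses the rsbac_adf_request records quoted above, including their mail-wrapped and quoted form, and tallies NOT_GRANTED decisions per module, program, request and target so the rights still missing after an upgrade can be listed. The field layout is assumed from the two records in the message; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the two records from the message, in their wrapped, quoted form.
SAMPLE = """\
> Thu Nov 17 17:00:55 2005 :<6>0000000069|rsbac_adf_request(): request
> GET_STATUS_DATA, pid 332, ppid 4, prog_name udev,
prog_file /bin/udev,
> uid 0, target_type SCD, tid sysfs, attr owner, value 0, result
> NOT_GRANTED (Softmode) by RC
> Thu Nov 17 17:01:15 2005 :<6>0000000252|rsbac_adf_request(): request
> MODIFY_SYSTEM_DATA, pid 1834, ppid 1833, prog_name cupsd, prog_file
> /usr//sbin/cupsd, uid 0, target_type NETOBJ, tid cdbe5240 INET
> proto TCP local 0.0.0.0:0 remote 0.0.0.0:0, attr setsockopt_level,
> 1, result NOT_GRANTED (Softmode) by RC
"""

QUOTE = re.compile(r"^\s*(?:[*>]\s*)+")  # leading mail quote markers
RECORD = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), (?P<fields>.*?), "
    r"result (?P<result>\w+)(?: \((?P<mode>\w+)\))? by (?P<module>\w+)")
FIELD = re.compile(
    r"\b(pid|ppid|prog_name|prog_file|uid|target_type|tid|attr) ([^,]+)")

def parse_decisions(text):
    """Unwrap the text and return one dict per rsbac_adf_request record."""
    flat = " ".join(QUOTE.sub("", line) for line in text.splitlines())
    flat = re.sub(r"\s+", " ", flat)
    decisions = []
    for m in RECORD.finditer(flat):
        rec = dict(FIELD.findall(m["fields"]))
        rec.update(request=m["request"], result=m["result"],
                   mode=m["mode"], module=m["module"])
        decisions.append(rec)
    return decisions

def missing_rights(decisions):
    """Count NOT_GRANTED decisions per (module, program, request, target type, target)."""
    counts = Counter()
    for d in decisions:
        if d["result"] == "NOT_GRANTED":
            target = d.get("tid", "?").split()[0]  # drop socket details after the id
            counts[(d["module"], d.get("prog_name"), d["request"],
                    d.get("target_type"), target)] += 1
    return counts

if __name__ == "__main__":
    for key, n in missing_rights(parse_decisions(SAMPLE)).items():
        print(n, *key)
```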