[rsbac] Problems upgrading from 1.2.0 to 1.2.2
Amon Ott
ao at rsbac.org
Wed Nov 19 08:54:32 CET 2003
On Tuesday, 18 November 2003 20:48, Pontus Lidman wrote:
> I have a working RSBAC 1.2.0 installation running on Linux kernel
> 2.4.18. I'd like to upgrade, so I compiled kernel 2.4.22 with RSBAC
> 1.2.2. When I boot this, it seems that the RC module is very reluctant
> to allow some kinds of access, like this:
>
> rsbac_adf_request(): request GET_STATUS_DATA, pid 173, ppid 1, prog_name rc, uid 0, target_type PROCESS, tid 173, attr , value 0, result NOT_GRANTED by RC
> rsbac_adf_request(): request GET_STATUS_DATA, pid 191, ppid 185, prog_name nis, uid 0, target_type PROCESS, tid 191, attr , value 0, result NOT_GRANTED by RC
> rsbac_adf_request(): request GET_STATUS_DATA, pid 193, ppid 185, prog_name setserial, uid 0, target_type PROCESS, tid 193, attr , value 0, result NOT_GRANTED by RC
> rsbac_adf_request(): request GET_STATUS_DATA, pid 202, ppid 201, prog_name pidof, uid 0, target_type PROCESS, tid 1, attr , value 0, result NOT_GRANTED by RC
> rsbac_adf_request(): request GET_STATUS_DATA, pid 231, ppid 230, prog_name start-stop-daem, uid 0, target_type PROCESS, tid 2, attr , value 0, result NOT_GRANTED by RC
>
> These are just a few examples, it seems like no one is allowed to
> GET_STATUS_DATA. If I boot back into 2.4.18+1.2.0, things work
> smoothly again, so I don't think anything has been corrupted on disk.
>
> RSBAC-related kernel configuration options I used follow below. I'm
> grateful for any advice on how to upgrade successfully.

The GET_STATUS_DATA request for PROCESS targets has been added after 1.2.0 to
allow hiding of process info, so you will have to add this right to most
roles. If you start with role 2 (sysadm), it will be easier. Everything else
should be upgraded automatically.

In general, boot into 1.2.2 with softmode enabled to get up and running, then
grant the right where appropriate. If you still have these messages, although
the system has sufficient rights to run smoothly, you can turn them off via
rsbac_menu, Logging, GET_STATUS_DATA, PROCESS. Also, rsbac_debug_adf_rc will
help to identify the roles and types involved.

To get back to your old behaviour, you can try the following as secoff:

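#!/bin/bash
# Add GET_STATUS_DATA on every process type to every RC role.
# All process type numbers known to RC
alltypes=$(rc_get_item list_process_type_nr)
for role in $(rc_get_item list_role_nr)
do
    for type in $alltypes
    do
        # -a adds the right to the existing set instead of replacing it
        rc_set_item -a -v ROLE "$role" type_comp_process "$type" GET_STATUS_DATA
    done
done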

The most important part is the -a to only add the right - otherwise you will
end up with GET_STATUS_DATA only, which will give you a lot of trouble.

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
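
Added example, not part of the original message and not RSBAC code: a small Python parser that groups the NOT_GRANTED lines quoted above by request, target type and deciding module, so the missing right and the programs hitting it can be read off before granting anything. The field layout is assumed from the log lines in this thread only, one record per line; the names RECORD, summarize_denials and SAMPLE are made up for the example.

```python
import re
from collections import defaultdict

# Field layout taken from the rsbac_adf_request() lines quoted in this thread.
# Other target types may format "tid" differently, so it is matched loosely.
RECORD = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog>.*?), uid (?P<uid>\d+), "
    r"target_type (?P<target_type>\w+), tid (?P<tid>.*?), attr (?P<attr>.*?), "
    r"value (?P<value>.*?), result (?P<result>\w+) by (?P<module>\w+)"
)

def summarize_denials(lines):
    """Group NOT_GRANTED records by (request, target_type, module).

    Returns {key: {"count": n, "programs": {prog_name: n}}}.
    """
    summary = defaultdict(lambda: {"count": 0, "programs": defaultdict(int)})
    for line in lines:
        m = RECORD.search(line)
        if not m or m["result"] != "NOT_GRANTED":
            continue  # unrelated message, or a request that was granted
        entry = summary[(m["request"], m["target_type"], m["module"])]
        entry["count"] += 1
        entry["programs"][m["prog"].strip()] += 1
    return {key: {"count": e["count"], "programs": dict(e["programs"])}
            for key, e in summary.items()}

# The five records from the quoted report, plus one constructed unrelated line.
SAMPLE = """\
rsbac_adf_request(): request GET_STATUS_DATA, pid 173, ppid 1, prog_name rc, uid 0, target_type PROCESS, tid 173, attr , value 0, result NOT_GRANTED by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 191, ppid 185, prog_name nis, uid 0, target_type PROCESS, tid 191, attr , value 0, result NOT_GRANTED by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 193, ppid 185, prog_name setserial, uid 0, target_type PROCESS, tid 193, attr , value 0, result NOT_GRANTED by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 202, ppid 201, prog_name pidof, uid 0, target_type PROCESS, tid 1, attr , value 0, result NOT_GRANTED by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 231, ppid 230, prog_name start-stop-daem, uid 0, target_type PROCESS, tid 2, attr , value 0, result NOT_GRANTED by RC
constructed unrelated kernel message, ignored by the parser
"""

if __name__ == "__main__":
    for (request, ttype, module), e in summarize_denials(SAMPLE.splitlines()).items():
        progs = ", ".join(sorted(e["programs"]))
        print(f"{e['count']} x {request} on {ttype} denied by {module}: {progs}")
```

The log lines do not name the RC role or type involved, so the summary only narrows down which right is missing; rsbac_debug_adf_rc, as mentioned in the reply, is what identifies the roles and types.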