[rsbac] vmware ioports

Amon Ott ao at rsbac.org
Mon Sep 22 11:32:16 MEST 2003


On Monday 22 September 2003 07:30, Andreas Baetz wrote:
> I'm running kernel 2.4.22, rsbac-1.2.2, modules RC, AUTH, CAP,
> JAIL, RES and trying to start a virtual machine under vmware. 
> vmware itself starts ok, but when I try to resume a virtual
> machine, this error gets recorded:
> 
> kernel: rsbac_adf_request(): request MODIFY_PERMISSIONS_DATA, 
> pid 23138, ppid 22786, prog_name vmware, uid 501, 
> target_type SCD, tid ioports, attr , value 0, result NOT_GRANTED by AUTH
> 
> I have created an RC role vmware, where type comp SCD, ioports,
> MODIFY_PERMISSIONS_DATA=on.
> /usr/bin/vmware and /usr/lib/vmware/bin/vmware are RC force role vmware.
> In the above case, pid 23138 is a new process, it is a new one each time
> I try to resume. ppid 22786 stays the same, this is
> /usr/lib/vmware/bin/vmware.
> Something is missing here, but what ?

As a security module, AUTH also tries to protect itself and the most 
important system values.

Mark the vmware process owners as "System Administrators" for AUTH; this 
enables exactly this right, but also allows reading from other SCD targets.

Alternatively, in kernel config, please either turn off "AUTH module and 
attribute protection" in the AUTH section, or enable X support. Both will 
give sufficient rights to all users.

If you disabled AUTH's self protection, please control AUTH administration 
with the other modules, e.g. RC or ACL special SCD target 
'auth_administration'. By default, such control has been set up for user 400.
 
> How can I tell rsbac to log the whole path in syslog to see which program
> actually is affected ? I've turned on the kernel parameter to log the full path,
> but still only the program name without path gets logged.

The program name reported is the name kept in the kernel process table. This 
name is usually initialized to the program file name on execute, but can be 
changed by the process at runtime. Generally, there is no easy way to find 
the original program file.

The full path option gives you the path to filesystem objects.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
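Added example (not part of the list message, and not RSBAC code): a small Linux program showing why the prog_name in a log line like the one above cannot be trusted as a path. It reads and rewrites the kernel's per-task name with prctl(PR_GET_NAME/PR_SET_NAME), a newer interface than the 2.4 kernel discussed in the thread but backed by the same process-table field, and contrasts it with /proc/self/exe, the link to the file actually executed. The name "renamed" is a constructed value.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

#define COMM_LEN 16   /* kernel TASK_COMM_LEN: 15 characters plus NUL */

/* Fetch the kernel's current name for this task (what RSBAC logs as
 * prog_name). Returns 0 on success, -1 on error. */
int get_comm(char out[COMM_LEN]) {
    memset(out, 0, COMM_LEN);
    return prctl(PR_GET_NAME, out, 0, 0, 0) == 0 ? 0 : -1;
}

/* Rename the current task at runtime. Names longer than 15 bytes are
 * silently truncated by the kernel. Returns 0 on success, -1 on error. */
int set_comm(const char *name) {
    return prctl(PR_SET_NAME, name, 0, 0, 0) == 0 ? 0 : -1;
}

/* Resolve the path of the executable backing this process via the
 * /proc/self/exe symlink. Returns 0 on success, -1 on error. */
int get_exe_path(char *buf, size_t len) {
    ssize_t n = readlink("/proc/self/exe", buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Rename the task to fake_name and check two things: the logged-style
 * name now reads fake_name, while the executable path is unchanged.
 * Returns 1 when both hold, 0 otherwise. */
int comm_is_not_the_path(const char *fake_name) {
    char before[COMM_LEN], after[COMM_LEN];
    char exe_before[4096], exe_after[4096];

    if (get_comm(before) || get_exe_path(exe_before, sizeof exe_before))
        return 0;
    if (set_comm(fake_name))
        return 0;
    if (get_comm(after) || get_exe_path(exe_after, sizeof exe_after))
        return 0;
    return strcmp(after, fake_name) == 0 && strcmp(exe_before, exe_after) == 0;
}

int main(void) {
    char name[COMM_LEN], exe[4096];

    if (get_comm(name) || get_exe_path(exe, sizeof exe))
        return 1;
    printf("prog_name as logged: %s\n", name);
    printf("executable file:     %s\n", exe);

    /* "renamed" is a constructed name used only for the demonstration */
    if (comm_is_not_the_path("renamed"))
        printf("after prctl(PR_SET_NAME): prog_name is now \"renamed\", "
               "exe still %s\n", exe);
    return 0;
}
```

When correlating an RSBAC denial with a binary, the pid in the log line is the reliable key: while the process is alive, /proc/<pid>/exe gives the file that was executed, whereas prog_name is whatever the task last called itself.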

