[rsbac] 1.4.0-rc3 check_comp_rc: rc_role wrong?

Bernhard Seibold bernhard.seibold at uni-ulm.de
Mon Nov 17 19:32:21 CET 2008


On Mo, 2008-11-17 at 15:22 +0100, Amon Ott wrote:
> On Friday 14 November 2008 14:37, Amon Ott wrote:
> > On Friday 14 November 2008 14:19, Bernhard Seibold wrote:
> > > I'm getting a lot of denied requests, where (imho) they should
> > > have been granted. I turned on debug_adf_rc1, and noticed that
> > > check_comp_rc almost always says "rc_role 0", although
> > > rc_get_current_role reports another (the correct) ID.
> > >
> > > Can you confirm this is a bug, or did I just do something wrong
> > > while upgrading from rc2 to rc3?
> >
> > It is working fine in i386, so it might be related to amd64
> > platform. We will look into it.
> 
> Does the rsbac_adf_request message after this show some weird or 0 
> pid? Or do you get other warnings that an attribute was set for 
> process 0? 

No, looks ok.

> Please send some example log lines.

User 1000 is rc_role 4. No errors with 2.6.26.7 with 1.4.0-rc2 (and your
one-line ipv6 patch).

0000009047|check_comp_rc(): pid 2299432064 (gweather-applet), owner
1000, rc_role 0, NETOBJ rc_type 0, request CREATE -> NOT_GRANTED!
0000009048|rsbac_adf_request(): request CREATE, pid 30636, ppid 1,
prog_name gweather-applet,
prog_file /usr/lib/gnome-applets/gweather-applet-2, uid 1000,
target_type NETOBJ, tid ffff8800211daf00 NETLINK RAW ROUTE, attr
sock_type, value RAW, result NOT_GRANTED (Softmode) by RC

0000019673|check_comp_rc(): pid 890749184 (apache2), owner 0, rc_role 0,
NETOBJ rc_type 0, request CREATE -> NOT_GRANTED!
0000019674|rsbac_adf_request(): request CREATE, pid 9082, ppid 9080,
prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type
NETOBJ, tid ffff880017464f00 NETLINK RAW ROUTE, attr sock_type, value
RAW, result NOT_GRANTED (Softmode) by RC

I found just two entries in the log file where rc_role wasn't 0:

0000006872|check_comp_rc(): pid 3064161152 (rsbac_user_menu), owner 400,
rc_role 2, DIR rc_type 1, request SEARCH -> NOT_GRANTED!
0000006873|rsbac_adf_request(): request SEARCH, pid 15750, ppid 15748,
prog_name rsbac_user_menu, prog_file /bin/bash, uid 400, audit uid 1000,
target_type DIR, tid Device 08:01 Inode 5460453 Path /secoff, attr none,
value none, result NOT_GRANTED (Softmode) by RC

Here it probably should have been rc_role 1.


0000018748|check_comp_rc(): pid 1889067904 (rsbac_menu), owner 400,
rc_role 0, DIR rc_type 1, request SEARCH -> NOT_GRANTED!
0000018749|rsbac_adf_request(): request SEARCH, pid 4591, ppid 4586,
prog_name rsbac_menu, prog_file /bin/bash, uid 400, target_type DIR, tid
Device 08:01 Inode 5460453 Path /secoff, attr none, value none, result
NOT_GRANTED (Softmode) by RC

0000018750|check_comp_rc(): pid 890750080 (rsbac_menu), owner 400,
rc_role 999999, DIR rc_type 1, request SEARCH -> NOT_GRANTED!
0000018751|rsbac_adf_request(): request SEARCH, pid 4608, ppid 4586,
prog_name rsbac_menu, prog_file /bin/bash, uid 400, target_type DIR, tid
Device 08:01 Inode 5460453 Path /secoff, attr none, value none, result
NOT_GRANTED (Softmode) by RC

0000018752|check_comp_rc(): pid 890750208 (rsbac_user_menu), owner 400,
rc_role 0, DIR rc_type 1, request SEARCH -> NOT_GRANTED!
0000018753|rsbac_adf_request(): request SEARCH, pid 4609, ppid 4586,
prog_name rsbac_user_menu, prog_file /bin/bash, uid 400, target_type
DIR, tid Device 08:01 Inode 5460453 Path /secoff, attr none, value none,
result NOT_GRANTED (Softmode) by RC

These messages were logged within 2 secs.

Kernel is
http://download.rsbac.org/pre/rsbac-1.4.0-rc3/linux-2.6.27.5-rsbac-1.4.0-rc3.tar.bz2
patched with
pax-linux-2.6.27.5-test16.patch and
kernel.org/.../incr/patch-2.6.27.5-6.bz2
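As an added illustration (not part of Bernhard's message or of the RSBAC sources), a small checker that pairs each check_comp_rc() audit line with the rsbac_adf_request() line that follows it and flags pairs where the two pid fields disagree, or where rc_role differs from the role the reporter says that uid holds. The sample lines are copied from the log above; the uid-to-role table is an assumption built from the mail (uid 1000 is role 4, uid 400 is guessed to be role 1).

```python
import re

# Constructed sample: the log excerpt from the report above, one entry per line.
SAMPLE_LOG = """\
0000009047|check_comp_rc(): pid 2299432064 (gweather-applet), owner 1000, rc_role 0, NETOBJ rc_type 0, request CREATE -> NOT_GRANTED!
0000009048|rsbac_adf_request(): request CREATE, pid 30636, ppid 1, prog_name gweather-applet, prog_file /usr/lib/gnome-applets/gweather-applet-2, uid 1000, target_type NETOBJ, tid ffff8800211daf00 NETLINK RAW ROUTE, attr sock_type, value RAW, result NOT_GRANTED (Softmode) by RC
0000006872|check_comp_rc(): pid 3064161152 (rsbac_user_menu), owner 400, rc_role 2, DIR rc_type 1, request SEARCH -> NOT_GRANTED!
0000006873|rsbac_adf_request(): request SEARCH, pid 15750, ppid 15748, prog_name rsbac_user_menu, prog_file /bin/bash, uid 400, audit uid 1000, target_type DIR, tid Device 08:01 Inode 5460453 Path /secoff, attr none, value none, result NOT_GRANTED (Softmode) by RC
"""

# Assumed uid -> rc_role mapping taken from the mail: uid 1000 is stated to be role 4,
# uid 400 is the reporter's guess ("probably should have been rc_role 1").
EXPECTED_ROLE = {1000: 4, 400: 1}

COMP_RE = re.compile(r"^(\d+)\|check_comp_rc\(\): pid (\d+) \((\S+)\), owner (\d+), rc_role (\d+), (\w+) rc_type (\d+), request (\w+) -> (\w+)")
ADF_RE = re.compile(r"^(\d+)\|rsbac_adf_request\(\): request (\w+), pid (\d+), ppid (\d+), prog_name (\S+),.*? uid (\d+),")

def parse_pairs(text):
    """Yield (comp, adf) dicts for every check_comp_rc line whose successor is its rsbac_adf_request line."""
    lines = [l for l in text.splitlines() if l.strip()]
    for a, b in zip(lines, lines[1:]):
        m1, m2 = COMP_RE.match(a), ADF_RE.match(b)
        if not (m1 and m2):
            continue  # not a check_comp_rc/adf_request pair
        comp = dict(seq=int(m1[1]), pid=int(m1[2]), prog=m1[3], owner=int(m1[4]),
                    rc_role=int(m1[5]), target=m1[6], rc_type=int(m1[7]),
                    request=m1[8], result=m1[9])
        adf = dict(seq=int(m2[1]), request=m2[2], pid=int(m2[3]), ppid=int(m2[4]),
                   prog=m2[5], uid=int(m2[6]))
        if adf["seq"] == comp["seq"] + 1:  # consecutive audit sequence numbers
            yield comp, adf

def find_anomalies(text, expected=EXPECTED_ROLE):
    """Return (seq, reason) for pairs whose pid fields disagree or whose rc_role is not the expected one."""
    out = []
    for comp, adf in parse_pairs(text):
        if comp["pid"] != adf["pid"]:
            out.append((comp["seq"], f"pid mismatch: check_comp_rc {comp['pid']} vs adf_request {adf['pid']}"))
        want = expected.get(comp["owner"])
        if want is not None and comp["rc_role"] != want:
            out.append((comp["seq"], f"rc_role {comp['rc_role']} for uid {comp['owner']}, expected {want}"))
    return out

if __name__ == "__main__":
    for seq, reason in find_anomalies(SAMPLE_LOG):
        print(seq, reason)
```

Run against a full log, the pid-mismatch check alone isolates the lines worth sending upstream, independent of any role table.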