[rsbac] Problems with OpenAFS and RSBAC

Amon Ott rsbac@rsbac.org
Mon Dec 16 15:52:01 2002


On Monday 16 December 2002 12:08, jochen wrote:
> I'm trying to set up an OpenAFS cell on a machine running RSBAC 1.2.1, or
> more detailed:
> 
> 	* Linux 2.4.20, RSBAC 1.2.1, CryptoAPI 0.1.0, 
> 	  super-FreeS/WAN 1.9-kb2
> 	* OpenAFS 1.2.7
> 	* Debian GNU/Linux SID
> 
> I encountered the following problem: the mounted AFS filesystem is
> recognized as RSBAC-internal and thus cannot be accessed, e.g.
> 
> root@gw:~# mount | grep afs
> AFS on /afs type afs (rw)
> root@gw:~# umount /afs
> rsbac_adf_request(): trial to access object declared RSBAC-internal!
> rsbac_adf_request(): request UMOUNT, pid 12299, ppid 700, prog_name
> umount, uid 0, target_type DIR, tid Device 00:08 Inode 0 Path /afs//,
> attr none, value 0, result NOT_GRANTED by
> umount: AFS: not found
> umount: /afs: must be superuser to umount

This request uses a 0 inode number, which should not happen and thus is not 
(yet) handled separately. The following patch against 
rsbac/data_structures/aci_data_structures.c should help:

--- aci_data_structures.c~      Thu Sep 19 11:47:59 2002
+++ aci_data_structures.c       Mon Dec 16 15:38:14 2002
@@ -8807,6 +8807,9 @@

                     if(attr == A_internal)
                       {
+                        if(!device_p->rsbac_dir_inode || !tid.file.inode)
+                          value->internal = FALSE;
+                        else
                         if(device_p->rsbac_dir_inode == tid.file.inode)
                           value->internal = TRUE;
                         else
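
Review bot: the added `else` ends its line and the existing `if(device_p->rsbac_dir_inode == tid.file.inode)` follows on the next line at the same indentation, so the chain reads as two unrelated statements; write it as `else if(...)` on one line or brace the three branches. The new zero test also needs a short comment saying why a zero `rsbac_dir_inode` or a zero `tid.file.inode` means "not internal", because without it the equality test below looks sufficient on its own. Since this branch clears `value->internal` for every request that carries inode 0, it is worth confirming that the RSBAC directory itself can never be reported with inode 0, otherwise this path would stop marking it as internal.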

 
> btw, the error message for access to internal objects could default to
> something like "NOT_GRANTED by rsbac" or something...

Yes, this will change in 1.2.2.

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22