[rsbac] Identify problem

rsbac@rsbac.org rsbac@rsbac.org
Thu May 9 17:01:02 2002



Dear members,

I have the following problem. I am trying to defend courier-mta and have achieved a 
lot of success, but with Unix sockets I have a problem.
How could I identify them accurately? I do not want to create a general unix 
socket type and grant a lot of rights to it. Instead I would like to 
precisely define what sockets it can connect to.

In some cases it is trackable with strace, lsof and so on (e.g. courier 
wants a /var/spool/courier/tmp/socket.tmp or similar), but sometimes it is 
extremely hard (at least for me).

Could you put down a clue for me?

Other problem: how can I grant rights for roles to /proc? Its inode 
obviously changes after every reboot. Should I set all other files to 
different types, or is there a simpler solution?

Sincerely yours,
Gabor Horvath

Example:
9 16:44:15 rex kernel: rsbac_adf_request(): request CONNECT, caller_pid 8068, caller_prog_name sh, caller_uid 0, target-type NETOBJ, tid cf990360 UNIX STREAM, attr none, value 0, result NOT_GRANTED by RC
May  9 16:44:15 rex kernel: rsbac_adf_request(): request CREATE, caller_pid 8073, caller_prog_name logger, caller_uid 0, target-type NETOBJ, tid cf990360 UNIX DGRAM, attr none, value 0, result NOT_GRANTED by RC
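Added example (not part of the original post or of RSBAC itself): a small parser for the rsbac_adf_request() log lines quoted above, which groups the denied NETOBJ requests by program, request type and socket type so that each Unix socket access that still needs a right in the RC policy can be identified from the kernel log. The field layout is taken from the two sample lines; the sample log below is constructed from them, and the regex is an assumption about any field not shown there.

```python
import re
from collections import Counter

# Field layout as seen in the two rsbac_adf_request() lines quoted in the post.
# The "UNIX STREAM"/"UNIX DGRAM" part after the tid is optional, since non-socket
# targets (FILE, DIR, ...) will not carry it (assumption about the format).
ADF_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), "
    r"caller_pid (?P<pid>\d+), caller_prog_name (?P<prog>\S+), "
    r"caller_uid (?P<uid>\d+), target-type (?P<target>\w+), "
    r"tid (?P<tid>\S+)(?: (?P<family>UNIX) (?P<socktype>STREAM|DGRAM))?, "
    r"attr (?P<attr>\S+), value (?P<value>\S+), "
    r"result (?P<result>\w+) by (?P<module>\w+)"
)

# Constructed sample: the two entries from the post, each on a single line.
SAMPLE_LOG = [
    "May  9 16:44:15 rex kernel: rsbac_adf_request(): request CONNECT, "
    "caller_pid 8068, caller_prog_name sh, caller_uid 0, target-type NETOBJ, "
    "tid cf990360 UNIX STREAM, attr none, value 0, result NOT_GRANTED by RC",
    "May  9 16:44:15 rex kernel: rsbac_adf_request(): request CREATE, "
    "caller_pid 8073, caller_prog_name logger, caller_uid 0, target-type NETOBJ, "
    "tid cf990360 UNIX DGRAM, attr none, value 0, result NOT_GRANTED by RC",
    "May  9 16:44:16 rex kernel: unrelated message that must be ignored",
]


def parse_adf_line(line):
    """Return the fields of one rsbac_adf_request() line, or None if no match."""
    m = ADF_RE.search(line)
    return m.groupdict() if m else None


def denied_netobj(lines):
    """Keep only decisions on NETOBJ targets that were NOT_GRANTED."""
    parsed = (parse_adf_line(l) for l in lines)
    return [p for p in parsed
            if p and p["target"] == "NETOBJ" and p["result"] == "NOT_GRANTED"]


def summarize(lines):
    """Count denied socket requests per (program, request, socket type)."""
    return Counter((p["prog"], p["request"], p["socktype"])
                   for p in denied_netobj(lines))


if __name__ == "__main__":
    for (prog, req, stype), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{prog:10} {req:8} UNIX {stype:6} denied {n}x")
```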