[rsbac] Identify problem

Amon Ott rsbac@rsbac.org
Fri May 10 09:31:01 2002


On Thursday, 9. May 2002 16:58, ghorvath@minolta.hu wrote:
> I have the following problem. I try to defend courier-mta and achieved a
> lot of success but with Unix sockets I have a problem.
> How could I identify them accurately? I do not want to create a general unix
> socket type and grant a lot of rights to it. Instead I would like to 
> precisely define what sockets it can connect to.
> 
> In some cases it is trackable with strace, lsof and so on (e.g. courier
> wants a /var/spool/courier/tmp/socket.tmp or similar) but sometimes it is
> extremely hard (at least for me).
> 
> Could you put down a clue for me?

UNIX sockets are difficult to find out, because there are no naming 
standards. You can turn on program logging of request BIND on the program, 
which should give you all addresses in the log.

I guess that courier always creates its sockets in /var/spool/courier/, and 
you use that string as UNIX address with len(string) as address_length.

We might use an empty string with len>0 to identify anonymous UNIX sockets, 
and len==0 for any name.
 
> Other problem: how can I grant rights for roles to /proc ? Its inode is
> obviously changing after every reboot. Should I set all other files to
> different types or is there a simpler solution?

Create your setup once, make a backup, e.g. with
attr_back_fd -r /proc
and restore on every reboot. There is currently no better solution.

> Example:
> 9 16:44:15 rex kernel: rsbac_adf_request(): request CONNECT, caller_pid 
> 8068, caller_prog_name sh, caller_uid 0, target-type NETOBJ, tid cf990360 
> UNIX STREAM, attr none, value 0, result NOT_GRANTED by RC
> May  9 16:44:15 rex kernel: rsbac_adf_request(): request CREATE, 
> caller_pid 8073, caller_prog_name logger, caller_uid 0, target-type 
> NETOBJ, tid cf990360 UNIX DGRAM, attr none, value 0, result NOT_GRANTED by 
> RC

These are anonymous sockets, which can only be used for communication if a
file descriptor has been passed from parent to child process, or to connect
to other sockets (leading to a CONNECT request).

What you should look for are the BIND requests, where the actual address gets 
set - CREATE is quite harmless, because you cannot yet use the socket.

Amon.
--
http://www.rsbac.org
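
To go with the advice above about reading the RSBAC request log: an added example (not part of the original message and not RSBAC code) that parses rsbac_adf_request() entries, even when mail-quoted and wrapped, and counts denied NETOBJ requests per program. The function names and the decision to drop the first tid token are assumptions of this example; the sample input is the two entries quoted in the message.

```python
import re
from collections import Counter

# Field order copied from the rsbac_adf_request() lines quoted in the message.
LINE_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), "
    r"caller_pid (?P<pid>\d+), caller_prog_name (?P<prog>[^,]+), "
    r"caller_uid (?P<uid>\d+), target-type (?P<target>\w+), "
    r"tid (?P<tid>[^,]+), attr (?P<attr>[^,]+), value (?P<value>[^,]+), "
    r"result (?P<result>\w+) by (?P<module>\w+)"
)

# The two entries from the message, still mail-quoted and wrapped.
SAMPLE = """\
> 9 16:44:15 rex kernel: rsbac_adf_request(): request CONNECT, caller_pid
> 8068, caller_prog_name sh, caller_uid 0, target-type NETOBJ, tid cf990360
> UNIX STREAM, attr none, value 0, result NOT_GRANTED by RC
> May  9 16:44:15 rex kernel: rsbac_adf_request(): request CREATE,
> caller_pid 8073, caller_prog_name logger, caller_uid 0, target-type
> NETOBJ, tid cf990360 UNIX DGRAM, attr none, value 0, result NOT_GRANTED by
> RC
"""


def parse_requests(text):
    """Return one dict per entry, undoing mail quoting and line wrapping."""
    unquoted = re.sub(r"^[> ]+", "", text, flags=re.MULTILINE)
    flat = " ".join(unquoted.split())
    return [m.groupdict() for m in LINE_RE.finditer(flat)]


def denied_netobj(text, skip=("CREATE",)):
    """Count NOT_GRANTED NETOBJ requests per (program, request, socket, module)."""
    counts = Counter()
    for r in parse_requests(text):
        denied = (r["target"], r["result"]) == ("NETOBJ", "NOT_GRANTED")
        # CREATE is skipped by default, since the reply calls it harmless.
        if not denied or r["request"] in skip:
            continue
        # Drop the first tid token (cf990360 here): assumed to be an in-kernel
        # identifier rather than a socket name, so it is not useful as a key.
        sock = " ".join(r["tid"].split()[1:])
        counts[(r["prog"], r["request"], sock, r["module"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in denied_netobj(SAMPLE).items():
        print(n, *key)
```

Pass `skip=()` to include CREATE entries in the tally as well.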