[rsbac] unable to run most aps, rsbac 1.2.1

Bencsath Boldizsar rsbac@rsbac.org
Fri Oct 4 01:01:03 2002


RSBAC has been changed in some areas from 1.1.2. Use
rsbac-admin-v1.2.1/src/scripts/backup_all_1.1.2 to back up your settings in
1.1.2 and then to recover them in 1.2.1, as described on the web site too.
But the script is not perfect. My transition:
1. back up everything, to be able to recover in 1.1.2 at least.
2. use backup_all_1.1.2 to back up stuff
3. reboot new kernel with emergency mode
4. run the script created by backup_all_1.1.2
5. check the most important settings.
Look for:
- ACL->Process->Default process-> check ACLs for the default groups. Do
  they have get_status_data?
- RC-> System admin (etc.) -> Process -> General -> Do the roles have
  get_status_data? if not, then set
- RC-> roles -> FD -> get_status_data (if you have roles that have only
  execute right on a type_fd, you might want to add get_status right)
- RC->roles->SCD->network and firewall. Check rights. Don't you want to add
  rights to a different role than system_admin to set firewall rules
  (iptables)?
- RC->roles->netobj->general (This might be set by the script - or not)
  check rights to be able to bind to an interface
- RC->roles->netdev->general (this might be o.k. too)
  check rights to be able to configure the interface

After these steps, if system_admin is about o.k., you can take a chance
to reboot without emergency mode, and hopefully after a successful
network login you have a chance to set the forgotten settings (check for
NOT_GRANTED in syslog...)

b
p.s. I just patched together a kernel:
linux 2.4.19+2.4.20pre8+rsbac1.2.1+grsecurity1.9.7+freeswan2.0pre2
if anybody is interested...

On Fri, 4 Oct 2002, Josh Beagley wrote:

> Hello,
>
> Just installed and compiled rsbac 1.2.1 and running fine, only additional
> policy I enabled was the JAIL policy, and as yet have not made any settings
> or changes to my previous rsbac configuration.
>
> However it seems I am now unable to even run ps, as I get the following
> errors for pretty much any application:
>
> Oct  3 20:39:54 Lynx kernel: rsbac_adf_request(): request GET_STATUS_DATA,
> pid 267, ppid 112, prog_name ps, uid 1000, target_type PROCESS, tid 1, attr
> , value 0, result NOT_GRANTED by RC ACL
> Oct  3 20:39:54 Lynx kernel: rsbac_adf_request(): request GET_STATUS_DATA,
> pid 267, ppid 112, prog_name ps, uid 1000, target_type PROCESS, tid 2, attr
> , value 0, result NOT_GRANTED by RC ACL
> Oct  3 20:39:54 Lynx kernel: rsbac_adf_request(): request GET_STATUS_DATA,
> pid 267, ppid 112, prog_name ps, uid 1000, target_type PROCESS, tid 3, attr
> , value 0, result NOT_GRANTED by RC ACL
> Oct  3 20:39:54 Lynx kernel: rsbac_adf_request(): request GET_STATUS_DATA,
> pid 267, ppid 112, prog_name ps, uid 1000, target_type PROCESS, tid 4, attr
> , value 0, result NOT_GRANTED by RC ACL
> Oct  3 20:39:54 Lynx kernel: rsbac_adf_request(): request GET_STATUS_DATA,
> pid 267, ppid 112, prog_name ps, uid 1000, target_type PROCESS, tid 5, attr
> , value 0, result NOT_GRANTED by RC ACL
>
>
> Apologies if the mailer wraps.
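An added example, not part of the original messages: one way to follow the "check for NOT_GRANTED in syslog" advice is to group the rsbac_adf_request() denials by request, target type, program and deciding module, so each group points at one RC or ACL setting to review. The sample log is constructed from the lines quoted above (unwrapped to one record per line, as syslog writes them) plus two invented lines; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the three "ps" records mirror the denials quoted in the
# thread; the "top" record and the unrelated kernel line are invented.
_REC = ("Oct  3 20:39:54 Lynx kernel: rsbac_adf_request(): request GET_STATUS_DATA, "
        "pid {pid}, ppid 112, prog_name {prog}, uid 1000, target_type PROCESS, "
        "tid {tid}, attr , value 0, result NOT_GRANTED by {mods}")
SAMPLE_LOG = "\n".join(
    [_REC.format(pid=267, prog="ps", tid=t, mods="RC ACL") for t in (1, 2, 3)]
    + [_REC.format(pid=301, prog="top", tid=1, mods="RC"),
       "Oct  3 20:40:01 Lynx kernel: eth0: link up"])


def parse_record(line):
    """Return the fields of one rsbac_adf_request() log line, or None."""
    m = re.search(r"rsbac_adf_request\(\): (.*)$", line)
    if m is None:
        return None
    fields = {}
    # Fields are "key value" pairs separated by commas; "attr" may be empty.
    for part in m.group(1).split(","):
        key, _, value = part.strip().partition(" ")
        fields[key] = value.strip()
    # "result NOT_GRANTED by RC ACL" -> decision plus the deciding modules.
    result, _, modules = fields.get("result", "").partition(" by ")
    fields["result"], fields["modules"] = result, tuple(modules.split())
    return fields


def summarize_denials(log_text):
    """Count NOT_GRANTED decisions per (request, target_type, prog, uid, modules)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["result"] == "NOT_GRANTED":
            counts[(rec.get("request"), rec.get("target_type"),
                    rec.get("prog_name"), rec.get("uid"), rec["modules"])] += 1
    return counts


if __name__ == "__main__":
    for (req, ttype, prog, uid, mods), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {req} on {ttype} by {prog} (uid {uid}), "
              f"denied by {'+'.join(mods)}")
```

A group denied by both RC and ACL, as in the quoted log, means both the role's process rights and the default process ACL need get_status_data before the request is granted.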