[rsbac] a few problems
Josh Beagley
rsbac@rsbac.org
Mon Sep 9 09:31:01 2002
Hi all
The first problem I seem to be having is enabling FF flags add_inherited
and secure_delete on my home directory. I am running rsbac 1.2.0, kernel
2.4.19 and the preemptive patch. I get the following error, and any process
involving file operations hangs:
Sep 7 02:13:02 Lynx kernel: Assertion failure in ext3_sync_file() at
fsync.c:55: "ext3_journal_current_handle() == 0"
Sep 7 02:13:02 Lynx kernel: kernel BUG at fsync.c:55!
Sep 7 02:13:02 Lynx kernel: invalid operand: 0000
Sep 7 02:13:02 Lynx kernel: CPU: 0
Sep 7 02:13:02 Lynx kernel: EIP: 0010:[<c0159074>] Not tainted
Sep 7 02:13:02 Lynx kernel: EFLAGS: 00010286
Sep 7 02:13:02 Lynx kernel: eax: 0000005d ebx: 00000000 ecx: ffffffa3
edx: c7b50000
Sep 7 02:13:02 Lynx kernel: esi: cdcc4620 edi: c7b51e78 ebp: c7b51ee0
esp: c7b51e30
Sep 7 02:13:02 Lynx kernel: ds: 0018 es: 0018 ss: 0018
Sep 7 02:13:02 Lynx kernel: Process rm (pid: 2452, stackpage=c7b51000)
Sep 7 02:13:02 Lynx kernel: Stack: c02c6920 c02c690b c02c6903 00000037
c02c68e0 00000000 cd28e440 c01d2d9c
Sep 7 02:13:02 Lynx kernel: c7b51e78 cd8d0460 00000001 00000000
cd28e440 cbfa2480 00000c00 cbda9000
Sep 7 02:13:02 Lynx kernel: c0000000 00000000 00000000 00000000
cd8d0460 00000000 c031e380 00000001
Sep 7 02:13:02 Lynx kernel: Call Trace: [<c01d2d9c>] [<c01d2e16>]
[<c015ef20>] [<c0140828>] [<c013d7bd>]
Sep 7 02:13:02 Lynx kernel: [<c01409c0>] [<c010873b>]
Sep 7 02:13:02 Lynx kernel:
Sep 7 02:13:02 Lynx kernel: Code: 0f 0b 37 00 03 69 2c c0 83 c4 14 90 8d
46 18 50 e8 47 c5 fd
Sep 7 02:13:02 Lynx kernel: <6>note: rm[2452] exited with preempt_count 1
As well, I applied the roles example in rsbac for beginners, which works
fine, except that secoff seems to have lost privileges, leaving my machine
unable to be administered.
Sep 8 03:10:42 Lynx kernel: rsbac_rc_sys_set_item(): changing type_fd_name
of FD type 4 denied for pid 615, user 400 - no ADMIN right!
Sep 8 03:10:54 Lynx kernel: rsbac_adf_request(): request READ_ATTRIBUTE,
caller_pid 649, caller_prog_name attr_get_file_d, caller_uid 400,
target-type DIR, tid Device 03:06 Inode 581761 Path /home//secoff, attr
auth_may_setuid, value 4294967295, result NOT_GRANTED by RC
Sep 8 03:10:54 Lynx kernel: rsbac_adf_request(): request READ_ATTRIBUTE,
caller_pid 650, caller_prog_name attr_get_file_d, caller_uid 400,
target-type DIR, tid Device 03:06 Inode 581761 Path /home//secoff, attr
auth_may_set_cap, value 4294967295, result NOT_GRANTED by RC
Sep 8 03:11:19 Lynx kernel: rsbac_rc_sys_set_item(): changing type_fd_name
of FD type 4 denied for pid 733, user 400 - no ADMIN right!
Sep 8 03:11:23 Lynx kernel: rsbac_rc_sys_set_item(): changing type_fd_name
of FD type 54 denied for pid 748, user 400 - no ADMIN right!
Sep 8 03:11:26 Lynx kernel: rsbac_rc_sys_set_item(): changing type_fd_name
of FD type 4 denied for pid 763, user 400 - no ADMIN right!
Also, what is a recommended setup to protect the shadow file?