[rsbac] Problems upgrading from 1.2.0 to 1.2.2

Amon Ott ao at rsbac.org
Wed Nov 19 08:54:32 CET 2003


On Tuesday, 18 November 2003 20:48, Pontus Lidman wrote:
> I have a working RSBAC 1.2.0 installation running on Linux kernel
> 2.4.18. I'd like to upgrade, so I compiled kernel 2.4.22 with RSBAC
> 1.2.2. When I boot this, it seems that the RC module is very reluctant
> to allow some kinds of access, like this:
> 
> rsbac_adf_request(): request GET_STATUS_DATA, pid 173, ppid 1, prog_name rc, uid 0, target_type PROCESS, tid 173, attr , value 0, result NOT_GRANTED by RC
> rsbac_adf_request(): request GET_STATUS_DATA, pid 191, ppid 185, prog_name nis, uid 0, target_type PROCESS, tid 191, attr , value 0, result NOT_GRANTED by RC
> rsbac_adf_request(): request GET_STATUS_DATA, pid 193, ppid 185, prog_name setserial, uid 0, target_type PROCESS, tid 193, attr , value 0, result NOT_GRANTED by RC
> rsbac_adf_request(): request GET_STATUS_DATA, pid 202, ppid 201, prog_name pidof, uid 0, target_type PROCESS, tid 1, attr , value 0, result NOT_GRANTED by RC
> rsbac_adf_request(): request GET_STATUS_DATA, pid 231, ppid 230, prog_name start-stop-daem, uid 0, target_type PROCESS, tid 2, attr , value 0, result NOT_GRANTED by RC
> 
> These are just a few examples, it seems like no one is allowed to
> GET_STATUS_DATA. If I boot back into 2.4.18+1.2.0, things work
> smoothly again, so I don't think anything has been corrupted on disk.
> 
> RSBAC-related kernel configuration options I used follow below. I'm
> grateful for any advice on how to upgrade successfully.

The GET_STATUS_DATA request for PROCESS targets has been added after 1.2.0 to 
allow hiding of process info, so you will have to add this right to most 
roles. If you start with role 2 (sysadm), it will be easier. Everything else 
should be upgraded automatically.

In general, boot into 1.2.2 with softmode enabled to get up and running, then 
grant the right where appropriate. If you still have these messages, although 
the system has sufficient rights to run smoothly, you can turn them off via 
rsbac_menu, Logging, GET_STATUS_DATA, PROCESS. Also, rsbac_debug_adf_rc will 
help to identify the roles and types involved.

To get back to your old behaviour, you can try the following as secoff:

#!/bin/bash
alltypes=$(rc_get_item list_process_type_nr)
for role in $(rc_get_item list_role_nr)
do
  for type in $alltypes
  do
    rc_set_item -a -v ROLE $role type_comp_process $type GET_STATUS_DATA
  done
done

The most important part is the -a to only add the right - otherwise you will 
end up with GET_STATUS_DATA only, which will give you a lot of trouble.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
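
Added example, not part of the message above or of RSBAC itself: a Python script that summarizes the NOT_GRANTED lines from a softmode boot by request, target type and deciding module, so the affected programs are visible before the right is granted. The field layout is taken from the log lines quoted in the thread; the function names and the last two sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Field layout taken from the rsbac_adf_request() lines quoted in the thread.
LINE_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog>[^,]*), uid (?P<uid>\d+), "
    r"target_type (?P<target_type>\w+), tid (?P<tid>[^,]*), "
    r"attr (?P<attr>[^,]*), value (?P<value>[^,]*), "
    r"result (?P<result>\w+) by (?P<module>\S.*)$"
)

def parse_line(line):
    """Return the fields of one ADF log line, or None if it is not one."""
    m = LINE_RE.search(line.strip())
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def summarize_denials(lines):
    """Group NOT_GRANTED decisions by (request, target_type, module)."""
    summary = defaultdict(lambda: {"count": 0, "programs": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "NOT_GRANTED":
            continue
        entry = summary[(rec["request"], rec["target_type"], rec["module"])]
        entry["count"] += 1
        entry["programs"].add(rec["prog"])  # prog_name as logged (may be cut off)
    return {k: {"count": v["count"], "programs": sorted(v["programs"])}
            for k, v in summary.items()}

# First five lines are from the thread (unwrapped). The last two are constructed:
# a GRANTED line assumed to use the same layout, and an unrelated kernel line.
SAMPLE_LOG = """
rsbac_adf_request(): request GET_STATUS_DATA, pid 173, ppid 1, prog_name rc, uid 0, target_type PROCESS, tid 173, attr , value 0, result NOT_GRANTED by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 191, ppid 185, prog_name nis, uid 0, target_type PROCESS, tid 191, attr , value 0, result NOT_GRANTED by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 193, ppid 185, prog_name setserial, uid 0, target_type PROCESS, tid 193, attr , value 0, result NOT_GRANTED by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 202, ppid 201, prog_name pidof, uid 0, target_type PROCESS, tid 1, attr , value 0, result NOT_GRANTED by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 231, ppid 230, prog_name start-stop-daem, uid 0, target_type PROCESS, tid 2, attr , value 0, result NOT_GRANTED by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 240, ppid 1, prog_name init, uid 0, target_type PROCESS, tid 1, attr , value 0, result GRANTED by RC
kernel: eth0: link up
"""

if __name__ == "__main__":
    for key, info in summarize_denials(SAMPLE_LOG.splitlines()).items():
        request, target_type, module = key
        print(f"{module}: {request} on {target_type}: {info['count']} denied, "
              f"programs: {', '.join(info['programs'])}")
```

The log lines carry no role or type numbers, so the summary only tells you which request and target type to grant; rsbac_debug_adf_rc, as mentioned in the reply, is what identifies the roles and types involved.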


