[rsbac] Losing settings at reboot

Samuli Kärkkäinen skarkkai at woods.iki.fi
Wed Oct 1 23:04:21 MEST 2003


On Sat, Sep 27, 2003 at 09:24:01PM +0200, Amon Ott wrote:
> On Sunday, 28 September 2003 10:56, Samuli Kärkkäinen wrote:
> > It seems to me that when I reboot the system, not all rsbac settings get
> > always restored properly. For instance currently my secoff user lacks any
> > extra privileges (which I noticed _after_ switching softmode on ...). I'm
> > quite certain I haven't made that change myself. In the beginning of my
> > rsbac experimenting, all or most of the settings were gone after a reboot,
> > but I ignored that as I assumed I somehow caused it myself (which could be
> > true). Could it be that an unclean shutdown could cause this somehow?
> 
> Normally, all RSBAC settings are flushed to disk regularly after each change. 
> If for some reason this saving fails, they are again flushed on umount. A hard 
> shutdown without sync can certainly fail to get them saved to disk, or fail 
> to transfer them from the ext3 journal to disk.
> 
> Losing previous attributes, especially predefined attributes like secoff's 
> rights, can only happen if there is a broken attribute file on disk.
> 
> You can check whether the lists have been saved if you look at the dirty flags 
> in /proc/rsbac-info/gen-lists. Please also have a closer look if you get 
> error messages about read problems during RSBAC init.

My shutdowns are partially dirty as the system can't figure out how to
unmount my cryptoloop filesystem upon shutdown. That is likely the cause for
rsbac saying "rsbac_do_init(): Forcing consistency check." at boot.
/proc/rsbac-info/gen_lists shows no dirty lists though.

After the boot before the latest one, secoff had the incorrect default role of a
normal user. I didn't touch that setting, yet at the latest boot it had the
proper security officer default role again. Seems strangely
nondeterministic.

The rsbac messages at boot seem quite normal, except that I'm not sure if
the following lines are supposed to be there:

kernel: rsbac_do_init(): USER AUTH ACI could not be read - generating standard entries!
kernel: rsbac_do_init(): USER JAIL ACI could not be read - generating standard entries!

But I'll fix the dirty shutdown issue before drawing any further
conclusions.

-- 
  Samuli Kärkkäinen                   |\      _,,,---,,_
 skarkkai at woods.iki.fi ---------ZZZzz /,`.-'`'    -.  ;-;;,_------
http://www.woods.iki.fi              |,4-  ) )-,_. ,\ (  `'-'
                                     '---''(_/--'  `-'\_)