[rsbac] Re: secoff can't change anything

Amon Ott ao at rsbac.org
Wed Apr 14 16:28:29 CEST 2004


On Thursday, 8 April 2004 11:20, Thomas Mueller wrote:
> On Thu, 08 Apr 2004 08:52:10 +0200 Amon Ott wrote:
> 
> >> I've uploaded my kernel config and rsbac
> >> settings to http://www.tmueller.com/rsbac.tgz if that helps.
> > 
> > Your settings seem to be correct.
> > 
> > Can you please retry with rsbac_debug_adf_rc? You can use this as kernel
> > parameter, or
> > echo debug_adf_rc 1 >/proc/rsbac-info/debug
> > I would like to see whether the current role is set correctly.
> 
> Not too much output:
> 
> Apr  8 11:15:46 geht-schon kernel: debug_proc_write(): setting rsbac_debug_adf_rc to 1
> Apr  8 11:16:03 geht-schon kernel: check_comp_rc(): rc_role is 5, rc_type is 4, request is MODIFY_ATTRIBUTE -> NOT_GRANTED!
> Apr  8 11:16:03 geht-schon kernel: rsbac_adf_request(): request MODIFY_ATTRIBUTE, pid 8333, ppid 8331, prog_name attr_set_file_d, uid 400, target_type FILE, tid Device 03:05 Inode 64647 Path /bin/login, attr rc_force_role, value 5, result NOT_GRANTED by GEN RC

I think I can see the puzzle: You set force_role for /bin/login to 5, so 
when secoff logs in, the role 5 is kept. Please reset the force_role 
setting to inherit_parent_dir and set initial_role to 5.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
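
Added example (not part of the original message and not RSBAC project code): a small parser that pairs each denied rsbac_adf_request() line with the rc_role reported by the preceding check_comp_rc() line, which is the value the debug_adf_rc output was requested for. The field layout is assumed from the two log lines quoted in this thread; other RSBAC versions may log differently.

```python
import re

# Constructed sample: the kernel messages quoted in the thread, mail line wraps rejoined.
SAMPLE = """\
Apr  8 11:16:03 geht-schon kernel: check_comp_rc(): rc_role is 5, rc_type is 4, request is MODIFY_ATTRIBUTE -> NOT_GRANTED!
Apr  8 11:16:03 geht-schon kernel: rsbac_adf_request(): request MODIFY_ATTRIBUTE, pid 8333, ppid 8331, prog_name attr_set_file_d, uid 400, target_type FILE, tid Device 03:05 Inode 64647 Path /bin/login, attr rc_force_role, value 5, result NOT_GRANTED by GEN RC
"""

# Patterns derived from the quoted lines only (assumption: layout is stable).
RC_CHECK = re.compile(
    r"check_comp_rc\(\): rc_role is (\d+), rc_type is (\d+), "
    r"request is (\w+) -> (\w+)")
ADF_REQ = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog>\S+), uid (?P<uid>\d+), "
    r"target_type (?P<target_type>\w+), tid (?P<tid>.+?), attr (?P<attr>\w+), "
    r"value (?P<value>\S+), result (?P<result>\w+) by (?P<modules>.+)$")


def parse_denials(log_text):
    """Return denied ADF requests, annotated with the RC role/type in effect."""
    denials, last_rc = [], None
    for line in log_text.splitlines():
        m = RC_CHECK.search(line)
        if m:
            last_rc = {"role": int(m[1]), "type": int(m[2]), "request": m[3]}
            continue
        m = ADF_REQ.search(line)
        if not m or m["result"] != "NOT_GRANTED":
            continue
        d = m.groupdict()
        d["modules"] = d["modules"].split()
        # Attach the RC role only when RC denied and the check was for this request.
        if last_rc and "RC" in d["modules"] and last_rc["request"] == d["request"]:
            d["rc_role"], d["rc_type"] = last_rc["role"], last_rc["type"]
        denials.append(d)
        last_rc = None
    return denials


if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(f"uid {d['uid']} in rc_role {d.get('rc_role')} denied "
              f"{d['request']} of {d['attr']} on {d['tid']} by {d['modules']}")
```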


