[rsbac] Kernel 2.4.27 + RSBAC 1.2.3 Problem

Amon Ott ao at rsbac.org
Tue Nov 23 14:28:08 CET 2004


On Tuesday, 23 November 2004 13:40, Patrique Wolfrum wrote:
> thank you for the quick reply.
> 
> >This is linux-2.4.27-rsbac-v1.2.3-bf7.tar.bz2, right?
>
> Correct.

So the bugfix against dev 00:00 has been applied. Hmm.
 
> >new request/target combination, GET_STATUS_DATA on NETOBJ. Could you
> >try v1.2.4-pre3 on this system? You can disable RSBAC writing to disk
> >to make sure nothing of your setup gets overwritten.
> 
> I compiled linux-2.4.27-rsbac-v1.2.4-pre3 and the according
> rsbac-admintools (I installed them this time in /opt/rsbac-1.2.4 in
> order to not disrupt my working rsbac-1.2.2-admintool installation
> (installed in /usr/local/)). For booting I used the kernel parameters
> 'rsbac_debug_no_write' and 'rsbac_softmode' (it would boot correctly
> without softmode). After some error messages it booted, and I was able
> to log in. After starting rsbac_menu I saw that it was unable to read
> any RC role and RC FD we have installed on the system (both lists were
> empty and I was asked about an initial role).

As your tools in the correct version are not in the path coded into
rsbac_menu etc., you need to

    export RSBACPATH=/opt/rsbac-1.2.4

before starting a menu. The path given here will be prepended to the
command line tool calls.

Without this setting, the v1.2.2 tools will be used - and those will 
not produce usable output.
 
> In the first boot (without softmode) the following error messages were
> written:
>
> Nov 23 13:09:34 pille kernel: ]: rsbac_adf_set_attr() returned error!
> Nov 23 13:09:34 pille kernel: rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_process_create_type of role 2!
> Nov 23 13:09:34 pille kernel: rsbac_adf_request(): request CLONE, pid 454, ppid 443, prog_name usb.agent, uid 0, audit_uid 0, target_type PROCESS, tid 454, attr none, value 0, result NOT_GRANTED (Softmode) by RC

This is OK, the def_process_create_value defaulted to a meaningless 
value before v1.2.3. Just change it to inherit_process, which is 
internally used in this error case.

> Nov 23 13:12:39 pille kernel: rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 1613, ppid 1602, prog_name bash, uid 0, audit_uid 0, target_type PROCESS, tid 1939, attr kernel_thread, value 0, result NOT_GRANTED (Softmode) by ACL
> Nov 23 13:12:39 pille kernel: rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 1939, ppid 1613, prog_name bash, uid 0, audit_uid 0, target_type PROCESS, tid 1939, attr kernel_thread, value 0, result NOT_GRANTED (Softmode) by ACL

This is a new request (see 
http://www.rsbac.org/documentation/upgrading.php#v1.2.3).
 
> After rebooting with RSBAC 1.2.2 everything works fine again.

Good.
 
> Is there an explanation, why RSBAC 1.2.4 (RSBAC 1.2.3 showed the same
> behaviour) isn't able to read the previous configuration?

I am quite sure it did read the configuration. Please also check
/proc/rsbac-info/stats and .../stats_rc.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
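
An added example, not part of the original message or of the RSBAC tools: a small Python parser for the rsbac_adf_request() lines quoted above that tallies the NOT_GRANTED (Softmode) decisions per module, request, target type and program, i.e. what would be refused once softmode is switched off. The field layout is taken from the quoted lines; that several modules after "by" would be separated by whitespace is an assumption.

```python
import re
from collections import Counter

# Kernel log lines copied from the message above, mail line wraps rejoined.
SAMPLE_LOG = """\
Nov 23 13:09:34 pille kernel: rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_process_create_type of role 2!
Nov 23 13:09:34 pille kernel: rsbac_adf_request(): request CLONE, pid 454, ppid 443, prog_name usb.agent, uid 0, audit_uid 0, target_type PROCESS, tid 454, attr none, value 0, result NOT_GRANTED (Softmode) by RC
Nov 23 13:12:39 pille kernel: rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 1613, ppid 1602, prog_name bash, uid 0, audit_uid 0, target_type PROCESS, tid 1939, attr kernel_thread, value 0, result NOT_GRANTED (Softmode) by ACL
Nov 23 13:12:39 pille kernel: rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 1939, ppid 1613, prog_name bash, uid 0, audit_uid 0, target_type PROCESS, tid 1939, attr kernel_thread, value 0, result NOT_GRANTED (Softmode) by ACL
"""

# Field order as it appears in the rsbac_adf_request() lines quoted in the message.
ADF_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog>[^,]+), uid (?P<uid>\d+), "
    r"audit_uid (?P<audit_uid>\d+), target_type (?P<target>\w+), "
    r"tid (?P<tid>[^,]+), attr (?P<attr>\w+), value (?P<value>[^,]+), "
    r"result (?P<result>\w+)(?P<soft> \(Softmode\))? by (?P<modules>.+)$"
)


def parse_adf(line):
    """Return the fields of one rsbac_adf_request() line, or None for other lines."""
    m = ADF_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["soft"] = rec["soft"] is not None
    # Assumption: several deciding modules would be separated by whitespace.
    rec["modules"] = rec["modules"].split()
    return rec


def softmode_denials(log_text):
    """Count decisions that only softmode let through, keyed by what to review."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_adf(line)
        if rec and rec["result"] == "NOT_GRANTED" and rec["soft"]:
            for module in rec["modules"]:
                counts[(module, rec["request"], rec["target"], rec["prog"])] += 1
    return counts


if __name__ == "__main__":
    for (module, request, target, prog), n in sorted(softmode_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}  {module:4s} {request} on {target} by {prog}")
```

Run against the full kernel log of a softmode boot, this gives the list of module/request pairs to review before booting the new version without rsbac_softmode.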