[rsbac] Re: Missing CAPs are not logged

Thomas Mueller news-exp-jul05 at tmueller.com
Tue Jan 25 17:51:34 CET 2005


Amon Ott wrote:

>> Is it hard to patch the kernel so that missing CAPs are logged by 
>> RSBAC?
> 
>> If the program that needs more CAPs doesn't output a useful error 
>> message it is very hard to find out what's missing.
> 
> It is either simple (change the capable() function), but produces
> tons of output and is thus useless,

That means you expect that (a lot of) programs try to do things they have 
no capabilities for but work nonetheless?

> or it requires patches to all functions that check capabilities, which
> is a real lot of work and almost impossible to maintain.
> 
> We can give the first option a try, though.
> 
> But, again: The normal reason why a program only works in softmode, 
> but does not produce RSBAC logging, are missing CAPs in the max_caps
> value.

Yes but you still have to find out what is missing. Setting max_caps to 
1..1 is not the best solution from a security point of view I guess :-)


Thomas
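Added example (my own C, not RSBAC code and not written by either poster) of the two behaviours Amon's first option can have when capable() is changed to log: the naive hook emits a line for every failed check, while a per-(pid, cap) deduplicated variant reports each missing capability once, which is what an admin needs to correct max_caps. The task struct, the daemon's pid, its capability set and the retry count are constructed assumptions; only the two capability numbers are Linux's real values.

```c
#include <stdio.h>
/* Constructed stand-in for a task's effective capability set; the two
 * capability numbers are Linux's real CAP_NET_ADMIN and CAP_SYS_ADMIN. */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21
struct task { int pid; unsigned long long eff_caps; };
struct denial { int pid; int cap; };
static struct denial seen[256];
static int seen_n, audit_lines;   /* audit_lines: log lines emitted so far */

static void audit(const struct task *t, int cap) {
    printf("capable: pid %d lacks CAP %d\n", t->pid, cap);
    audit_lines++;
}

/* Option 1 from the thread: log every failed check. Simple, but a program
 * that retries a gated call and falls back gracefully floods the log. */
int capable_log_all(const struct task *t, int cap) {
    if ((t->eff_caps >> cap) & 1ULL) return 1;
    audit(t, cap);
    return 0;
}

/* Same hook with (pid, cap) deduplication: each missing capability is
 * reported once per process, which is what an admin needs to fix max_caps. */
int capable_log_once(const struct task *t, int cap) {
    if ((t->eff_caps >> cap) & 1ULL) return 1;
    for (int i = 0; i < seen_n; i++)
        if (seen[i].pid == t->pid && seen[i].cap == cap) return 0;
    if (seen_n < 256) seen[seen_n++] = (struct denial){ t->pid, cap };
    audit(t, cap);
    return 0;
}

/* Constructed scenario: a daemon (pid 4242) holding only CAP_NET_ADMIN retries a
 * CAP_SYS_ADMIN-gated call 1000 times and keeps working. Returns audit lines. */
int run_scenario(int dedup) {
    struct task d = { 4242, 1ULL << CAP_NET_ADMIN };
    seen_n = 0; audit_lines = 0;
    for (int i = 0; i < 1000; i++)
        (void)(dedup ? capable_log_once(&d, CAP_SYS_ADMIN)
                     : capable_log_all(&d, CAP_SYS_ADMIN));
    return audit_lines;
}

int main(void) {
    int noisy = run_scenario(0), quiet = run_scenario(1);
    printf("log-all: %d lines, log-once: %d line\n", noisy, quiet);
    return 0;
}
```

The constructed daemon keeps running after the denied check, which is the case Thomas asks about: a program that probes for a capability and works without it.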


