[rsbac] Strange random errors

Rafal Bisingier ravbc at man.poznan.pl
Fri Jun 24 11:53:49 CEST 2005


On Fri, Jun 24, 2005 at 10:57:36AM +0200, Amon Ott wrote:
> On Freitag 24 Juni 2005 10:32, Rafal Bisingier wrote:
> > I'm using
> > http://fixed.rsbac.mprivacy-update.de/linux-2.6.11-rsbac-v1.2.4-pax-20050613.tar.bz2
> > compiled without symlink redirection, but quite often I observe
> > problems running different programs. There are two types of errors.
> > First ends with plain "memory fault", or "segmentation fault" and a program
> 
> Do you use RSBAC User Management?

Yes.

> > crash, the second is: "Inconsistency detected by ld.so: rtld.c: 1075: dl_main:
> > Assertion `_rtld_local._dl_rtld_map.l_libname' failed!"
> 
> Never seen this message before. Does this also happen with PaX 
> disabled?

I had to check it, but it never happens with Maintenance kernel.

> > BTW: I tried to use FF module. I wanted to set execute_only flag
> > on some files, but then on every exec I got an error for READ
> > request not granted by FF (behaviour of FF module is correct, but why
> > I need read right to just run a program?)
> 
> All scripts first start the interpreter, which then READs the script 
> to interpret it. execute_only only works for binaries. Please try the 
> file utility, then you will see how many programs are scripts.

This was a binary file.

> > One more thing with the FF module (make it a feature request):
> > I'd like to have FF++ module with rights changed to 2-bits with the
> > meaning:
> > 0 - no access of this type
> > 1 - only this type access
> > 2 - inherit this type right
> > 3 - grant access of this type
> > I think this would make FF module much more useful. ;-)
> > I would do this myself, but my programming skills are too low :-(
> > I know there is enough work with 1.2.5 currently, but maybe in 1.2.6
> > this could be done... ;-)
> 
> Mind making a list of what accesses you would like to see controlled 
> in this way? Default would be 2 for most rights, root dir default 3.

Do you mean what flags should be 2bit? READ, WRITE, EXECUTE, SEARCH,
APPEND, and maybe MOUNT, CREATE and DELETE and metaright FOPEN
(applicable for dirs only, meaning that files in it can/not be opened).
For all these flags default would be exactly as you said.

FF this way can be used to globally control for example execution
without the need for identifying scripts, and (with flags set on dirs)
without problems on program updates (no inode change).

BTW: If I change (e.g. replace) some file with extra rights set (so the
new file gets default rights) are the RSBAC entries for the removed inode
also removed? I mean: there is no possibility, that creating a file on
inode which in the past had some extra rights applied will grant those
rights to this new file also? I don't think this can be true, but just
want to check it (I didn't find anything about it in the docs).

BTW2: Who to write to if I'd have some docs updates (even really small
ones)?

-- 
Rafal Bisingier
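
The two-bit flag scheme proposed in the message above, sketched as an added example; it is not part of the original post and not RSBAC code. The record layout, bit positions, parent-walk inheritance and the reading of value 1 as "this type excludes all other types" are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Two-bit values exactly as listed in the post. */
enum ff2_val { FF2_NONE = 0, FF2_ONLY = 1, FF2_INHERIT = 2, FF2_GRANT = 3 };
/* Some request types named in the post; the bit positions are assumed. */
enum ff2_req { FF2_READ, FF2_WRITE, FF2_EXECUTE, FF2_SEARCH, FF2_APPEND, FF2_NREQ };
#define FF2_ALL_INHERIT 0xAAAAAAAAu /* every 2-bit field = 2 */
#define FF2_ALL_GRANT   0xFFFFFFFFu /* every 2-bit field = 3 (root default) */

struct ff2_node {                   /* hypothetical per-object record */
    const struct ff2_node *parent;  /* NULL at the root directory */
    uint32_t flags;                 /* 2 bits per request type */
};

static uint32_t ff2_set(uint32_t f, enum ff2_req r, enum ff2_val v) {
    return (f & ~(3u << (2 * r))) | ((uint32_t)v << (2 * r));
}

/* Walk towards the root until the field is no longer "inherit". */
static enum ff2_val ff2_effective(const struct ff2_node *n, enum ff2_req r) {
    for (; n != NULL; n = n->parent) {
        enum ff2_val v = (enum ff2_val)((n->flags >> (2 * r)) & 3u);
        if (v != FF2_INHERIT)
            return v;
    }
    return FF2_GRANT;               /* root left at "inherit": use root default */
}

/* 1 = allowed. Assumed: "only" on another type excludes this request. */
static int ff2_check(const struct ff2_node *n, enum ff2_req r) {
    if (ff2_effective(n, r) == FF2_NONE)
        return 0;
    for (int o = 0; o < FF2_NREQ; o++)
        if (o != (int)r && ff2_effective(n, (enum ff2_req)o) == FF2_ONLY)
            return 0;
    return 1;
}

/* Constructed tree: / (grant all) -> dir (EXECUTE = only) -> file (inherit). */
int ff2_demo(enum ff2_req r) {
    struct ff2_node root = { NULL, FF2_ALL_GRANT };
    struct ff2_node dir  = { &root, ff2_set(FF2_ALL_INHERIT, FF2_EXECUTE, FF2_ONLY) };
    struct ff2_node file = { &dir, FF2_ALL_INHERIT };
    return ff2_check(&file, r);
}

int main(void) { return ff2_demo(FF2_EXECUTE) ? 0 : 1; }
```

Because the file record stays at "inherit", replacing the file leaves the policy on the directory intact, which is the update case the message describes.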