[rsbac] Strange random errors

Amon Ott ao at rsbac.org
Fri Jun 24 12:23:38 CEST 2005 

On Freitag 24 Juni 2005 11:53, Rafal Bisingier wrote:
> On Fri, Jun 24, 2005 at 10:57:36AM +0200, Amon Ott wrote:
> > On Freitag 24 Juni 2005 10:32, Rafal Bisingier wrote:
> > > I'm using
> > > 
> > 
http://fixed.rsbac.mprivacy-update.de/linux-2.6.11-rsbac-v1.2.4-pax-20050613.tar.bz2
> > > compiled without symlink redirection, but quite offten I obseve
> > > problems running different programs. There are two type of 
errors. 
> > First
> > > ends with plain "memory fault", or "segmetation fault" and a 
program
> > 
> > Do you use RSBAC User Management?
> 
> Yes.

It might be related to that. Does "id -G <username>" work?
 
> > > crash, the second is: "Inconsistency detected by ld.so: rtld.c: 
> > 1075: dl_main:
> > > Assertion `_rtld_local._dl_rtld_map.l_libname' failed!"
> > 
> > Never seen this message before. Does this also happen with PaX 
> > disabled?
> 
> I had to check it, but it never happens with Maintenance kernel.

Only trying to weed out other reasons. Hmm, no idea now.
 
> > > BTW: I tried to use FF module. I wanted to set execute_only flag
> > > on some files, but then on every exec I got an error for READ
> > > request not granted by FF (behaviour of FF module is corect, but 
why 
> > I
> > > need read right to just run a progam?)
> > 
> > All scripts first start the interpreter, which then READs the 
script 
> > to interpret it. execute_only only works for binaries. Please try 
the 
> > file utility, then you will see how many programs are scripts.
> 
> This was a binary file.

Hmm. It should not need to READ itself. Or does it READ something else 
in the dir?
 
> > > One more thing with the FF module (make it a feature request):
> > > I'd like to have FF++ module with rights changed to 2-bits with 
the
> > > meaning:
> > > 0 - no access of this type
> > > 1 - only this type access
> > > 2 - inherit this type right
> > > 3 - grant access of this type
> > > I think this would make FF module much more usefull. ;-)
> > > I would do this myself, but my programing skills are too low :-(
> > > I know there is enough work with 1.2.5 currently, but maybe in 
1.2.6
> > > this could be done... ;-)
> > 
> > Mind making a list of what accesses you would like to see 
controlled 
> > in this way? Default would be 2 for most rights, root dir default 
3.
> 
> Do you mean what flags should be 2bit? READ, WRITE, EXECUTE, SEARCH,
> APPEND, and maybe MOUNT, CREATE and DELETE and metaright FOPEN
> (applicable for dirs only, meaning that files in it can/not be 
opened)
> For all this flags default would be exactly as you said.

This was the list, yes.
 
> BTW: If I change (eg. replace) some file with extra rights set (so 
the
> new file gets default rights) are the RSBAC entries for the romeved 
inode
> also removed? I mean: there is no possibility, that creating a file 
on
> inode which in the past had some extra rights applied will grant 
those
> rights to this new file also? I don't think this can be true, but 
just
> want to check it (I didn't found anything about it in the docs).

If you remove an inode, all associated attributes get removed, too. If 
you only overwrite a file, it is each module's responsibility to act 
accordingly.
 
> BTW2: Who to write to if I'd have some docs updates (even realy 
small
> ones)?

Please ask kang at rsbac.org for a Wiki account and change the docs 
yourself.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list