[rsbac] log msg

Andrea Pasquinucci cesare at ucci.it
Wed May 4 11:04:47 CEST 2005


On Wed, May 04, 2005 at 10:38:08AM +0200, Amon Ott wrote:
* On Wednesday 04 May 2005 10:08, Andrea Pasquinucci wrote:
* > I found this message in my log and I would like to understand what it
* > means (i.e. the 'UNDEFINED'), and if the related request has been
* > denied or accepted.
* >
* > kernel: rsbac_adf_request(): request CHANGE_DAC_FS_GROUP, pid 3717,
* > ppid 3674, prog_name su, prog_file /bin/su, uid 500, audit_uid 500,
* > target_type PROCESS, tid 3717, attr owner, value 0, result UNDEFINED
* > by ADF
*
* The combination of request and target type is invalid and thus has
* been rejected by ADF. Access has not been granted.
*
* There is a small bug in rsbac/adf/adf_check.c: The #ifdef is wrong.
* You probably have DAC owner check disabled, but DAC group check
* enabled.

Uhmm, do you mean this:

#
# AUTH Policy Options
#
CONFIG_RSBAC_AUTH_AUTH_PROT=y
CONFIG_RSBAC_AUTH_DAC_OWNER=y
# CONFIG_RSBAC_AUTH_GROUP is not set
CONFIG_RSBAC_AUTH_LEARN=y
CONFIG_RSBAC_ACL=y

#
# Other RSBAC options
#
CONFIG_RSBAC_SECDEL=y
CONFIG_RSBAC_RW=y
CONFIG_RSBAC_IPC_SEM=y
CONFIG_RSBAC_DAC_OWNER=y
CONFIG_RSBAC_DAC_GROUP=y

I guess part of the problem is that CONFIG_RSBAC_AUTH_GROUP is not set
whereas CONFIG_RSBAC_DAC_GROUP=y.

Andrea

* 
* Bugfix is attached.
* 
* Amon.
* -- 
* http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

--
Andrea Pasquinucci                     cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2
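
Added example (not part of the original message and not RSBAC project code): a small Python parser for the rsbac_adf_request() log line quoted above. It counts the requests that ADF answered with UNDEFINED, which the reply explains is an invalid request/target type combination that was not granted. The second sample line, and the NOT_GRANTED result name in it, are constructed for illustration.

```python
import re
from collections import Counter

MARKER = "rsbac_adf_request(): "

# Constructed sample input: the log line from the thread rejoined onto one
# line, plus one made-up line with a different result for contrast.
SAMPLE_LINES = [
    "kernel: rsbac_adf_request(): request CHANGE_DAC_FS_GROUP, pid 3717, "
    "ppid 3674, prog_name su, prog_file /bin/su, uid 500, audit_uid 500, "
    "target_type PROCESS, tid 3717, attr owner, value 0, "
    "result UNDEFINED by ADF",
    "kernel: rsbac_adf_request(): request CHANGE_OWNER, pid 4001, "
    "ppid 3674, prog_name su, prog_file /bin/su, uid 500, audit_uid 500, "
    "target_type PROCESS, tid 4001, attr owner, value 0, "
    "result NOT_GRANTED by AUTH",
    "kernel: eth0: link up",  # unrelated kernel message, must be skipped
]


def parse_adf_line(line):
    """Return the fields of an rsbac_adf_request() line as a dict, else None."""
    start = line.find(MARKER)
    if start < 0:
        return None
    fields = {}
    # Fields are "key value" pairs separated by ", ".
    for part in line[start + len(MARKER):].strip().split(", "):
        key, _, value = part.partition(" ")
        fields[key] = value
    # The last field reads "result <RESULT> by <module(s)>": split it up.
    m = re.fullmatch(r"(\S+) by (.+)", fields.get("result", ""))
    if m is None:
        return None
    fields["result"], fields["decided_by"] = m.group(1), m.group(2)
    return fields


def invalid_combinations(lines):
    """Count UNDEFINED results per (request, target_type, prog_file)."""
    counts = Counter()
    for line in lines:
        f = parse_adf_line(line)
        if f and f["result"] == "UNDEFINED":
            counts[(f.get("request"), f.get("target_type"), f.get("prog_file"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for combo, n in invalid_combinations(SAMPLE_LINES).items():
        print(n, "rejected as invalid request/target combination:", combo)
```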