[rsbac] log msg

Amon Ott ao at rsbac.org
Wed May 4 11:17:46 CEST 2005


On Wednesday 04 May 2005 11:04, Andrea Pasquinucci wrote:
> On Wed, May 04, 2005 at 10:38:08AM +0200, Amon Ott wrote:
> * On Wednesday 04 May 2005 10:08, Andrea Pasquinucci wrote:
> * > I found this message in my log and I would like to understand what it
> * > means (i.e. the 'UNDEFINED'), and if the related request has been denied
> * > or accepted.
> * >
> * > kernel: rsbac_adf_request(): request CHANGE_DAC_FS_GROUP, pid 3717, ppid 3674, prog_name su, prog_file /bin/su, uid 500, audit_uid 500, target_type PROCESS, tid 3717, attr owner, value 0, result UNDEFINED by ADF
> *
> * The combination of request and target type is invalid and thus has
> * been rejected by ADF. Access has not been granted.
> *
> * There is a small bug in rsbac/adf/adf_check.c: The #ifdef is wrong.
> * You probably have DAC owner check disabled, but DAC group check
> * enabled.
>
> Uhmm, do you mean this:
> 
> #
> # AUTH Policy Options
> #
> CONFIG_RSBAC_AUTH_AUTH_PROT=y
> CONFIG_RSBAC_AUTH_DAC_OWNER=y
> # CONFIG_RSBAC_AUTH_GROUP is not set
> CONFIG_RSBAC_AUTH_LEARN=y
> CONFIG_RSBAC_ACL=y
> 
> #
> # Other RSBAC options
> #
> CONFIG_RSBAC_SECDEL=y
> CONFIG_RSBAC_RW=y
> CONFIG_RSBAC_IPC_SEM=y
> CONFIG_RSBAC_DAC_OWNER=y
> CONFIG_RSBAC_DAC_GROUP=y
> 
> I guess part of the problem is that CONFIG_RSBAC_AUTH_GROUP is not set
> whereas CONFIG_RSBAC_DAC_GROUP=y

Ok, I must reinvestigate. AUTH should never return UNDEFINED, though, 
and your log said that ADF found the mismatch.

Argh, found it. "attr owner" - it must be "attr group". I know that I 
have corrected this bug somewhere in kernel/sys.c. What kernel 
version are you using?

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
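
Added example, not part of the original message and not RSBAC code: a small log triage script that parses `rsbac_adf_request()` lines in the format quoted above, flags `UNDEFINED` results (rejected, per the reply) and flags a `CHANGE_DAC_FS_GROUP` request logged with an attribute other than `group`. The second and third sample lines, the `GRANTED` result value and all function names are assumptions made for the illustration.

```python
MARKER = "rsbac_adf_request(): "

# Constructed sample: line 1 is the entry quoted in the thread, line 2 is a
# made-up entry with the corrected attribute, line 3 is unrelated noise.
SAMPLE_LOG = """\
kernel: rsbac_adf_request(): request CHANGE_DAC_FS_GROUP, pid 3717, ppid 3674, prog_name su, prog_file /bin/su, uid 500, audit_uid 500, target_type PROCESS, tid 3717, attr owner, value 0, result UNDEFINED by ADF
kernel: rsbac_adf_request(): request CHANGE_DAC_FS_GROUP, pid 3720, ppid 3674, prog_name su, prog_file /bin/su, uid 500, audit_uid 500, target_type PROCESS, tid 3720, attr group, value 0, result GRANTED by ADF
kernel: eth0: link up
"""

def parse_adf_line(line):
    """Split one rsbac_adf_request() log line into a dict, or return None."""
    _, found, body = line.partition(MARKER)
    if not found:
        return None
    fields = {}
    for item in body.strip().split(", "):
        key, _, value = item.partition(" ")   # "pid 3717" -> pid, 3717
        fields[key] = value
    # "UNDEFINED by ADF" -> the decision and the component that made it
    decision, _, module = fields.get("result", "").partition(" by ")
    fields["result"], fields["decided_by"] = decision, module
    return fields

def triage(fields):
    """Return findings for one parsed entry, based on the points in the thread."""
    findings = []
    if fields["result"] == "UNDEFINED":
        findings.append("invalid request/target combination, access not granted")
    if fields.get("request") == "CHANGE_DAC_FS_GROUP" and fields.get("attr") != "group":
        findings.append("attr %r logged for a group request, expected 'group'"
                        % fields.get("attr"))
    return findings

def scan(text):
    """Return (pid, prog_file, findings) for every entry that needs attention."""
    hits = []
    for line in text.splitlines():
        fields = parse_adf_line(line)
        if fields is None:
            continue                          # not an ADF request line
        findings = triage(fields)
        if findings:
            hits.append((fields.get("pid"), fields.get("prog_file"), findings))
    return hits

if __name__ == "__main__":
    for pid, prog, findings in scan(SAMPLE_LOG):
        print(pid, prog, "; ".join(findings))
```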

