[rsbac] log msg

Andrea Pasquinucci cesare at ucci.it
Wed May 4 11:48:34 CEST 2005


On Wed, May 04, 2005 at 11:17:46AM +0200, Amon Ott wrote:
* On Wednesday 04 May 2005 11:04, Andrea Pasquinucci wrote:
* > On Wed, May 04, 2005 at 10:38:08AM +0200, Amon Ott wrote:
* > * On Wednesday 04 May 2005 10:08, Andrea Pasquinucci wrote:
* > * > I found this message in my log and I would like to understand what it
* > * > means (i.e. the 'UNDEFINED'), and if the related request has been denied
* > * > or accepted.
* > * > 
* > * > kernel: rsbac_adf_request(): request CHANGE_DAC_FS_GROUP, pid 3717, ppid
* > * > 3674, prog_name su, prog_file /bin/su, uid 500, audit_uid 500,
* > * > target_type PROCESS, tid 3717, attr owner, value 0, result UNDEFINED by
* > * > ADF
* > * 
* > * The combination of request and target type is invalid and thus has 
* > * been rejected by ADF. Access has not been granted.
* > * 
* > * There is a small bug in rsbac/adf/adf_check.c: The #ifdef is wrong.
* > * You probably have DAC owner check disabled, but DAC group check 
* > * enabled.
* > 
* > Uhmm, do you mean this:
* > 
* > #
* > # AUTH Policy Options
* > #
* > CONFIG_RSBAC_AUTH_AUTH_PROT=y
* > CONFIG_RSBAC_AUTH_DAC_OWNER=y
* > # CONFIG_RSBAC_AUTH_GROUP is not set
* > CONFIG_RSBAC_AUTH_LEARN=y
* > CONFIG_RSBAC_ACL=y
* > 
* > #
* > # Other RSBAC options
* > #
* > CONFIG_RSBAC_SECDEL=y
* > CONFIG_RSBAC_RW=y
* > CONFIG_RSBAC_IPC_SEM=y
* > CONFIG_RSBAC_DAC_OWNER=y
* > CONFIG_RSBAC_DAC_GROUP=y
* > 
* > I guess part of the problem is that CONFIG_RSBAC_AUTH_GROUP is not set
* > whereas CONFIG_RSBAC_DAC_GROUP=y
* 
* Ok, I must reinvestigate. AUTH should never return UNDEFINED, though, 
* and your log said that ADF found the mismatch.
* 
* Argh, found it. "attr owner" - it must be "attr group". I know that I 
* have corrected this bug somewhere in kernel/sys.c. What kernel 
* version are you using?

Latest seems to me:

http://fixed.rsbac.mprivacy-update.de/linux-2.6.11-rsbac-v1.2.4-pax-20050412.tar.bz2

--
Andrea Pasquinucci                     cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2
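
The log line discussed in this thread can be checked mechanically. The following is an added example, not part of the original message and not RSBAC project code: it splits an `rsbac_adf_request()` line into fields and reports the two conditions named above (result UNDEFINED means the request was rejected, and a group request logged with "attr owner"). The function names and the rule that any request ending in `_GROUP` should carry "attr group" are assumptions made for this illustration.

```python
import re

# Constructed sample: the log line quoted in the thread, joined onto one line.
SAMPLE = ("kernel: rsbac_adf_request(): request CHANGE_DAC_FS_GROUP, pid 3717, "
          "ppid 3674, prog_name su, prog_file /bin/su, uid 500, audit_uid 500, "
          "target_type PROCESS, tid 3717, attr owner, value 0, "
          "result UNDEFINED by ADF")

_PREFIX = re.compile(r"rsbac_adf_request\(\):\s*(.*)$")
_RESULT = re.compile(r"^result (\S+) by (.+)$")


def parse_adf_line(line):
    """Split an rsbac_adf_request() log line into a dict, or return None."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group(1).split(", "):
        part = part.strip()
        r = _RESULT.match(part)
        if r:
            # "result UNDEFINED by ADF" -> result and the deciding module
            fields["result"], fields["decided_by"] = r.group(1), r.group(2)
        elif " " in part:
            # every other field is "<name> <value>"
            key, value = part.split(" ", 1)
            fields[key] = value
    return fields


def review(fields):
    """Return findings for one parsed line, using the rules from the thread."""
    findings = []
    if fields.get("result") == "UNDEFINED":
        # Per the reply above: invalid request/target combination, not granted.
        findings.append("denied: invalid request/target combination")
    # Assumption: a request named *_GROUP should be logged with "attr group".
    if fields.get("request", "").endswith("_GROUP") and fields.get("attr") == "owner":
        findings.append("attr mismatch: group request logged with attr owner")
    return findings


if __name__ == "__main__":
    for finding in review(parse_adf_line(SAMPLE)):
        print(finding)
```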