[rsbac] log msg
Andrea Pasquinucci
cesare at ucci.it
Wed May 4 11:48:34 CEST 2005
On Wed, May 04, 2005 at 11:17:46AM +0200, Amon Ott wrote:
* On Mittwoch 04 Mai 2005 11:04, Andrea Pasquinucci wrote:
* > On Wed, May 04, 2005 at 10:38:08AM +0200, Amon Ott wrote:
* > * On Mittwoch 04 Mai 2005 10:08, Andrea Pasquinucci wrote:
* > * > I found this message in my log and I would like to unserstand
* what
* > * it
* > * > means (i.e. the 'UNDEFINED'), and if the related request has
* been
* > * denied
* > * > or accepted.
* > * >
* > * > kernel: rsbac_adf_request(): request CHANGE_DAC_FS_GROUP, pid
* 3717,
* > * ppid
* > * > 3674, prog_name su, prog_file /bin/su, uid 500, audit_uid 500,
* > * > target_type PROCESS, tid 3717, attr owner, value 0, result
* UNDEFINED
* > * by
* > * > ADF
* > *
* > * The combination of request and target type is invalid and thus has
* > * been rejected by ADF. Access has not been granted.
* > *
* > * There is a small bug in rsbac/adf/adf_check.c: The #ifdef is
* wrong.
* > * You probably have DAC owner check disabled, but DAC group check
* > * enabled.
* >
* > Uhmm, do you mean this:
* >
* > #
* > # AUTH Policy Options
* > #
* > CONFIG_RSBAC_AUTH_AUTH_PROT=y
* > CONFIG_RSBAC_AUTH_DAC_OWNER=y
* > # CONFIG_RSBAC_AUTH_GROUP is not set
* > CONFIG_RSBAC_AUTH_LEARN=y
* > CONFIG_RSBAC_ACL=y
* >
* > #
* > # Other RSBAC options
* > #
* > CONFIG_RSBAC_SECDEL=y
* > CONFIG_RSBAC_RW=y
* > CONFIG_RSBAC_IPC_SEM=y
* > CONFIG_RSBAC_DAC_OWNER=y
* > CONFIG_RSBAC_DAC_GROUP=y
* >
* > I guess part of the problem is that CONFIG_RSBAC_AUTH_GROUP is not
* set
* > whereas CONFIG_RSBAC_DAC_GROUP=y
*
* Ok, I must reinvestigate. AUTH should never return UNDEFINED, though,
* and your log said that ADF found the mismatch.
*
* Argh, found it. "attr owner" - it must be "attr group". I know that I
* have corrected this bug somewhere in kernel/sys.c. What kernel
* version are you using?
Latest seems to me:
http://fixed.rsbac.mprivacy-update.de/linux-2.6.11-rsbac-v1.2.4-pax-20050412.tar.bz2
--
Andrea Pasquinucci cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F CCBB CB51 2983 6494 0DA2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://rsbac.dyndns.org/pipermail/rsbac/attachments/20050504/2f75a40f/attachment.bin
More information about the rsbac
mailing list