[rsbac] upgrade to 1.2.5

Andrea Pasquinucci cesare at ucci.it
Fri Nov 18 10:28:54 CET 2005


I now ask for a suggestion: by enabling rsbac_debug_adf_rc I found the 
following:


Fri Nov 18 09:58:09 2005 :<7>0000000069|check_comp_rc_scd(): pid 333 
(udev), owner 0, rc_role 0, scd_type 15, request GET_STATUS_DATA -> 
NOT_GRANTED!
Fri Nov 18 09:58:09 2005 :<6>0000000070|rsbac_adf_request(): request 
GET_STATUS_DATA, pid 333, ppid 4, prog_name udev, prog_file /bin/udev, 
uid 0, target_type SCD, tid sysfs, attr owner, value 0, result 
NOT_GRANTED by RC


Fri Nov 18 09:58:42 2005 :<7>0000000199|check_comp_rc_scd(): pid 2146 
(dmidecode), owner 0, rc_role 999999, scd_type 11, request 
GET_STATUS_DATA -> NOT_GRANTED!
Fri Nov 18 09:58:42 2005 :<6>0000000200|rsbac_adf_request(): request 
GET_STATUS_DATA, pid 2146, ppid 2145, prog_name dmidecode, prog_file 
/usr//sbin/dmidecode, uid 0, target_type SCD, tid kmem, attr none, value 
none, result NOT_GRANTED by RC

(scd_type 15=sysfs, scd_type 11=kmem)

Notice that udev runs with 'rc_role 0=General_User' and I guess that it 
is due to the complicated procedure with which it is started from 
/etc/rc.d/rc.sysinit => /sbin/start_udev => /sbin/udevstart => ... which 
makes it lose the System_Boot role. [On top of that, /bin/udev does not 
exist, it is /sbin/udev ??]


Anyway, for both udev and dmidecode it _seems_ that the error does not 
prevent them from working normally so I was thinking _not_ to allow these 2 
GET_STATUS_DATA. Do you think that it is better that I allow them 
instead?  Thanks

Andrea


PS. In the normal error message, could you also add the 'rc_role'? It 
is the only info missing.



On Fri, Nov 18, 2005 at 09:06:39AM +0100, Amon Ott wrote:
*
* Please enable rsbac_debug_adf_rc to see all roles and types involved, 
* just add this kernel parameter when booting.
* 
* Amon.
* -- 
* http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

-- 
--
Andrea Pasquinucci                     cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2
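
The debug output quoted in this message comes in pairs: a check_comp_rc_scd() line carrying the rc_role, then the rsbac_adf_request() denial for the same pid carrying prog_file and tid. The sketch below joins the two so each denial is listed with its role. It is an added example, not part of the original post and not RSBAC tooling; the regular expressions assume the field order of the four records quoted above (here with the e-mail line wrapping undone), and `summarize_denials` is a hypothetical name.

```python
import re
from collections import Counter

# The four records quoted in the message, rejoined onto single lines.
SAMPLE_LOG = """\
Fri Nov 18 09:58:09 2005 :<7>0000000069|check_comp_rc_scd(): pid 333 (udev), owner 0, rc_role 0, scd_type 15, request GET_STATUS_DATA -> NOT_GRANTED!
Fri Nov 18 09:58:09 2005 :<6>0000000070|rsbac_adf_request(): request GET_STATUS_DATA, pid 333, ppid 4, prog_name udev, prog_file /bin/udev, uid 0, target_type SCD, tid sysfs, attr owner, value 0, result NOT_GRANTED by RC
Fri Nov 18 09:58:42 2005 :<7>0000000199|check_comp_rc_scd(): pid 2146 (dmidecode), owner 0, rc_role 999999, scd_type 11, request GET_STATUS_DATA -> NOT_GRANTED!
Fri Nov 18 09:58:42 2005 :<6>0000000200|rsbac_adf_request(): request GET_STATUS_DATA, pid 2146, ppid 2145, prog_name dmidecode, prog_file /usr//sbin/dmidecode, uid 0, target_type SCD, tid kmem, attr none, value none, result NOT_GRANTED by RC
"""

# Debug line (rsbac_debug_adf_rc): the only place the rc_role appears.
RC_CHECK = re.compile(
    r"check_comp_rc_scd\(\): pid (?P<pid>\d+) \([^)]*\), owner \d+, "
    r"rc_role (?P<role>\d+), scd_type \d+, request (?P<req>\w+) -> NOT_GRANTED")
# Normal denial line: program file, target and deciding module, but no role.
ADF_DENY = re.compile(
    r"rsbac_adf_request\(\): request (?P<req>\w+), pid (?P<pid>\d+), .*?"
    r"prog_file (?P<file>[^,]+), .*?target_type (?P<ttype>\w+), "
    r"tid (?P<tid>[^,]+), .*result NOT_GRANTED by (?P<module>\w+)")


def summarize_denials(log_text):
    """Count denials keyed by (prog_file, rc_role, target_type, tid, request, module)."""
    pending = {}        # (pid, request) -> rc_role taken from the debug line
    summary = Counter()
    for line in log_text.splitlines():
        m = RC_CHECK.search(line)
        if m:
            pending[(m["pid"], m["req"])] = int(m["role"])
            continue
        m = ADF_DENY.search(line)
        if m:
            # rc_role is None when no debug line preceded this denial.
            role = pending.pop((m["pid"], m["req"]), None)
            summary[(m["file"], role, m["ttype"], m["tid"],
                     m["req"], m["module"])] += 1
    return summary


if __name__ == "__main__":
    for key, count in summarize_denials(SAMPLE_LOG).items():
        prog, role, ttype, tid, req, module = key
        print(f"{count}x {prog} rc_role={role} {ttype}:{tid} {req} denied by {module}")
```
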