[rsbac] upgrade to 1.2.5
Andrea Pasquinucci
cesare at ucci.it
Fri Nov 18 10:28:54 CET 2005
I now ask for a suggestion: by enabling rsbac_debug_adf_rc I found the
following:
Fri Nov 18 09:58:09 2005 :<7>0000000069|check_comp_rc_scd(): pid 333
(udev), owner 0, rc_role 0, scd_type 15, request GET_STATUS_DATA ->
NOT_GRANTED!
Fri Nov 18 09:58:09 2005 :<6>0000000070|rsbac_adf_request(): request
GET_STATUS_DATA, pid 333, ppid 4, prog_name udev, prog_file /bin/udev,
uid 0, target_type SCD, tid sysfs, attr owner, value 0, result
NOT_GRANTED by RC
Fri Nov 18 09:58:42 2005 :<7>0000000199|check_comp_rc_scd(): pid 2146
(dmidecode), owner 0, rc_role 999999, scd_type 11, request
GET_STATUS_DATA -> NOT_GRANTED!
Fri Nov 18 09:58:42 2005 :<6>0000000200|rsbac_adf_request(): request
GET_STATUS_DATA, pid 2146, ppid 2145, prog_name dmidecode, prog_file
/usr//sbin/dmidecode, uid 0, target_type SCD, tid kmem, attr none, value
none, result NOT_GRANTED by RC
(scd_type 15=sysfs, scd_type 11=kmem)
Notice that udev runs with 'rc_role 0=General_User' and I guess that it
is due to the complicated procedure with which it is started from
/etc/rc.d/rc.sysinit => /sbin/start_udev => /sbin/udevstart => ... which
makes it lose the System_Boot role. [On top of that, /bin/udev does not
exist, it is /sbin/udev ??]
Anyway, for both udev and dmidecode it _seems_ that the error does not
prevent them from working normally so I was thinking _not_ to allow these 2
GET_STATUS_DATA. Do you think that it is better that instead I allow
them? Thanks
Andrea
PS. In the normal error message, could you also add the 'rc_role'? It
is the only info missing.
On Fri, Nov 18, 2005 at 09:06:39AM +0100, Amon Ott wrote:
*
* Please enable rsbac_debug_adf_rc to see all roles and types involved,
* just add this kernel parameter when booting.
*
* Amon.
* --
* http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
--
Andrea Pasquinucci cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F CCBB CB51 2983 6494 0DA2
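
Added example (not part of the original message and not RSBAC code): the normal rsbac_adf_request() line lacks the rc_role, so this Python script rejoins the wrapped records and attaches rc_role and scd_type from each check_comp_rc_scd() debug line to the request line with the same pid and request. It assumes, as in the excerpt above, that the debug line precedes its request line; the function and field names are hypothetical.

```python
import re

# Log excerpt copied from the message above, hard-wrapped as the mail shows it.
SAMPLE = """\
Fri Nov 18 09:58:09 2005 :<7>0000000069|check_comp_rc_scd(): pid 333
(udev), owner 0, rc_role 0, scd_type 15, request GET_STATUS_DATA ->
NOT_GRANTED!
Fri Nov 18 09:58:09 2005 :<6>0000000070|rsbac_adf_request(): request
GET_STATUS_DATA, pid 333, ppid 4, prog_name udev, prog_file /bin/udev,
uid 0, target_type SCD, tid sysfs, attr owner, value 0, result
NOT_GRANTED by RC
Fri Nov 18 09:58:42 2005 :<7>0000000199|check_comp_rc_scd(): pid 2146
(dmidecode), owner 0, rc_role 999999, scd_type 11, request
GET_STATUS_DATA -> NOT_GRANTED!
Fri Nov 18 09:58:42 2005 :<6>0000000200|rsbac_adf_request(): request
GET_STATUS_DATA, pid 2146, ppid 2145, prog_name dmidecode, prog_file
/usr//sbin/dmidecode, uid 0, target_type SCD, tid kmem, attr none, value
none, result NOT_GRANTED by RC
"""

START = re.compile(r"^\w{3} \w{3} [ \d]\d [\d:]{8} \d{4} :<\d>\d+\|")
DEBUG = re.compile(r"check_comp_rc_scd\(\): pid (\d+) \(\S+\), owner \d+, "
                   r"rc_role (\d+), scd_type (\d+), request (\w+) -> NOT_GRANTED")
REQUEST = re.compile(r"rsbac_adf_request\(\): request (\w+), pid (\d+), ppid \d+, "
                     r"prog_name (\S+), prog_file (\S+), uid \d+, target_type (\w+), "
                     r"tid (\S+), attr \S+, value \S+, result NOT_GRANTED by (\w+)")

def unwrap(text):
    """Rejoin records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def denials(text):
    """Attach rc_role from each RC debug line to the request line for the same pid."""
    pending, out = {}, []  # pending: (pid, request) -> (rc_role, scd_type)
    for rec in unwrap(text):
        if m := DEBUG.search(rec):
            pending[(m[1], m[4])] = (int(m[2]), int(m[3]))
        elif m := REQUEST.search(rec):
            role, scd = pending.pop((m[2], m[1]), (None, None))
            out.append({"prog": m[3], "file": m[4], "pid": int(m[2]), "request": m[1],
                        "target": f"{m[5]}:{m[6]}", "module": m[7],
                        "rc_role": role, "scd_type": scd})
    return out
```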