[rsbac] Can't manage to authorize IPC RECEIVE in RC module

Colin Pitrat colin.pitrat at bull.net
Tue Nov 28 15:10:39 CET 2006


I answered too fast. I now have another problem. I get the following line:
check_comp_rc(): pid 30144 (ls), owner 0, rc_role 0, PROCESS rc_type 5, request SEND -> NOT_GRANTED!

which is really strange as there is no process type 5:

# rc_get_item list_process_types
0 General_Process
1 Security_Proc
2 System_Process
999999 Kernel_Process

Colin Pitrat (Bull Services Telco)
Bull,  Architect of an Open World (TM)
Tél : +33 (0)  1 30 80 72 93
www.bull.com


Colin Pitrat wrote:
> 
> Thanks, the debug_adf_rc tip is really helpful! I didn't know it.
> Thanks to it, I managed to make it work.
> 
> Colin Pitrat (Bull Services Telco)
> Bull,  Architect of an Open World (TM)
> Tél : +33 (0)  1 30 80 72 93
> www.bull.com
> 
> 
> Amon Ott wrote:
>> On Dienstag 28 November 2006 12:14, Colin Pitrat wrote:
>>> I'm currently running in softmode with rsbac 1.3.0, and I get the
>>> following line in /var/log/messages.log:
>>>
>>> rsbac_adf_request(): request RECEIVE, pid 1820, ppid 1, prog_name syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, target_type IPC, tid AnonUnix-ID 29332, attr process, value 21770, result NOT_GRANTED (Softmode) by RC
>>>
>>> I tried to set RECEIVE for the IPC type I supposed to be concerned for
>>> the supposed role, but it didn't work. So I tried to turn it on for
>>> every IPC type for every role (yeah I know, but I'm just testing for now
>>> ;) ) and it still doesn't work. What did I do wrong?
>>
>> Did you enable partner process checking in kernel config?
>> "RC check access to UNIX partner process".
>> If yes, there is an additional check against the partner process RC type.
>>
>> Please enable RC debugging as secoff with
>> echo debug_adf_rc 1 >/proc/rsbac-info/debug
>> to see which roles and types are involved. You can also use 
>> rsbac_debug_adf_rc kernel parameter.
>>
>> Amon.
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
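
An added example, not part of the original messages or of the RSBAC tools: a short Python script that cross-checks the rc_type reported in check_comp_rc() denial lines against the `rc_get_item list_process_types` listing, using the line and the listing quoted in the message above. The regular expression assumes other denial lines share the layout of that one line, the function names are hypothetical, and the second log line is constructed.

```python
import re
from collections import Counter

# Pattern modelled on the single check_comp_rc() line quoted in the message;
# that other denial lines share this layout is an assumption.
DENIAL_RE = re.compile(
    r"check_comp_rc\(\): pid (?P<pid>\d+) \((?P<prog>[^)]*)\), owner (?P<owner>\d+), "
    r"rc_role (?P<role>\d+), (?P<target>\w+) rc_type (?P<rc_type>\d+),\s+"
    r"request (?P<request>\w+) -> NOT_GRANTED"
)
TYPE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

def parse_types(listing):
    """Parse `rc_get_item list_process_types` output into {id: name}."""
    matches = (TYPE_RE.match(line) for line in listing.splitlines())
    return {int(m.group(1)): m.group(2) for m in matches if m}

def parse_denials(log_text):
    """Return one dict per RC denial; lines wrapped after a comma are rejoined."""
    joined = re.sub(r",\s*\n\s*", ", ", log_text)
    out = []
    for m in DENIAL_RE.finditer(joined):
        d = m.groupdict()
        d.update({k: int(d[k]) for k in ("pid", "owner", "role", "rc_type")})
        out.append(d)
    return out

def summarize(denials, process_types):
    """Count (role, target, type, request) tuples; list unlisted PROCESS types."""
    counts = Counter((d["role"], d["target"], d["rc_type"], d["request"]) for d in denials)
    unknown = sorted({d["rc_type"] for d in denials
                      if d["target"] == "PROCESS" and d["rc_type"] not in process_types})
    return counts, unknown

TYPES = """0 General_Process
1 Security_Proc
2 System_Process
999999 Kernel_Process"""
# The first entry is the line from the message; the second entry is constructed.
LOG = """check_comp_rc(): pid 30144 (ls), owner 0, rc_role 0, PROCESS rc_type 5,
request SEND -> NOT_GRANTED!
check_comp_rc(): pid 30150 (cat), owner 0, rc_role 0, PROCESS rc_type 5, request SEND -> NOT_GRANTED!"""

if __name__ == "__main__":
    counts, unknown = summarize(parse_denials(LOG), parse_types(TYPES))
    for key, n in counts.items():
        print(n, key)
    print("process types not in list_process_types:", unknown)
```
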