[rsbac] Process targets behaving strangely

Evan Speltz saturn at nameless.mine.nu
Sun Sep 10 03:48:26 CEST 2006


On Sat, 2006-09-09 at 08:38 +0200, Amon Ott wrote:
> On Freitag 08 September 2006 23:45, Evan Speltz wrote:
> > I have a role with def_process_create_type and def_process_execute_type
> > set to a type which is not 0. However, when I try to run a program in
> > this role, I get this message:
> > 
> > rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 9106, ppid 6995,
> > prog_name bash, prog_file /bin/bash, uid 1001, remote ip 192.168.0.19,
> > target_type PROCESS, tid 9106, attr none, value none, result NOT_GRANTED
> > by RC
> > 
> > The only way to make it work is to allow MODIFY_SYSTEM_DATA for process
> > type 0, even though none of the processes in question are of type 0 (I have
> > checked to make sure of that). What is happening?
> 
> Can you please enable debug_adf_rc, e.g. as user 400
> echo "debug_adf_rc 1" >/proc/rsbac-info/debug
> and retry? It will show the roles and types involved.
> 
> Amon.

Sure.

Sat Sep  9 20:43:19 2006 :<7>0000000083|check_comp_rc(): pid 1771 (bash), owner 1001, rc_role 200, PROCESS rc_type 0, request MODIFY_SYSTEM_DATA -> NOT_GRANTED!
Sat Sep  9 20:43:19 2006 :<6>0000000084|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 1771, ppid 1770, prog_name bash, prog_file /bin/bash, uid 1001, remote ip 192.168.0.19, target_type PROCESS, tid 1809, attr none, value none, result NOT_GRANTED by RC

However, when I look at the process from rsbac_menu, it is type 8, as it
should be.


