[rsbac] granting syslog-ng the right to access /proc/rsbac-info/rmsg

Amon Ott ao at rsbac.org
Wed Jul 18 09:54:20 CEST 2007


On Wednesday 18 July 2007 09:34, Sven Seeland wrote:
> > Your "start a separate syslog under secoff credentials" is WRONG
> > IDEA! In properly configured RSBAC no daemons must run with
> > secoff privileges. You should use RC model and should create role
> > for init and grant appropriate permissions to this role.
>
> that's my thinking exactly. However, running syslog-ng under secoff
> credentials is the way it is officially documented on the RSBAC
> website
> (http://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/administration_examples/syslog-ng)
>
> And if I just have syslog-ng (which has its own RC role, by the
> way) access /proc/rsbac-info/rmsg I get errors from RC, AUTH *and*
> FF. Now, fixing the RC part is easy. But how do I fix AUTH and FF?
> I couldn't figure it out for the life of me.

AUTH and FF have hardcoded protection for RSBAC log. You can change
root's FF and AUTH roles to auditor; this is the designated role and
does not grant further rights.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

