[rsbac] granting syslog-ng the right to access /proc/rsbac-info/rmsg

sftf at yandex.ru sftf at yandex.ru
Wed Jul 18 10:30:48 CEST 2007


<6>0000036345|rsbac_adf_request(): request GET_STATUS_DATA, pid 2218, ppid 1,
prog_name syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, audit uid 400, remote 
ip 192.168.11.3, target_type SCD, tid rsbac_log, attr none, value none, result 
NOT_GRANTED (Softmode) by FF AUTH

Grant to root user (uid 0! not audit uid 400) GET_STATUS_DATA
permission to SCD rsbac_log, similar to:
for ACL module:
acl_grant -v -s USER root GET_STATUS_DATA SCD rsbac_log

for FF I don't remember, maybe:
attr_set_file_dir FF SCD bla-bla-bla....

>> Your "start a separate syslog under secoff credentials" is WRONG IDEA!
>> In properly configured RSBAC no daemons must run with secoff privileges.
>> You should use RC model and should create role for init and grant
>> appropriate permissions to this role.

SS> that's my thinking exactly. However, running syslog-ng under
SS> secoff credentials is the way it is officially documented on the
SS> RSBAC website
SS> (http://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/administration_examples/syslog-ng)

SS> And if I just have syslog-ng (which has its own RC role, by
SS> the way) access /proc/rsbac-info/rmsg I get errors from RC, AUTH
SS> *and* FF. Now, fixing the RC part is easy. But how do I fix AUTH
SS> and FF? I couldn't figure it out for the life of me.

SS> Greetings,
SS> Sven Seeland
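
An added example, not part of the original message or of the RSBAC tools: a small Python parser for the rsbac_adf_request() line quoted at the top, pulling out the uid (as opposed to the audit uid), the request, the target and the modules named after "by". The function names are hypothetical and the field layout is assumed from that one log line.

```python
import re

# Log line quoted in the message above, with the e-mail line wraps rejoined.
SAMPLE = (
    "<6>0000036345|rsbac_adf_request(): request GET_STATUS_DATA, pid 2218, "
    "ppid 1, prog_name syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, "
    "audit uid 400, remote ip 192.168.11.3, target_type SCD, tid rsbac_log, "
    "attr none, value none, result NOT_GRANTED (Softmode) by FF AUTH"
)

# Field names as they appear in that line; "audit uid" is tried before "uid".
KEYS = ["request", "pid", "ppid", "prog_name", "prog_file", "audit uid", "uid",
        "remote ip", "target_type", "tid", "attr", "value", "result"]


def parse_adf_line(text):
    """Return the fields of one rsbac_adf_request() line, or None."""
    line = " ".join(text.split())  # undo mail/terminal line wraps
    m = re.search(r"rsbac_adf_request\(\): (.*)$", line)
    if not m:
        return None
    rec = {}
    for part in m.group(1).split(", "):
        for key in KEYS:
            if part.startswith(key + " "):
                rec[key] = part[len(key) + 1:]
                break
    return rec


def denial(rec):
    """Summarise a NOT_GRANTED record; None for any other result."""
    m = re.match(r"(\S+)(?: \((\w+)\))?(?: by (.*))?$", rec.get("result", ""))
    if not m or m.group(1) != "NOT_GRANTED":
        return None
    return {
        "uid": rec.get("uid"),              # the reply grants to this uid...
        "audit_uid": rec.get("audit uid"),  # ...not to the audit uid
        "prog": rec.get("prog_file"),
        "request": rec.get("request"),
        "target": (rec.get("target_type"), rec.get("tid")),
        "modules": m.group(3).split() if m.group(3) else [],
        "softmode": m.group(2) == "Softmode",
    }


if __name__ == "__main__":
    print(denial(parse_adf_line(SAMPLE)))
```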



