[rsbac] granting syslog-ng the right to access /proc/rsbac-info/rmsg

sftf at yandex.ru sftf at yandex.ru
Thu Jul 19 12:09:32 CEST 2007


Try
  attr_set_user FF root ff_role 3
  attr_set_user AUTH root auth_role 3

In my previous post I mixed up ACL and AUTH modules, sorry.
SS> Hm, however if I change root's roles to auditor he isn't Administrator any more.
SS> Does that remove any rights that root might have? I can't find any documentation
SS> about AUTH and FF roles anywhere so I don't know what they do. I also couldn't
SS> find out where or if you can define your own roles or anything like that. I just
SS> know where to set them.

SS> Thanks a lot,
SS> Sven

SS> Amon Ott wrote:
>> On Wednesday 18 July 2007 09:34, Sven Seeland wrote:
>>>> Your "start a separate syslog under secoff credentials" is WRONG
>>>> IDEA! In properly configured RSBAC no daemons must run with
>>>> secoff privileges. You should use RC model and should create role
>>>> for init and grant appropriate permissions to this role.
>>> that's my thinking exactly. However, running syslog-ng under secoff
>>> credentials is the way it is officially documented on the RSBAC
>>> website
>>> (http://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/administration_examples/syslog-ng)
>>>
>>> And if I just have syslog-ng (which has its own RC role, by the
>>> way) access /proc/rsbac-info/rmsg I get errors from RC, AUTH *and*
>>> FF. Now, fixing the RC part is easy. But how do I fix AUTH and FF?
>>> I couldn't figure it out for the life of me.
>> 
>> AUTH and FF have hardcoded protection for RSBAC log. You can change
>> root's FF and AUTH roles to auditor, this is the designated role and
>> does not grant further rights.
>> 
>> Amon.



