[rsbac] SEARCH request on DEV target ¿?

Javier Martínez tazok.id0 at gmail.com
Thu Jul 26 18:22:56 CEST 2007


Hi, I saw this error before Init runs:

 0000000100|check_comp_rc(): pid 1051 (tty), owner 0,
 rc_role 999999, DEV rc_type 0, request SEARCH -> NOT_GRANTED!
 0000000101|rsbac_adf_request(): request SEARCH, pid
1051, ppid 1000, prog_name tty, prog_file /bin/tty, uid 0, target_type DEV, tid
char 07:149, attr none, value none, result NOT_GRANTED (Softmode) by RC

The message repeats for devices "char 07:149", char 03:243, char 02:172,
char 01:07, among others...
The strange thing is that it makes a SEARCH request on a DEV target, which
AFAIK does not exist as a request per se. The rc_type of the /dev
FD is still inherited from its parent, and the DEV one is of type
GENERAL_DEVICE (the default). The privileges granted to role 999999 for
this DEV type are the following (the default):

ADD_TO_KERNEL
APPEND_OPEN
CLOSE
GET_PERMISSIONS_DATA
GET_STATUS_DATA
MODIFY_PERMISSIONS_DATA
MODIFY_SYSTEM_DATA
MOUNT
READ
READ_ATTRIBUTE
READ_WRITE_OPEN
READ_OPEN
REMOVE_FROM_KERNEL
UMOUNT
WRITE
WRITE_OPEN
SEND
IOCTL

The rsbac version and admin tools are 1.3.4; the rsbac
section of .config follows:

#
# Rule Set Based Access Control (RSBAC)
#
CONFIG_RSBAC=y

#
# General RSBAC options
#
CONFIG_RSBAC_INIT_THREAD=y
CONFIG_RSBAC_MAX_INIT_TIME=60
CONFIG_RSBAC_PROC=y
CONFIG_RSBAC_INIT_CHECK=y
# CONFIG_RSBAC_NO_WRITE is not set
# CONFIG_RSBAC_MSDOS_WRITE is not set
CONFIG_RSBAC_AUTO_WRITE=5
CONFIG_RSBAC_LIST_MAX_HASHES=128
CONFIG_RSBAC_LIST_CHECK_INTERVAL=1800
CONFIG_RSBAC_LIST_TRANS=y
CONFIG_RSBAC_LIST_TRANS_MAX_TTL=3600
CONFIG_RSBAC_LIST_TRANS_RANDOM_TA=y
# CONFIG_RSBAC_FD_CACHE is not set
CONFIG_RSBAC_DEBUG=y
# CONFIG_RSBAC_DEV_USER_BACKUP is not set
CONFIG_RSBAC_SECOFF_UID=666
# CONFIG_RSBAC_INIT_DELAY is not set
CONFIG_RSBAC_GEN_NR_P_LISTS=4

#
# User Management
#
CONFIG_RSBAC_UM=y
CONFIG_RSBAC_UM_DIGEST=y
CONFIG_RSBAC_UM_USER_MIN=2000
CONFIG_RSBAC_UM_GROUP_MIN=2000
# CONFIG_RSBAC_UM_EXCL is not set
CONFIG_RSBAC_UM_MIN_PASS_LEN=6
CONFIG_RSBAC_UM_NON_ALPHA=y
CONFIG_RSBAC_UM_PWHISTORY=y
CONFIG_RSBAC_UM_PWHISTORY_MAX=8

#
# RSBAC networking options
#
CONFIG_RSBAC_NET=y
CONFIG_RSBAC_NET_DEV=y
# CONFIG_RSBAC_NET_DEV_VIRT is not set
CONFIG_RSBAC_IND_NETDEV_LOG=y
CONFIG_RSBAC_NET_OBJ=y
# CONFIG_RSBAC_NET_OBJ_RW is not set
CONFIG_RSBAC_IND_NETOBJ_LOG=y

#
# -------------------------
#
# CONFIG_RSBAC_MAINT is not set

#
# -------------------------
#

#
# Decision module (policy) options
#
# CONFIG_RSBAC_REG is not set

#
# -------------------------
#
CONFIG_RSBAC_AUTH=y

#
# AUTH Policy Options
#
CONFIG_RSBAC_AUTH_AUTH_PROT=y
CONFIG_RSBAC_AUTH_OTHER_PROT=y
CONFIG_RSBAC_AUTH_UM_PROT=y
CONFIG_RSBAC_AUTH_DAC_OWNER=y
# CONFIG_RSBAC_AUTH_ALLOW_SAME is not set
CONFIG_RSBAC_AUTH_GROUP=y
CONFIG_RSBAC_AUTH_DAC_GROUP=y
CONFIG_RSBAC_AUTH_LEARN=y
CONFIG_RSBAC_RC=y

#
# RC Policy Options
#
CONFIG_RSBAC_RC_AUTH_PROT=y
CONFIG_RSBAC_RC_UM_PROT=y
CONFIG_RSBAC_RC_GEN_PROT=y
# CONFIG_RSBAC_RC_BACKUP is not set
CONFIG_RSBAC_RC_NET_DEV_PROT=y
CONFIG_RSBAC_RC_NET_OBJ_PROT=y
CONFIG_RSBAC_RC_NET_OBJ_UNIX_PROCESS=y
CONFIG_RSBAC_RC_NR_P_LISTS=8
CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE=999999
# CONFIG_RSBAC_ACL is not set
# CONFIG_RSBAC_MAC is not set
CONFIG_RSBAC_PAX=y

#
# PAX Policy Options
#
CONFIG_RSBAC_PAX_DEFAULT=y
CONFIG_RSBAC_PAX_PAGEEXEC=y
# CONFIG_RSBAC_PAX_EMUTRAMP is not set
CONFIG_RSBAC_PAX_MPROTECT=y
CONFIG_RSBAC_PAX_RANDMMAP=y
CONFIG_RSBAC_PAX_RANDEXEC=y
CONFIG_RSBAC_PAX_SEGMEXEC=y
# CONFIG_RSBAC_DAZ is not set
CONFIG_RSBAC_CAP=y

#
# CAP Policy Options
#
CONFIG_RSBAC_CAP_PROC_HIDE=y
CONFIG_RSBAC_CAP_AUTH_PROT=y
CONFIG_RSBAC_CAP_LOG_MISSING=y
CONFIG_RSBAC_JAIL=y

#
# JAIL Policy Options
#
CONFIG_RSBAC_JAIL_NET_ADJUST=y
CONFIG_RSBAC_JAIL_NET_DEV_PROT=y
CONFIG_RSBAC_JAIL_NR_P_LISTS=4
CONFIG_RSBAC_JAIL_LOG_MISSING=y
CONFIG_RSBAC_RES=y
# CONFIG_RSBAC_FF is not set
# CONFIG_RSBAC_PM is not set

#
# ----------------
#

#
# Softmode and switching
#
CONFIG_RSBAC_SOFTMODE=y
# CONFIG_RSBAC_SOFTMODE_SYSRQ is not set
CONFIG_RSBAC_SOFTMODE_IND=y
CONFIG_RSBAC_SWITCH=y
CONFIG_RSBAC_SWITCH_ON=y
CONFIG_RSBAC_SWITCH_AUTH=y
CONFIG_RSBAC_SWITCH_RC=y
CONFIG_RSBAC_SWITCH_PAX=y
CONFIG_RSBAC_SWITCH_CAP=y
CONFIG_RSBAC_SWITCH_JAIL=y
CONFIG_RSBAC_SWITCH_RES=y

#
# Logging
#
CONFIG_RSBAC_IND_LOG=y
CONFIG_RSBAC_IND_USER_LOG=y
CONFIG_RSBAC_IND_PROG_LOG=y
CONFIG_RSBAC_LOG_PROGRAM_FILE=y
CONFIG_RSBAC_LOG_FULL_PATH=y
CONFIG_RSBAC_MAX_PATH_LEN=512
# CONFIG_RSBAC_LOG_PSEUDO is not set
CONFIG_RSBAC_SYSLOG_RATE=y
CONFIG_RSBAC_SYSLOG_RATE_DEF=1000
CONFIG_RSBAC_RMSG=y
CONFIG_RSBAC_RMSG_MAXENTRIES=200
CONFIG_RSBAC_RMSG_NOSYSLOG=y

#
# ----------------
#
# CONFIG_RSBAC_LOG_REMOTE is not set
CONFIG_RSBAC_SYM_REDIR=y
CONFIG_RSBAC_SYM_REDIR_REMOTE_IP=y
CONFIG_RSBAC_SYM_REDIR_UID=y
CONFIG_RSBAC_SYM_REDIR_RC=y
# CONFIG_RSBAC_ALLOW_DAC_DISABLE is not set

#
# Other RSBAC options
#
# CONFIG_RSBAC_SECDEL is not set
CONFIG_RSBAC_RW=y
CONFIG_RSBAC_IPC_SEM=y
CONFIG_RSBAC_DAC_OWNER=y
CONFIG_RSBAC_DAC_GROUP=y
CONFIG_RSBAC_PROC_HIDE=y
CONFIG_RSBAC_FSOBJ_HIDE=y
# CONFIG_RSBAC_FREEZE is not set
CONFIG_RSBAC_SYSLOG=y
CONFIG_RSBAC_IOCTL=y
CONFIG_RSBAC_USER_CHOWN=y
# CONFIG_RSBAC_DAT_VISIBLE is not set
# CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT is not set
CONFIG_RSBAC_USER_MOD_IOPERM=y
CONFIG_RSBAC_FAKE_ROOT_UID=y
CONFIG_RSBAC_XSTATS=y
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y

Maybe a bug? Note that the result is logged as NOT_GRANTED (Softmode), so the request was only logged, not actually denied.

