[rsbac] MAC module

Fix 4d876b82 at gmail.com
Thu Sep 6 13:03:43 CEST 2007


> Some checks are hardcoded in the module. I agree that 
> MODIFY_SYSTEM_DATA on SCD priority is not critical and should be 
> allowed.
> 
> The attached patch allows it.

Thanks.
I think MODIFY_SYSTEM_DATA on SCD mlock should also be allowed by the MAC module,
especially for GnuPG, to prevent passphrase leaks to swap:

Sep  6 18:01:26 localhost kernel: 0000000881|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 5446, ppid 1, prog_name play, prog_file /usr/bin/sox, uid 1000, target_type SCD, tid mlock, attr none, value none, result NOT_GRANTED (Softmode) by MAC RC ACL
Sep  6 18:10:48 localhost kernel: 0000000891|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 1760, ppid 1725, prog_name artsd, prog_file /opt/kde/bin/artsd, uid 1000, target_type SCD, tid mlock, attr none, value none, result NOT_GRANTED (Softmode) by MAC RC ACL
Sep  6 18:53:55 localhost kernel: 0000000961|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 10217, ppid 8425, prog_name gpg, prog_file /usr/bin/gpg, uid 1000, target_type SCD, tid mlock, attr none, value none, result NOT_GRANTED (Softmode) by MAC RC ACL

// wbr
Fix
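
Added example, not part of the original message and not RSBAC project code: a small parser that groups softmode NOT_GRANTED entries like the ones quoted above by (request, target_type, tid), so a policy maintainer can see which programs would lose mlock once softmode is switched off. The names parse_line and softmode_denials are hypothetical, and the field layout is assumed from the three log lines in this post only.

```python
import re
from collections import defaultdict

# The three log lines from the post above, with mail line-wrapping undone.
SAMPLE = """\
Sep  6 18:01:26 localhost kernel: 0000000881|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 5446, ppid 1, prog_name play, prog_file /usr/bin/sox, uid 1000, target_type SCD, tid mlock, attr none, value none, result NOT_GRANTED (Softmode) by MAC RC ACL
Sep  6 18:10:48 localhost kernel: 0000000891|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 1760, ppid 1725, prog_name artsd, prog_file /opt/kde/bin/artsd, uid 1000, target_type SCD, tid mlock, attr none, value none, result NOT_GRANTED (Softmode) by MAC RC ACL
Sep  6 18:53:55 localhost kernel: 0000000961|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 10217, ppid 8425, prog_name gpg, prog_file /usr/bin/gpg, uid 1000, target_type SCD, tid mlock, attr none, value none, result NOT_GRANTED (Softmode) by MAC RC ACL
"""

# Assumed layout: "request <REQ>, key value, key value, ..., result <RES> (<mode>) by <modules>"
HEADER = re.compile(r"rsbac_adf_request\(\): request (?P<request>\w+), (?P<rest>.*)$")
RESULT = re.compile(r"^(?P<result>\w+)(?: \((?P<mode>\w+)\))?(?: by (?P<modules>.+))?$")

def parse_line(line):
    """Return a dict of fields for one rsbac_adf_request() line, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"request": m.group("request")}
    # Fields are split on ", "; a path containing ", " would be mis-split.
    for field in m.group("rest").split(", "):
        key, _, value = field.partition(" ")
        rec[key] = value
    r = RESULT.match(rec.get("result", ""))
    if r:
        rec["result"] = r.group("result")
        rec["softmode"] = r.group("mode") == "Softmode"
        rec["modules"] = (r.group("modules") or "").split()
    return rec

def softmode_denials(text):
    """Map (request, target_type, tid) -> {prog_file: modules that said no}."""
    out = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "NOT_GRANTED" and rec.get("softmode"):
            key = (rec["request"], rec.get("target_type"), rec.get("tid"))
            out[key][rec.get("prog_file")] = rec["modules"]
    return dict(out)

if __name__ == "__main__":
    for key, progs in softmode_denials(SAMPLE).items():
        print(key, sorted(progs))
```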