[rsbac] 1.4.0-rc3 check_comp_rc: rc_role wrong?

Bernhard Seibold bernhard.seibold at uni-ulm.de
Mon Nov 24 22:44:40 CET 2008 

On Di, 2008-11-18 at 16:52 +0100, Amon Ott wrote:
> On Monday 17 November 2008 19:32, Bernhard Seibold wrote:
> > User 1000 is rc_role 4. No errors with 2.6.26.7 with 1.4.0-rc2 (and
> > your one-line ipv6 patch).
> >
> > 0000009047|check_comp_rc(): pid 2299432064 (gweather-applet), owner
> > 1000, rc_role 0, NETOBJ rc_type 0, request CREATE -> NOT_GRANTED!
> 
> The pid is complete rubbish here. Just corrected output at several 
> places. I have attached a patch, can you please retry with it?

The PIDs are now ok, but of course the problem persists. This was logged
while starting Apache (in Softmode, by user 1000 from a "sudo -s"
shell), with debug_adf_auth and debug_adf_rc turned on:

0000002834|rsbac_set_attr(): Trying to set attribute for process 0!
0000002835|rsbac_adf_set_attr_rc: rsbac_set_attr() for rc_role returned
error!
0000002836|rsbac_set_attr(): Trying to set attribute for process 0!
0000002837|rsbac_adf_set_attr_auth: rsbac_set_attr() for auth_may_setuid
returned error!
0000002838|rsbac_set_attr(): Trying to set attribute for process 0!
0000002839|rsbac_adf_set_attr_cap(): rsbac_get_attr() for cap_ld_env
returned error!
0000002840|rsbac_set_attr(): Trying to set attribute for process 0!
0000002841|rsbac_adf_set_attr_cap(): rsbac_set_attr() for
cap_process_hiding returned error!
0000002842|rsbac_set_attr(): Trying to set attribute for process 0!
0000002843|rsbac_adf_set_attr(): rsbac_set_attr() for audit_uid returned
error!
0000002844|rsbac_adf_set_attr(): request CLONE, pid 18530, uid 0, audit
uid 1000, target_type PROCESS, tid 18530, new_target_type PROCESS,
new_tid 0, attr none, value 0, error -1004
0000002845|do_fork() [sys_fork(), sys_clone()]: rsbac_adf_set_attr()
returned error!
0000002846|rsbac_adf_request(): request CHANGE_OWNER, pid 18537, ppid
18530, prog_name apache2, prog_file /usr/sbin/apache2, uid 0,
target_type PROCESS, tid 18537, attr owner, value 33, result NOT_GRANTED
(Softmode) by AUTH

The setuid should have been granted:

secoff at blob:~$ auth_set_cap FD get /usr/sbin/apache2
33 
secoff at blob:~$ 


Bernhard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://www.rsbac.org/pipermail/rsbac/attachments/20081124/c6ebb983/attachment.pgp

More information about the rsbac mailing list