[rsbac] secoff has role 2 when log in by ssh

Orosz Tamás pingtomi at pingtomi.hu
Mon Dec 14 18:49:14 CET 2009 

Hi All,

I have a strange problem with kernel 2.6.31.6 and rsbac-1.4.3 (prepatched)
after I've upgraded an rsbac-1.3.8 system.
The problem summary is: when I log in by ssh with the user secoff, I can not
manage anything, because the role of secoff is 2 (system admin).
I've checked lot of things, here are the outputs:

RC role settings for sshd:

/usr/sbin/sshd rc_force_role 4294967292 (I tried 4294967295, no changes)
/usr/sbin/sshd rc_initial_role 999999

RC role 999999:

ROLE 999999 name "System Boot"
ROLE 999999 def_fd_create_type 4294967294
ROLE 999999 def_user_create_type 0
ROLE 999999 def_process_create_type 4294967294
ROLE 999999 def_process_chown_type 4294967291
ROLE 999999 def_process_execute_type 4294967295
ROLE 999999 def_ipc_create_type 0
ROLE 999999 def_group_create_type 0
ROLE 999999 def_unixsock_create_type 4294967289
ROLE 999999 boot_role 1
ROLE 999999 type_comp_fd 0 ADD_TO_KERNEL


RC role 2:

ROLE 2 name "System Admin"
ROLE 2 admin_type 2
ROLE 2 def_fd_create_type 4294967294
ROLE 2 def_user_create_type 0
ROLE 2 def_process_create_type 4294967294
ROLE 2 def_process_chown_type 4294967291
ROLE 2 def_process_execute_type 4294967294
ROLE 2 def_ipc_create_type 0
ROLE 2 def_group_create_type 0
ROLE 2 def_unixsock_create_type 4294967289
ROLE 2 boot_role 0
ROLE 2 req_reauth 0

RC Settings of fuser secoff:

secoff rc_def_role 1
secoff rc_type 1

Here is a log, when secoff log in by ssh:

Dec 14 18:36:25 node1 kernel: [78018.570228] 0000239323|rsbac_adf_request():
request CHANGE_OWNER, pid 12390, ppid 11099, prog_name sshd, prog_file
/usr/sbin/sshd, uid 0, remote ip xxx, target_type FILE, tid Device 00:10
Inode 4 Path /dev/pts, attr none, value none, result GRANTED (Softmode) by
FF RC ACL
Dec 14 18:36:25 node1 kernel: [78018.586986] 0000239324|rsbac_adf_request():
request CHDIR, pid 12393, ppid 12392, prog_name sshd, prog_file
/usr/sbin/sshd, uid 400, remote ip xxx, target_type DIR, tid Device 08:01
Inode 208960 Path /home/secoff, attr none, value none, result GRANTED
(Softmode) by FF RC ACL
Dec 14 18:36:25 node1 kernel: [78018.587274] 0000239325|rsbac_adf_request():
request EXECUTE, pid 12393, ppid 12392, prog_name sshd, prog_file
/usr/sbin/sshd, uid 400, remote ip xxx, target_type FILE, tid Device 08:01
Inode 57937 Path /bin/bash, attr none, value none, result GRANTED (Softmode)
by DAZ FF RC ACL

But, secoff has still role 2 event his uid is 400, and rsbac rejects any
modification, for eg:

Dec 14 18:37:48 node1 kernel: [78101.974042] 0000239326|check_comp_rc_scd():
pid 12444 (attr_get_file_d), owner 400, rc_role 2, scd_type 32, request
READ_ATTRIBUTE -> NOT_GRANTED

With rsbac 1.3.8 it has been working well before . I compared the
configuration with another working rsbac 1.3.8 system, it's the same.

When I log in by console (or by telnet, only for tesing), everything is
fine.

Any idea, what was my mistake?

Thanks!
Tamas

More information about the rsbac mailing list