[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Tue Jan 13 12:54:58 CET 2009


Hmmm... I misunderstood one thing, target is NETDEV, so category
should go to NETDEV. It's better in my opinion to have categories in
all (as types in RC model) than granting a global access to all
objects with 0 security_level.

2009/1/13 Javier J. Martínez Cabezón <tazok.id0 en gmail.com>:
> Multiload-applet is related with gnome?
>
> Why don't you warrant him security_level 0 and one own category for
> him? Keep in mind that MAC not only checks the security level but
> also security_level[category], so if you set this to
> security_level0[applet] it could be fine.
>
> I don't think that setting it as trusted would be a good idea...
> I don't think that granting a gnome applet MODIFY_SYSTEM_DATA (I don't
> use the MAC module yet, but I think that this does it: attr_set_fd MAC
> DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2). Why not only
> GET_STATUS_DATA?
> Since MODIFY_SYSTEM_DATA is a write request the *-property forces that
> subject and object have the same clearance level. Keep it in mind.
>
> 2009/1/13 Gergely Lónyai <alephlg en gmail.com>:
>> Hi,
>>
>> How to resolve this problem. My idea is wrong:
>>
>> attr_set_fd MAC DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2
>> or
>> attr_set_fd MAC FILE security_level 0 /usr/lib/multiload-applet-2
>> or
>> mac_set_trusted FILE add "/usr/lib/multiload-applet-2" 1000
>> or
>> Settings /usr/lib/multiload-applet-2 with rsbac_fd_menu.
>> The multiload-applet-2 is the "bad guy"?
>>
>> 0005753827|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid  }��, attr none, value none, result NOT_GRANTED (Softmode) by MAC
>> 0005753828|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>> 0005753829|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>> 0005753830|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>> 0005753831|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>> 0005753883|rsbac_adf_request(): request GET_STATUS_DATA, pid 2351, ppid 1, prog_name ifplugd, prog_file /sbin/ifplugd, uid 0, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>
>>
>> Aleph
>> _______________________________________________
>> rsbac mailing list
>> rsbac en rsbac.org
>> http://www.rsbac.org/mailman/listinfo/rsbac
>
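The thread turns on two MAC checks: a read (GET_STATUS_DATA) needs the subject's level and category set to dominate the target's, and a write (MODIFY_SYSTEM_DATA) is bound by the *-property, which Javier states as "subject and object have the same clearance level" (textbook Bell-LaPadula is looser and allows write-up). The following is an added example, not RSBAC code or anything posted in the thread: a small Python model of those two rules, run over constructed copies of the rsbac_adf_request() lines above, so the three options under discussion (mark the applet trusted, give the applet level 0 plus its own category, also put that category on the NETDEV) can be compared side by side. Assumptions: the request-to-direction mapping (GET_STATUS_DATA is a read, MODIFY_SYSTEM_DATA is a write), the equal-level write rule, and the tid of the first logged request, which is unreadable in the original line and is taken to be eth0 here.

```python
import re
from dataclasses import dataclass

# Constructed sample: copies of three rsbac_adf_request() lines from the thread.
# ASSUMPTION: the unreadable tid of the first line is taken to be eth0.
SAMPLE_LOG = """\
0005753827|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result NOT_GRANTED (Softmode) by MAC
0005753828|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
0005753883|rsbac_adf_request(): request GET_STATUS_DATA, pid 2351, ppid 1, prog_name ifplugd, prog_file /sbin/ifplugd, uid 0, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
"""

LINE_RE = re.compile(r"^(\d+)\|rsbac_adf_request\(\): (.*)$")

# ASSUMPTION: which request types count as read and which as write in this model.
READ_REQUESTS = {"GET_STATUS_DATA"}
WRITE_REQUESTS = {"MODIFY_SYSTEM_DATA"}

APPLET = "/usr/lib/multiload-applet-2"


def parse_adf_line(line):
    """Split one rsbac_adf_request() log line into a dict of its fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"seq": m.group(1)}
    for part in m.group(2).split(", "):
        key, _, value = part.partition(" ")
        if key == "audit":  # "audit uid 1000" -> audit_uid = 1000
            key, value = "audit_uid", value.partition(" ")[2]
        fields[key] = value
    return fields


@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset


def mac_decide(subject, target, request, trusted=False):
    """Simplified MAC decision (a model of the rules discussed, not RSBAC's code)."""
    if trusted:
        return "GRANTED"  # a trusted subject bypasses the MAC checks entirely
    if request in READ_REQUESTS:
        # simple security property: no read up, subject must dominate the object
        ok = subject.level >= target.level and subject.categories >= target.categories
    elif request in WRITE_REQUESTS:
        # *-property as stated in the thread: equal levels, and the object's
        # category set must cover the subject's (no write into a less
        # restricted compartment). Textbook BLP would also permit write-up.
        ok = subject.level == target.level and target.categories >= subject.categories
    else:
        ok = False  # unknown request type: deny by default
    return "GRANTED" if ok else "NOT_GRANTED"


def evaluate(log_text, subjects, targets, trusted=frozenset()):
    """Re-run every NETDEV request in the log under a candidate label assignment.
    Returns (seq, prog_file, request, tid, decision) tuples in log order."""
    out = []
    for line in log_text.splitlines():
        f = parse_adf_line(line)
        if f is None or f.get("target_type") != "NETDEV":
            continue
        subj, tgt = subjects.get(f["prog_file"]), targets.get(f["tid"])
        if subj is None or tgt is None:
            decision = "NOT_GRANTED"  # unlabeled subject or device: deny
        else:
            decision = mac_decide(subj, tgt, f["request"], f["prog_file"] in trusted)
        out.append((f["seq"], f["prog_file"], f["request"], f["tid"], decision))
    return out


def compare_policies():
    """The three options from the thread, applied to the same logged requests."""
    subjects = {
        APPLET: Label(0, frozenset({"applet"})),  # level 0 plus its own category
        "/sbin/ifplugd": Label(0, frozenset()),   # ordinary level-0 reader of eth0
    }
    eth0_plain = {"eth0": Label(0, frozenset())}
    eth0_with_cat = {"eth0": Label(0, frozenset({"applet"}))}
    return {
        # option 1: mac_set_trusted on the applet, nothing else changes
        "trusted": evaluate(SAMPLE_LOG, subjects, eth0_plain, trusted={APPLET}),
        # option 2: category only on the applet (the NETDEV keeps an empty set)
        "category_on_subject_only": evaluate(SAMPLE_LOG, subjects, eth0_plain),
        # option 3: the category goes to the NETDEV as well
        "category_on_netdev_too": evaluate(SAMPLE_LOG, subjects, eth0_with_cat),
    }


if __name__ == "__main__":
    for name, rows in compare_policies().items():
        print(name)
        for seq, prog, req, tid, decision in rows:
            print(f"  {seq} {prog} {req} {tid}: {decision}")
```

Running it shows the trade-off behind the follow-up correction: with the category only on the applet, the read on eth0 passes but MODIFY_SYSTEM_DATA is refused, because the device's empty category set does not cover the applet's; once the category is placed on the NETDEV, the write passes, but every other reader of eth0 (ifplugd in the sample) now needs that category too, or its GET_STATUS_DATA is refused. Marking the applet trusted grants everything and exercises no MAC rule at all, which is why the thread is wary of it.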