[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV

Gergely Lónyai alephlg at gmail.com
Tue Jan 13 16:14:58 CET 2009


Hi,

Yes. I added kernel-rsbac to my desktop, and I am struggling with MAC/RC :-(
[secoff at noder ~]$ attr_set_fd MAC DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2
attr_set_fd: Invalid attribute MODIFY_SYSTEM_DATA
[secoff at noder ~]$ attr_set_fd MAC DEV GET_STATUS_DATA 1 /usr/lib/multiload-applet-2
attr_set_fd: Invalid attribute GET_STATUS_DATA

But I found a nice program, attr_set_net, but it does not include the "MAC NETDEV" pair.
2. nice program: acl_grant, but it does not include MAC:
acl_grant USER 1000 MODIFY_SYSTEM_DATA NETDEV :DEFAULT:


Aleph

From: Javier J. Martínez Cabezón <tazok.id0 at gmail.com>
>Is multiload-applet related to gnome?
>
>Why don't you grant it security_level 0 and its own category? Keep in
>mind that MAC not only checks the security level but also
>security_level[category], so if you set this to security_level0[applet]
>it could be fine.
>
>I don't think that setting it as trusted would be a good idea...
>I don't think that granting a gnome applet MODIFY_SYSTEM_DATA (I don't
>use the MAC module yet, but I think this does it: attr_set_fd MAC
>DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2). Why not only
>GET_STATUS_DATA?
>Since MODIFY_SYSTEM_DATA is a write request, the *-property forces the
>subject and object to have the same clearance level. Keep it in mind.
>
>2009/1/13 Gergely Lónyai <alephlg at gmail.com>:
>> Hi,
>>
>> How do I resolve this problem? My idea is wrong:
>>
>> attr_set_fd MAC DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2
>> or
>> attr_set_fd MAC FILE security_level 0 /usr/lib/multiload-applet-2
>> or
>> mac_set_trusted FILE add "/usr/lib/multiload-applet-2" 1000
>> or
>> Settings /usr/lib/multiload-applet-2 with rsbac_fd_menu.
>> The multiload-applet-2 is the "bad guy"?
>>
>> 0005753827|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid  }��, attr none, value none, result NOT_GRANTED (Softmode) by MAC
>> 0005753828|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>> 0005753829|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>> 0005753830|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>> 0005753831|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>> 0005753883|rsbac_adf_request(): request GET_STATUS_DATA, pid 2351, ppid 1, prog_name ifplugd, prog_file /sbin/ifplugd, uid 0, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>
>>
>> Aleph
>> _______________________________________________
>> rsbac mailing list
>> rsbac at rsbac.org
>> http://www.rsbac.org/mailman/listinfo/rsbac
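The thread turns on two things: reading the rsbac_adf_request() lines to see which requests MAC refuses while still in softmode, and understanding why a write request (MODIFY_SYSTEM_DATA) is treated differently from a read request (GET_STATUS_DATA) under the *-property Javier mentions. The following is an added example, not code from the thread or from the RSBAC project: it parses log lines in the format quoted above (the sample lines are constructed copies of those, with a plain tid of eth0 in place of the garbled one) and replays them against a simplified Bell-LaPadula label model. The model, the classification of GET_STATUS_DATA as a read and MODIFY_SYSTEM_DATA as a write, and the strict "same label for writes" rule are this example's assumptions, taken from Javier's description, not RSBAC's actual MAC implementation.

```python
"""Replay rsbac_adf_request() log lines against a simplified MAC label model.

Added example for the rsbac list thread; NOT RSBAC's own code.  The label
semantics below are a Bell-LaPadula simplification (assumption):
  - read request: subject label must dominate object label
  - write request: subject and object labels must be identical (the strict
    *-property variant described in the thread)
"""
import re
from dataclasses import dataclass, field

# Field layout copied from the rsbac_adf_request() lines quoted in the thread.
# 'audit uid' and the '(Softmode)' marker are optional because the ifplugd
# line carries neither.
LOG_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog_name>[^,]*), "
    r"prog_file (?P<prog_file>[^,]*), uid (?P<uid>\d+), "
    r"(?:audit uid (?P<audit_uid>\d+), )?"
    r"target_type (?P<target_type>\w+), tid (?P<tid>[^,]*), "
    r"attr (?P<attr>[^,]*), value (?P<value>[^,]*), "
    r"result (?P<result>\w+)(?: \((?P<mode>\w+)\))? by (?P<module>.+)$"
)

# Constructed sample input modelled on the thread's log (tid made readable).
SAMPLE_LOG = [
    "0005753827|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3714, ppid 1, "
    "prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, "
    "audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, "
    "result NOT_GRANTED (Softmode) by MAC",
    "0005753828|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, "
    "prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, "
    "audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, "
    "result GRANTED (Softmode) by RC ACL",
    "0005753883|rsbac_adf_request(): request GET_STATUS_DATA, pid 2351, ppid 1, "
    "prog_name ifplugd, prog_file /sbin/ifplugd, uid 0, target_type NETDEV, "
    "tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL",
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not an ADF request."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def denied_in_softmode(lines):
    """Distinct (request, prog_file, target_type) triples MAC would have refused.
    This is the list to resolve before leaving softmode."""
    return {
        (r["request"], r["prog_file"], r["target_type"])
        for r in map(parse_line, lines)
        if r and r["result"] == "NOT_GRANTED" and r["mode"] == "Softmode"
    }


@dataclass(frozen=True)
class Label:
    """security_level plus a category set (assumed model, not RSBAC's types)."""
    level: int
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        return self.level >= other.level and other.categories <= self.categories


# Assumption: GET_STATUS_DATA only reads the device, MODIFY_SYSTEM_DATA writes it.
READ_REQUESTS = {"GET_STATUS_DATA"}
WRITE_REQUESTS = {"MODIFY_SYSTEM_DATA"}


def mac_decide(request, subject, obj):
    """Simple-security property for reads; strict equal-label rule for writes."""
    if request in READ_REQUESTS:
        return "GRANTED" if subject.dominates(obj) else "NOT_GRANTED"
    if request in WRITE_REQUESTS:
        return "GRANTED" if subject == obj else "NOT_GRANTED"
    raise ValueError(f"request {request} not classified as read or write")


def replay(lines, subject_labels, object_labels):
    """Decide every parsed request with the model.  Unlabelled subjects and
    objects default to level 0 with no categories (assumption)."""
    decisions = []
    for r in filter(None, map(parse_line, lines)):
        subj = subject_labels.get(r["prog_file"], Label(0))
        obj = object_labels.get((r["target_type"], r["tid"]), Label(0))
        decisions.append((r["request"], r["prog_file"], r["tid"],
                          mac_decide(r["request"], subj, obj)))
    return decisions


if __name__ == "__main__":
    # Javier's suggestion: applet at level 0 with its own category; eth0 unlabelled.
    subjects = {"/usr/lib/multiload-applet-2": Label(0, frozenset({"applet"}))}
    objects = {("NETDEV", "eth0"): Label(0)}
    print("denied in softmode:", sorted(denied_in_softmode(SAMPLE_LOG)))
    for d in replay(SAMPLE_LOG, subjects, objects):
        print(d)
```

Under this model the applet's own category lets it dominate the unlabelled eth0, so GET_STATUS_DATA passes, but MODIFY_SYSTEM_DATA still fails because the labels are not identical; only giving eth0 the same level and category (or dropping the write request, as Javier asks) makes the write pass. Whether that matches RSBAC's real decision has to be checked against its own documentation and the ADF log once the labels are set.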
