List: rsbac
Subject: Re: [rsbac] Can't manage to authorize IPC RECEIVE in RC module
From: Colin Pitrat <colin.pitrat () bull ! net>
Date: 2006-11-28 14:10:39
Message-ID: 456C435F.9030302 () bull ! net
I answered too fast. I now have another problem. I get the following line:
check_comp_rc(): pid 30144 (ls), owner 0, rc_role 0, PROCESS rc_type 5,
request SEND -> NOT_GRANTED!
which is really strange as there is no process type 5:
# rc_get_item list_process_types
0 General_Process
1 Security_Proc
2 System_Process
999999 Kernel_Process
Colin Pitrat (Bull Services Telco)
Bull, Architect of an Open World (TM)
Tél : +33 (0) 1 30 80 72 93
www.bull.com
Colin Pitrat wrote:
>
> Thanks, the debug_adf_rc tip is really helpful! I didn't know it.
> Thanks to it, I managed to make it work.
>
> Colin Pitrat (Bull Services Telco)
> Bull, Architect of an Open World (TM)
> Tél : +33 (0) 1 30 80 72 93
> www.bull.com
>
>
> Amon Ott wrote:
>> On Tuesday 28 November 2006 12:14, Colin Pitrat wrote:
>>> I'm currently running in softmode with rsbac 1.3.0, and I get the
>>> following line in /var/log/messages.log:
>>>
>>> rsbac_adf_request(): request RECEIVE, pid 1820, ppid 1, prog_name
>>> syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, target_type IPC, tid
>>> AnonUnix-ID 29332, attr process, value 21770, result NOT_GRANTED
>>> (Softmode) by RC
>>>
>>> I tried to set RECEIVE for the IPC type I supposed to be concerned for
>>> the supposed role, but it didn't work. So I tried to turn it on for
>>> every IPC type for every role (yeah I know, but I'm just testing for now
>>> ;) ) and it still doesn't work. What did I do wrong?
>>
>> Did you enable partner process checking in kernel config?
>> "RC check access to UNIX partner process".
>> If yes, there is an additional check against the partner process RC type.
>>
>> Please enable RC debugging as secoff with
>> echo debug_adf_rc 1 >/proc/rsbac-info/debug
>> to see which roles and types are involved. You can also use
>> rsbac_debug_adf_rc kernel parameter.
>>
>> Amon.
> _______________________________________________
> rsbac mailing list
> rsbac@rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
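
The comparison made by hand in the top message (a denied request naming PROCESS rc_type 5, checked against the output of rc_get_item list_process_types) can be scripted. The following is an added example, not part of the original messages and not RSBAC code; the regular expression is derived only from the single check_comp_rc() line quoted in this thread, and the function names are hypothetical.

```python
import re

# Layout of the check_comp_rc() debug line, taken from the one sample in this
# thread (assumption: other lines follow the same layout). \s+ tolerates the
# mid-line wrap seen in the mail.
DENIAL = re.compile(
    r"check_comp_rc\(\):\s+pid\s+(?P<pid>\d+)\s+\((?P<prog>[^)]*)\),\s+"
    r"owner\s+(?P<owner>\d+),\s+rc_role\s+(?P<role>\d+),\s+"
    r"(?P<target>\w+)\s+rc_type\s+(?P<rc_type>\d+),\s+"
    r"request\s+(?P<request>\w+)\s+->\s+(?P<result>\w+)"
)

def parse_type_list(text):
    """Parse 'rc_get_item list_process_types' output into {id: name}."""
    types = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            types[int(parts[0])] = parts[1].strip()
    return types

def undefined_type_denials(log_text, defined_types, target="PROCESS"):
    """Return denials whose rc_type for `target` is not a defined type id."""
    hits = []
    for m in DENIAL.finditer(log_text):
        if m["target"] != target or m["result"] != "NOT_GRANTED":
            continue
        if int(m["rc_type"]) not in defined_types:
            hits.append({"pid": int(m["pid"]), "prog": m["prog"],
                         "role": int(m["role"]), "rc_type": int(m["rc_type"]),
                         "request": m["request"]})
    return hits

# Constructed sample input: the log line and type list quoted in the thread.
SAMPLE_LOG = """check_comp_rc(): pid 30144 (ls), owner 0, rc_role 0, PROCESS rc_type 5,
request SEND -> NOT_GRANTED!
"""
SAMPLE_TYPES = """0 General_Process
1 Security_Proc
2 System_Process
999999 Kernel_Process
"""

if __name__ == "__main__":
    for hit in undefined_type_denials(SAMPLE_LOG, parse_type_list(SAMPLE_TYPES)):
        print(hit)
```

Only PROCESS targets are compared here because the thread shows only the process type list; denials for other target types would need the matching type list passed in.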