
List:       rsbac
Subject:    Re: [rsbac] Can't manage to authorize IPC RECEIVE in RC module
From:       Colin Pitrat <colin.pitrat () bull ! net>
Date:       2006-11-28 14:10:39
Message-ID: 456C435F.9030302 () bull ! net

I answered too fast. I now have another problem. I get the following line:
check_comp_rc(): pid 30144 (ls), owner 0, rc_role 0, PROCESS rc_type 5, 
request SEND -> NOT_GRANTED!

which is really strange as there is no process type 5:

# rc_get_item list_process_types
0 General_Process
1 Security_Proc
2 System_Process
999999 Kernel_Process

Colin Pitrat (Bull Services Telco)
Bull,  Architect of an Open World (TM)
Tél : +33 (0)  1 30 80 72 93
www.bull.com


Colin Pitrat wrote:
> 
> Thanks, the debug_adf_rc tip is really helpful! I didn't know it.
> Thanks to it, I managed to make it work.
> 
> Colin Pitrat (Bull Services Telco)
> Bull,  Architect of an Open World (TM)
> Tél : +33 (0)  1 30 80 72 93
> www.bull.com
> 
> 
> Amon Ott wrote:
>> On Dienstag 28 November 2006 12:14, Colin Pitrat wrote:
>>> I'm currently running in softmode with rsbac 1.3.0, and I get the
>>> following line in /var/log/messages.log:
>>>
>>> rsbac_adf_request(): request RECEIVE, pid 1820, ppid 1, prog_name
>>> syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, target_type IPC, tid
>>> AnonUnix-ID 29332, attr process, value 21770, result NOT_GRANTED
>>> (Softmode) by RC
>>>
>>> I tried to set RECEIVE for the IPC type I supposed to be concerned for
>>> the supposed role, but it didn't work. So I tried to turn it on for
>>> every IPC type for every role (yeah I know, but I'm just testing for now
>>> ;) ) and it still doesn't work. What did I do wrong?
>>
>> Did you enable partner process checking in kernel config?
>> "RC check access to UNIX partner process".
>> If yes, there is an additional check against the partner process RC type.
>>
>> Please enable RC debugging as secoff with
>> echo debug_adf_rc 1 >/proc/rsbac-info/debug
>> to see which roles and types are involved. You can also use 
>> rsbac_debug_adf_rc kernel parameter.
>>
>> Amon.
> _______________________________________________
> rsbac mailing list
> rsbac@rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
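
Added example (not part of the original messages and not RSBAC project code): a Python script that automates the cross-check done by hand in the newest message, parsing `check_comp_rc()` denial lines and flagging any `rc_type` that is missing from the `rc_get_item list_process_types` output. The line format is assumed from the single line quoted in this thread; the second log line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the first log entry (wrapped over two lines) and
# the type list are copied from this thread; the second entry is invented.
SAMPLE_LOG = """\
check_comp_rc(): pid 30144 (ls), owner 0, rc_role 0, PROCESS rc_type 5,
request SEND -> NOT_GRANTED!
check_comp_rc(): pid 30150 (cat), owner 0, rc_role 0, PROCESS rc_type 2, request SEND -> NOT_GRANTED!
"""
SAMPLE_TYPES = """\
0 General_Process
1 Security_Proc
2 System_Process
999999 Kernel_Process
"""

# Assumed format, derived only from the line quoted in the thread.
DENIAL = re.compile(
    r"check_comp_rc\(\): pid (?P<pid>\d+) \((?P<prog>[^)]*)\), owner (?P<owner>\d+), "
    r"rc_role (?P<role>\d+), (?P<target>\w+) rc_type (?P<type>\d+), "
    r"request (?P<request>\w+) -> NOT_GRANTED")

def parse_types(listing):
    """Map type id -> name from `rc_get_item list_process_types` output."""
    types = {}
    for line in listing.splitlines():
        ident, _, name = line.strip().partition(" ")
        if ident.isdigit():
            types[int(ident)] = name
    return types

def parse_denials(log):
    """Rejoin entries wrapped after a comma, then extract each denial."""
    joined = re.sub(r",\s*\n\s*", ", ", log)
    return [{k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
            for m in DENIAL.finditer(joined)]

def summarize(log, listing):
    """Count denials per (role, target, type, request); flag undefined types.
    The listing must describe the same target kind as the denials (PROCESS here)."""
    types = parse_types(listing)
    counts = Counter((d["role"], d["target"], d["type"], d["request"])
                     for d in parse_denials(log))
    return [{"role": r, "target": t, "type": ty, "request": q, "count": n,
             "type_name": types.get(ty), "defined": ty in types}
            for (r, t, ty, q), n in sorted(counts.items())]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, SAMPLE_TYPES):
        print(row)
```
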
