Re: RSBAC and XFree86-4.0.3 ?


From: Amon Ott <ao@rsbac.org>
Subject: Re: RSBAC and XFree86-4.0.3 ?
Date: Thu, 19 Apr 2001 09:50:02 +0200



On Thu, 19 Apr 2001 Fabrice MARIE wrote:
> I'm trying to run Xfree4 while under an RSBAC enabled
> kernel (2.4.2 with patch-1.1.2pre2, rsbac-v1.1.2pre2 and
> rsbac-admin-v1.1.2pre1, using RC,AUTH,ACL modules & support
> for X compiled in).
> 
> However, the access is denied with the following message :
> 
> ---
> Apr 19 14:27:23 fabrice kernel: rsbac_adf_request():
>   request GET_STATUS_DATA, caller_pid 1283,
>   caller_prog_name X, caller_uid 0, target-type SCD, tid kmem,
>   attr none, value 0, result NOT_GRANTED by ACL
> Apr 19 14:27:25 fabrice kernel: rsbac_adf_request():
>   request GET_STATUS_DATA, caller_pid 1283,
>   caller_prog_name X, caller_uid 0, target-type SCD, tid kmem,
>   attr none, value 0, result NOT_GRANTED by ACL
> ---
> 
> Can someone please explain this error message to me?

It means that X tries to directly read kernel memory, which is rather bad
behaviour. This is not yet covered by the X-Support option, but I will add it for
compatibility.

> Is there any way to get around it?

Just grant GET_STATUS_DATA to SCD kmem for user root or group everyone,
depending on who starts X:

acl_grant USER root GET_STATUS_DATA SCD kmem
acl_grant GROUP 0 GET_STATUS_DATA SCD kmem

A more secure solution would be to limit this access to X itself. However, you
need an RC role for this:
- copy RC role System Admin (2) to new role 'X-Server'  (number x)
- acl_grant ROLE x GET_STATUS_DATA SCD kmem
- set rc_force_role to x on X binary

On the fly you could remove System Admin's RC right to access SCD kmem.

Amon.
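
Added example, not part of the original message or of the RSBAC tools: a small parser for the rsbac_adf_request() denial records quoted above, which groups them by program, request, target and deciding module so that a grant can be scoped to the one program that needs it. The field layout is taken from the quoted log; the function names and every sample line after the first record are constructed.

```python
import re
from collections import Counter

# Constructed sample: the first record is the denial quoted in the post (kept
# wrapped, with "attr" rejoined); the remaining lines are made up for illustration.
SAMPLE_LOG = """\
Apr 19 14:27:23 fabrice kernel: rsbac_adf_request():
  request GET_STATUS_DATA, caller_pid 1283,
  caller_prog_name X, caller_uid 0, target-type SCD, tid kmem,
  attr none, value 0, result NOT_GRANTED by ACL
Apr 19 14:27:25 fabrice kernel: rsbac_adf_request(): request GET_STATUS_DATA, caller_pid 1283, caller_prog_name X, caller_uid 0, target-type SCD, tid kmem, attr none, value 0, result NOT_GRANTED by ACL
Apr 19 14:27:26 fabrice kernel: eth0: link up
Apr 19 14:31:02 fabrice kernel: rsbac_adf_request(): request GET_STATUS_DATA, caller_pid 1301, caller_prog_name top, caller_uid 500, target-type SCD, tid kmem, attr none, value 0, result NOT_GRANTED by RC
"""

# One record, after line wraps have been collapsed to single spaces.
RECORD_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), "
    r"caller_pid (?P<pid>\d+), caller_prog_name (?P<prog>\S+), "
    r"caller_uid (?P<uid>\d+), target-type (?P<ttype>\w+), "
    r"tid (?P<tid>[^,]+), attr (?P<attr>\w+), value (?P<value>\S+), "
    r"result (?P<result>\w+) by (?P<module>\w+)"
)

def parse_denials(text):
    """Return one dict per NOT_GRANTED record; wrapped records are rejoined."""
    flat = re.sub(r"\s+", " ", text)
    return [m.groupdict() for m in RECORD_RE.finditer(flat)
            if m.group("result") == "NOT_GRANTED"]

def summarize(denials):
    """Count denials per (program, uid, request, target type, target, module)."""
    return Counter((d["prog"], d["uid"], d["request"], d["ttype"], d["tid"],
                    d["module"]) for d in denials)

def kmem_readers(denials):
    """Programs that were denied access to kernel memory (SCD kmem)."""
    return sorted({d["prog"] for d in denials
                   if d["ttype"] == "SCD" and d["tid"] == "kmem"})

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for key, count in summarize(found).items():
        print(count, *key)
    print("denied on SCD kmem:", ", ".join(kmem_readers(found)))
```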