Re: RSBAC and XFree86-4.0.3 ?


From: Stanislav Ievlev <inger@linux.ru.net>
Subject: Re: RSBAC and XFree86-4.0.3 ?
Date: Thu, 19 Apr 2001 15:29:58 +0400


Amon Ott wrote:

> On Don, 19 Apr 2001 Fabrice MARIE wrote:
> 
>> I'm trying to run Xfree4 while under an RSBAC enabled
>> kernel (2.4.2 with patch-1.1.2pre2, rsbac-v1.1.2pre2 and
>>         rsbac-admin-v1.1.2pre1, using RC,AUTH,ACL modules & support
>>         for X compiled in).
>> 
>> However, the access is denied with the following message :
>> 
>> ---
>> Apr 19 14:27:23 fabrice kernel: rsbac_adf_request():
>>   request GET_STATUS_DATA, caller_pid 1283,
>>   caller_prog_name X, caller_uid 0, target-type SCD, tid kmem,
>>   attr none, value 0, result NOT_GRANTED by ACL
>> Apr 19 14:27:25 fabrice kernel: rsbac_adf_request():
>>   request GET_STATUS_DATA, caller_pid 1283,
>>   caller_prog_name X, caller_uid 0, target-type SCD, tid kmem,
>>   attr none, value 0, result NOT_GRANTED by ACL
>> ---
>> 
>> Can someone please explain this error message to me?
> 
> 
> It means that X tries to directly read kernel memory, which is rather bad
> behaviour. This is not yet covered by X-Support option, but I will add it for
> compatibility.

No, we don't need this option for XFree 4.x.

> 
>> Is there any way to get around it?
> 
> 
> Just grant GET_STATUS_DATA to SCD kmem for user root or group everyone,
> depending on who starts X:
> 
> acl_grant USER root GET_STATUS_DATA SCD kmem
> acl_grant GROUP 0 GET_STATUS_DATA SCD kmem
> 
> A more secure solution would be to limit this access to X itself. However, you
> need an RC role for this:
> - copy RC role System Admin (2) to new role 'X-Server'  (number x)
> - acl_grant ROLE x GET_STATUS_DATA SCD kmem
> - set rc_force_role to x on X binary
> 
> On the fly you could remove System Admin's RC right to access SCD kmem.
> 
> Amon.
> -
> To unsubscribe from the rsbac list, send a mail to
> majordomo@rsbac.org with
> unsubscribe rsbac
> as single line in the body.
> 
> 



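Added example, not part of any message in this thread: a small parser for `rsbac_adf_request()` denial records in the format quoted above, which groups denials and lists the programs refused `GET_STATUS_DATA` on `SCD kmem` so each can be reviewed before any grant is made. It assumes one record per syslog line and that the field wrapped as "at / tr" in the quoted log is `attr`; the `memdump` entry is a constructed, hypothetical program.

```python
import re
from collections import Counter

# Field layout taken from the denial quoted in the thread (one record per line).
RECORD = re.compile(
    r"rsbac_adf_request\(\):\s*request (?P<request>\w+), "
    r"caller_pid (?P<pid>\d+), caller_prog_name (?P<prog>\S+), "
    r"caller_uid (?P<uid>\d+), target-type (?P<ttype>\w+), "
    r"tid (?P<tid>.+?), attr (?P<attr>\w+), value (?P<value>\S+), "
    r"result (?P<result>\w+) by (?P<module>\w+)"
)

# Constructed sample log: two records as in the thread, one unrelated line,
# and one denial for a hypothetical unprivileged program.
_FMT = ("Apr 19 {t} fabrice kernel: rsbac_adf_request(): request GET_STATUS_DATA, "
        "caller_pid {pid}, caller_prog_name {prog}, caller_uid {uid}, "
        "target-type SCD, tid kmem, attr none, value 0, result NOT_GRANTED by ACL")
SAMPLE_LOG = "\n".join([
    _FMT.format(t="14:27:23", pid=1283, prog="X", uid=0),
    _FMT.format(t="14:27:25", pid=1283, prog="X", uid=0),
    "Apr 19 14:30:02 fabrice kernel: unrelated message",
    _FMT.format(t="14:31:10", pid=1402, prog="memdump", uid=1000),
])

def parse_denials(log_text):
    """Return one dict per record whose decision is NOT_GRANTED."""
    denials = []
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if m and m.group("result") == "NOT_GRANTED":
            rec = m.groupdict()
            rec["pid"], rec["uid"] = int(rec["pid"]), int(rec["uid"])
            denials.append(rec)
    return denials

def summarize(denials):
    """Count denials per (program, uid, request, target type, tid, deciding module)."""
    return Counter((d["prog"], d["uid"], d["request"], d["ttype"], d["tid"], d["module"])
                   for d in denials)

def kernel_memory_reads(denials):
    """Programs denied GET_STATUS_DATA on SCD kmem, i.e. direct kernel-memory reads."""
    return sorted({d["prog"] for d in denials
                   if (d["request"], d["ttype"], d["tid"]) == ("GET_STATUS_DATA", "SCD", "kmem")})

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for key, count in summarize(found).items():
        print(count, key)
    print("review before granting:", kernel_memory_reads(found))
```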
