From: steve <steve@clublinux.org>
Subject: Re: Roles question
Date: Tue, 31 Jul 2001 11:02:29 -0500

Ahhh... I think I'm beginning to see the light on how this is supposed to work. Now, it says it can't READ_OPEN the library in question. So, in order to give qmail-qstat read access to the system libraries without giving it read access to the rest of the files on the system, I should create an FD type for libraries, and assign that FD type to /lib and /usr/lib, leaving the files in those directories to "inherit" their FD from their parent. Then, give role 3 READ_OPEN access to that FD type.

Am I on the right path here?

Thanks a bunch,
Steve

Amon Ott wrote:
>
> On Mon, 30 Jul 2001 steve wrote:
> > My apologies... It was my log configuration not showing DEBUG level info.
> >
> > Here is the complete message that is logged:
> >
> > Jul 30 07:43:29 localhost kernel: check_comp_rc(): rc_role is 3, rc_type
> > is 0, request is SEARCH -> NOT_GRANTED!
> > Jul 30 07:43:29 localhost kernel: rsbac_adf_request(): request SEARCH,
> > caller_pid 10826, caller_prog_name qmail-qstat, caller_uid 0,
> > target-type
> > DIR, tid Device 8:10 Inode 2 Path /, attr none, value 0, result
> > NOT_GRANTED
> > by RC
>
> OK. So your qmail-qstat runs with role 3. You will have to give SEARCH for type
> 0 to this role, which is harmless enough, to allow it to go down the dir tree
> with absolute paths. No dir reading by the role would be allowed, because
> that would require READ right.
>
> Amon.
> -
> To unsubscribe from the rsbac list, send a mail to
> majordomo@rsbac.org with
> unsubscribe rsbac
> as single line in the body.
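The following is an added example, not part of the original thread or of RSBAC itself: a small Python parser that pairs each `check_comp_rc()` denial with the `rsbac_adf_request()` line that follows it and groups the results by (role, FD type, request), which is the triple an RC grant decision is made on. It assumes the two lines are logged back to back as in the quoted message; the READ_OPEN entry, its inode and the path `/lib/libexample.so` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the thread (re-joined after mail
# wrapping) plus a made-up READ_OPEN denial written in the same layout.
SAMPLE_LOG = """\
Jul 30 07:43:29 localhost kernel: check_comp_rc(): rc_role is 3, rc_type is 0, request is SEARCH -> NOT_GRANTED!
Jul 30 07:43:29 localhost kernel: rsbac_adf_request(): request SEARCH, caller_pid 10826, caller_prog_name qmail-qstat, caller_uid 0, target-type DIR, tid Device 8:10 Inode 2 Path /, attr none, value 0, result NOT_GRANTED by RC
Jul 30 07:43:30 localhost kernel: check_comp_rc(): rc_role is 3, rc_type is 0, request is READ_OPEN -> NOT_GRANTED!
Jul 30 07:43:30 localhost kernel: rsbac_adf_request(): request READ_OPEN, caller_pid 10826, caller_prog_name qmail-qstat, caller_uid 0, target-type FILE, tid Device 8:10 Inode 4242 Path /lib/libexample.so, attr none, value 0, result NOT_GRANTED by RC
"""

RC_RE = re.compile(
    r"check_comp_rc\(\): rc_role is (\d+), rc_type is (\d+), "
    r"request is (\w+) -> NOT_GRANTED")
ADF_RE = re.compile(
    r"rsbac_adf_request\(\): request (\w+), caller_pid \d+, "
    r"caller_prog_name ([^,]+), .*?target-type (\w+), tid .*?Path (.+?), "
    r"attr .*result NOT_GRANTED\s+by RC")


def summarize_denials(log_text):
    """Map (role, fd_type, request) -> set of (program, target_type, path)."""
    summary = defaultdict(set)
    pending = None  # last unmatched check_comp_rc() denial
    for line in log_text.splitlines():
        rc = RC_RE.search(line)
        if rc:
            pending = (int(rc.group(1)), int(rc.group(2)), rc.group(3))
            continue
        adf = ADF_RE.search(line)
        # Pair only when the request names agree; otherwise the lines are
        # unrelated (e.g. interleaved output) and the pairing is dropped.
        if adf and pending and pending[2] == adf.group(1):
            summary[pending].add((adf.group(2), adf.group(3), adf.group(4)))
        if adf:
            pending = None
    return dict(summary)


if __name__ == "__main__":
    for (role, fd_type, request), hits in sorted(summarize_denials(SAMPLE_LOG).items()):
        for prog, ttype, path in sorted(hits):
            print(f"role {role} lacks {request} on type {fd_type}: "
                  f"{prog} -> {ttype} {path}")
```

Grouping by the triple shows which denials a single grant would clear, and the attached paths show what else currently shares that FD type before a right is added to the role.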