Re: Roles question


From: steve <steve@clublinux.org>
Subject: Re: Roles question
Date: Tue, 31 Jul 2001 11:02:29 -0500

Next Article (by Author): Re: /etc protection steve
Previous Article (by Author): Re: Roles question steve
Top of Thread: Roles question steve
Next in Thread: Re: Roles question Amon Ott
Articles sorted by: [Date] [Author] [Subject]


Ahhh... I think I'm beginning to see the light on how this is supposed
to work.  

Now, it says it can't READ_OPEN the library in question.  So, in order
to give qmail-qstat read access to the system libraries without giving
it read access to the rest of the files on the system, I should create
and FD type for libraries, and assign that FD type to /lib and /usr/lib
leaving the files in those directories to "inherit" their FD from their
parent.  Then, give role 3 READ_OPEN access to that FD type.

Am I on the right path here?

Thanks a bunch,
Steve

Amon Ott wrote:
> 
> On Mon, 30 Jul 2001 steve wrote:
> > My apologies... It was my log cofiguration not showing DEBUG level info.
> >
> > Here is the complete message that is logged:
> >
> > Jul 30 07:43:29 localhost kernel: check_comp_rc(): rc_role is 3, rc_type
> > is 0, request is SEARCH -> NOT_GRANTED!
> > Jul 30 07:43:29 localhost kernel: rsbac_adf_request(): request SEARCH,
> > caller_pid 10826, caller_prog_name qmail-qstat, caller_uid 0,
> > target-type
> > DIR, tid Device 8:10 Inode 2 Path /, attr none, value 0, result
> > NOT_GRANTED
> > by RC
> 
> OK. So your qmail-qstat runs with role 3. You will have to give SEARCH for type
> 0 to this role, what is harmless enough, to allow it to go down the dir tree
> with absolute paths. No dir reading by the role would be allowed, because
> that would require READ right.
> 
> Amon.
> -
> To unsubscribe from the rsbac list, send a mail to
> majordomo@rsbac.org with
> unsubscribe rsbac
> as single line in the body.
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.

Next Article (by Author): Re: /etc protection steve
Previous Article (by Author): Re: Roles question steve
Top of Thread: Roles question steve
Next in Thread: Re: Roles question Amon Ott
Articles sorted by: [Date] [Author] [Subject]


Go to Compuniverse LWGate Home Page.