bind 9.1.3-3 and RC roles problem


From: ghorvath@minolta.hu
Subject: bind 9.1.3-3 and RC roles problem
Date: Sun, 9 Sep 2001 10:50:23 +0100

Next Article (by Date): Re: bind 9.1.3-3 and RC roles problem Arkady A Drovosekov
Previous Article (by Date): Re: /etc protection David Ford
Next in Thread: Re: bind 9.1.3-3 and RC roles problem Arkady A Drovosekov
Articles sorted by: [Date] [Author] [Subject]


Hello,

for general info: I have read all the information available for rsbac 
(however it is not a huge amount..). 
RedHat 7.1, kernel clean 2.4.9 + rsbac. rsbac: 1.1.2.

I like rsbac and played with it a lot but now I have to implement it. Till 
now I have used LIDS. As I see rsbac has a lot of features and is more 
flexible. I really like this modular approach BUT..

I tried to implement the web RC example for named and postfix for the 
beginning.
The result is very interesting: on one machine successful, on the other a 
failure..

Let's speak about bind:
I have created one role: Named Role, and an FD: Named FD.
Bind installed from source package.
On user named (uid 25) I applied RC default role: Named Role.
Created a /chroot/named. Made its RC type FD: Named FD (and for sure 
rc_force and initial role to Named Role).
Grant the basic (Chdir, read, search) rights for Named Role to Named FD. 
Later extended them as necessary.
Grant other rights for Named Role (to General IPC [Create, Delete, 
Read_Write_Open, Read_Open], General FD [Search, Execute, Read_Open]). And 
for System Admin role [Search, Execute] to Named FD.
Grant setuid 25 to /usr/sbin/named. Modified /etc/init.d/named to find 
/chroot/named..

Then I tried to execute /etc/init.d/named  start - On one machine (after a 
few hours of work..) everything is OK..
On the other: rc_role 3 (Named Role) has no create right on its 
def_fd_create_type 0 -> NOT_Granted !!
Okay, if I grant [Create, Delete, Write_Open..] for Named Role to General 
FD, then everything is fine and it is also working. But I do not want to 
grant these rights.. I do not understand. The user's default role is: Named 
Role.
It tries to write to /chroot/named/var/run/named/named.pid and named 
always wants to create it as General FD..
But from its parent dir it should (as on the other machine) do it as Named 
FD..

Please help me. Now I cannot go further if I don't solve this problem. I 
cannot trust in God that on the following occasion everything will work as 
expected.. I should invest a lot of work hours into a script which automates 
such processes. I really want to give back something for your work and 
some *really* practical (and working) examples won't hurt anybody..

Please write to me what to do to give more info if necessary.

As always, excuse the bad English.

Best regards,

Gabor Horvath
e-mail: ghorvath@minolta.hu


-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
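The role/type setup described in the message above, as an added example script (not part of the original post, and not code from the RSBAC project). It makes the step that differed between the two machines explicit: the role's def_fd_create_type is set to the Named FD type, so the pid file named creates under /chroot/named gets a type the role already has rights on, and CREATE never has to be granted on General FD (type 0). RSBAC also has special values for def_fd_create_type (inherit from parent directory, and others); the explicit type number is used here so the script does not depend on them. Assumptions: the admin-tool names and argument order (rc_set_item ROLE n item values..., attr_set_user, attr_set_file_dir -r FD path rc_type_fd n) follow the RSBAC admin tools of that era and should be checked against the local versions; role 3, type 1 and uid 25 are the numbers from the post or chosen for illustration; the force/initial role and the IPC rights from the post are left out. The script defaults to a dry run that only lists the commands, with an audit function that flags broad rights on General FD, so a listing can be reviewed (or diffed between two machines) before it is applied.

```shell
#!/bin/sh
# Added example: RC setup for a chrooted named under RSBAC, dry-run by default.
# Tool syntax and item names are assumed (see lead-in); numbers are illustrative.

NAMED_ROLE=3          # "Named Role"  (assumed role number)
NAMED_FD=1            # "Named FD"    (assumed FD type number; 0 = General FD)
NAMED_UID=25          # uid of user named, as in the post
CHROOT=/chroot/named

# rsbac_cmd: print the command in dry-run mode, execute it otherwise.
rsbac_cmd() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# named_rc_setup: the whole sequence, in the order it should be applied.
named_rc_setup() {
    # Name the role and the FD type (assumed rc_set_item item names).
    rsbac_cmd rc_set_item ROLE "$NAMED_ROLE" name "Named Role"
    rsbac_cmd rc_set_item TYPE "$NAMED_FD" type_fd_name "Named FD"

    # Default role of uid 25 is Named Role.
    rsbac_cmd attr_set_user "$NAMED_UID" rc_def_role "$NAMED_ROLE"

    # Everything under the chroot (recursively) is of type Named FD.
    rsbac_cmd attr_set_file_dir -r FD "$CHROOT" rc_type_fd "$NAMED_FD"

    # Rights of Named Role on Named FD: read the config/zones, and create and
    # remove the pid file. Nothing is granted on General FD beyond the post's
    # SEARCH/EXECUTE/READ_OPEN.
    rsbac_cmd rc_set_item ROLE "$NAMED_ROLE" type_comp_fd "$NAMED_FD" \
        CHDIR SEARCH READ_OPEN WRITE_OPEN CREATE DELETE
    rsbac_cmd rc_set_item ROLE "$NAMED_ROLE" type_comp_fd 0 \
        SEARCH EXECUTE READ_OPEN

    # The decisive setting: files the role creates (var/run/named/named.pid)
    # get type Named FD instead of General FD (0), so the CREATE check is
    # made against a type the role is allowed to create in.
    rsbac_cmd rc_set_item ROLE "$NAMED_ROLE" def_fd_create_type "$NAMED_FD"
}

# audit_general_fd: read a command listing on stdin; return 1 if any line
# grants CREATE, DELETE or a write open on General FD (type 0) to a role.
# Run it over a dry-run listing before applying, or over an exported policy.
audit_general_fd() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *" type_comp_fd 0 "*)
                case " $line " in
                    *" CREATE "*|*" DELETE "*|*" WRITE_OPEN "*|*" READ_WRITE_OPEN "*)
                        printf 'broad right on General FD: %s\n' "$line" >&2
                        bad=1 ;;
                esac ;;
        esac
    done
    return "$bad"
}

# Default is a dry run; pass "apply" to execute the tools (as the RC admin).
case "${1:-dry}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN=1 ;;
esac
named_rc_setup | audit_general_fd
```

Usage: `sh named_rc.sh` lists the commands and exits non-zero if the listing itself would grant a broad right on General FD; `sh named_rc.sh apply` executes them. Running the dry run on both machines and diffing the output is the quickest way to find a setting (such as def_fd_create_type) that was applied on one and not the other.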
