From: Amon Ott <ao@rsbac.org>
Subject: Re: Roles question
Date: Fri, 27 Jul 2001 11:11:38 +0200
Next Article (by Date): rsbac-v1.1.2-pre9 uploaded Amon Ott
Previous Article (by Date): OT: PGP Jörgen_Sigvardsson
Top of Thread: Roles question steve
Next in Thread: Re: Roles question steve
On Fri, 27 Jul 2001 steve wrote:
> > You need to give the role qmail the ability to read appropriate files in
> > /lib (figure out which with ldd progname) and search rights for / as well as
> > other things that RSBAC is arguing about.
>
> I did that. I gave the RC ROLE 'qmail' full access rights (everything
> but secoff rights) to /. I thought that would allow programs running
> under a "forced Role" of qmail to access /.
>
> I just thought of a possible cause. qmail-qstat is just a Bourne shell
> script. Would the "forced RC Role" apply to all of the programs called
> from within the Bourne shell script or even the Bourne shell itself? I
> used ldd to check, and /bin/sh requires the library that is reported in
> the original error message.
>
> Is there a way to get this to work, other than forcing /bin/sh to run as
> RC ROLE 'qmail'?

I am not sure about all qmail behaviour. Your first step should be to enable
debug_adf_rc, e.g. as secoff etc.

    echo debug_adf_rc 1 >/proc/rsbac-info/debug

or use the rsbac_debug_adf_rc kernel parameter. This option gives you roles and
types for all RC denied requests. Please have a look at it.

I will try to investigate this myself.

Amon.
-
To unsubscribe from the rsbac list, send a mail to majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
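Added example, not part of the original mail and not RSBAC's own code: the ldd step from the quoted advice as a small shell helper that lists the library files a forced role must be able to read and the directories that have to be searched to reach them. The function names and the sample ldd output are constructed for illustration, and listing every parent directory (not only /) goes slightly beyond what the mail states.

```sh
#!/bin/sh
# Constructed sample of `ldd /bin/sh` output (not taken from the thread).
SAMPLE_LDD='	libtermcap.so.2 => /lib/libtermcap.so.2 (0x40020000)
	libc.so.6 => /lib/libc.so.6 (0x40024000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Print the interpreter named on a script's #! line (nothing for a binary).
# ldd on a shell script such as qmail-qstat says nothing useful; the
# libraries that matter are those of the interpreter and of each program
# the script calls.
interp_of() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Read ldd output on stdin, print each resolved library path once.
# Handles "name => /path (addr)" and the bare "/path (addr)" loader line;
# skips entries without a file path (vdso, "not found").
ldd_paths() {
    awk '
        { path = "" }
        $2 == "=>" && $3 ~ /^\// { path = $3 }
        $2 != "=>" && $1 ~ /^\// { path = $1 }
        path != "" { print path }
    ' | sort -u
}

# Read absolute paths on stdin, print every parent directory up to /.
# These are the directories the role has to be able to search.
search_dirs() {
    while IFS= read -r p; do
        d=$(dirname "$p")
        while :; do
            printf '%s\n' "$d"
            [ "$d" = "/" ] && break
            d=$(dirname "$d")
        done
    done | sort -u
}

# Demo on the constructed sample; on a live system use: ldd /bin/sh | ldd_paths
echo "files to read:";      printf '%s\n' "$SAMPLE_LDD" | ldd_paths
echo "directories to search:"
printf '%s\n' "$SAMPLE_LDD" | ldd_paths | search_dirs
```

The library paths printed are often symlinks, so the files they point to need the same read access.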