Re: Roles question


From: Amon Ott <ao@rsbac.org>
Subject: Re: Roles question
Date: Fri, 27 Jul 2001 11:11:38 +0200



On Fri, 27 Jul 2001 steve wrote:
> > You need to give the role qmail the ability to read appropriate files in
> > /lib (figure out which with ldd progname) and search rights for / as well as
> > other things that RSBAC is arguing about.
> 
> I did that.  I gave the RC ROLE 'qmail' full access rights (everything
> but secoff rights) to /.  I thought that would allow programs running
> under a "forced Role" of qmail to access /.
> 
> I just thought of a possible cause.   qmail-qstat is just a bourne shell
> script.  Would the "forced RC Role" apply to all of the programs called
> from within the bourne shell script or even the bourne shell itself?  I
> used ldd to check, and /bin/sh requires the library that is reported in
> the original error message.
> 
> Is there a way to get this to work, other than forcing /bin/sh to run as
> RC ROLE 'qmail'?   

I am not sure about all qmail behaviour. Your first step should be to enable
debug_adf_rc, e.g. as secoff etc.
echo debug_adf_rc 1 >/proc/rsbac-info/debug
or use rsbac_debug_adf_rc kernel parameter.

This option gives you roles and types for all RC denied requests. Please have a
look at it. I will try to investigate this myself.

Amon.
