[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Tue Jan 13 17:08:43 CET 2009


Since I have not yet used the MAC module, I don't know the correct
syntax for it; you can use rsbac_fd_menu to make your
changes.

2009/1/13 Gergely Lónyai <alephlg en gmail.com>:
> Hi,
>
> Yes. I added kernel-rsbac to my desktop, and I am sucking at MAC/RC :-(
> [secoff en noder ~]$ attr_set_fd MAC DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2
> attr_set_fd: Invalid attribute MODIFY_SYSTEM_DATA
> [secoff en noder ~]$ attr_set_fd MAC DEV GET_STATUS_DATA 1 /usr/lib/multiload-applet-2
> attr_set_fd: Invalid attribute GET_STATUS_DATA
>
> But I found a sympathetic program: attr_set_net, but it does not include the "MAC NETDEV" pair
> 2nd sympathetic program: acl_grant, but it does not include MAC
> acl_grant USER 1000 MODIFY_SYSTEM_DATA NETDEV :DEFAULT:
>
>
> Aleph
>
> From: Javier J. Martínez Cabezón <tazok.id0 en gmail.com>
>>Is multiload-applet related to GNOME?
>>
>>Why don't you grant it security_level 0 and a category of its own?
>>Keep in mind that MAC checks not only the security level but
>>also security_level[category], so setting this to
>>security_level0[applet] could be fine.
>>
>>I don't think that setting it as trusted would be a good idea...
>>I don't think that granting a GNOME applet MODIFY_SYSTEM_DATA (I don't
>>use the MAC module yet, but I think that this does it: attr_set_fd MAC
>>DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2). Why not only
>>GET_STATUS_DATA?
>>Since MODIFY_SYSTEM_DATA is a write request, the *-property forces the
>>subject and object to have the same clearance level. Keep it in mind.
>>
>>2009/1/13 Gergely Lónyai <alephlg en gmail.com>:
>>> Hi,
>>>
>>> How to resolve this problem? My idea is wrong:
>>>
>>> attr_set_fd MAC DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2
>>> or
>>> attr_set_fd MAC FILE security_level 0 /usr/lib/multiload-applet-2
>>> or
>>> mac_set_trusted FILE add "/usr/lib/multiload-applet-2" 1000
>>> or
>>> Settings /usr/lib/multiload-applet-2 with rsbac_fd_menu.
>>> The multiload-applet-2 is the "bad guy"?
>>>
>>> 0005753827|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid  }��, attr none, value none, result NOT_GRANTED (Softmode) by MAC
>>> 0005753828|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>> 0005753829|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>> 0005753830|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>> 0005753831|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>> 0005753883|rsbac_adf_request(): request GET_STATUS_DATA, pid 2351, ppid 1, prog_name ifplugd, prog_file /sbin/ifplugd, uid 0, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>>
>>>
>>> Aleph
>>> _______________________________________________
>>> rsbac mailing list
>>> rsbac en rsbac.org
>>> http://www.rsbac.org/mailman/listinfo/rsbac

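Added example, not part of the original thread and not RSBAC project code: a small Python parser for the `rsbac_adf_request()` log format quoted above, which counts the requests that were NOT_GRANTED and only passed because of softmode, grouped by deciding module, program, request and target type. The sample lines are constructed in the same format; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Field layout taken from the rsbac_adf_request() lines quoted in the thread.
# "audit uid" is optional (the uid 0 line lacks it) and tid may contain
# unprintable bytes, so both are matched loosely.
LINE_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), pid (?P<pid>\d+), .*?"
    r"prog_file (?P<prog_file>\S+), uid (?P<uid>\d+), .*?"
    r"target_type (?P<target_type>\w+), tid (?P<tid>.*?), attr .*?"
    r"result (?P<result>\w+)(?P<soft> \(Softmode\))? by (?P<modules>.+)$"
)

def parse_line(line):
    """Return the fields of one ADF request line, or None for any other line."""
    m = LINE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["softmode"] = rec.pop("soft") is not None
    rec["modules"] = rec["modules"].split()  # "RC ACL" -> ["RC", "ACL"]
    return rec

def softmode_denials(lines):
    """Count NOT_GRANTED requests that softmode let through, per module named after "by"."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "NOT_GRANTED" and rec["softmode"]:
            for mod in rec["modules"]:
                counts[(mod, rec["prog_file"], rec["request"], rec["target_type"])] += 1
    return counts

# Constructed sample lines (same format as the excerpt in the thread).
_APPLET = ("pid 3714, ppid 1, prog_name multiload-apple, prog_file "
           "/usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, ")
SAMPLE = [
    "0000000001|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, " + _APPLET
    + "tid  }\ufffd\ufffd, attr none, value none, result NOT_GRANTED (Softmode) by MAC",
    "0000000002|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, " + _APPLET
    + "tid eth0, attr none, value none, result NOT_GRANTED (Softmode) by MAC",
    "0000000003|rsbac_adf_request(): request GET_STATUS_DATA, " + _APPLET
    + "tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL",
    "0000000004|rsbac_adf_request(): request GET_STATUS_DATA, pid 2351, ppid 1, "
    "prog_name ifplugd, prog_file /sbin/ifplugd, uid 0, target_type NETDEV, "
    "tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL",
    "0000000005|some unrelated kernel message",
]

if __name__ == "__main__":
    for key, n in softmode_denials(SAMPLE).most_common():
        print(n, *key)
```

Each tuple it reports is a request that would be refused once softmode is switched off, so the list shows which MAC settings still need a decision.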
