[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV

Gergely Lónyai alephlg at gmail.com
Tue Jan 13 17:28:27 CET 2009


Hi,

This kernel would have the Mandriva's "official" RSBAC kernel. :-(
I droping a modul from this kernel?

Aleph

From: Javier J. Martínez Cabezón <tazok.id0 at gmail.com>
>Since I have not yet used the MAC module, I don't know the correct
>syntax related with it, you can use the rsbac_fd_menu to make your
>changes.
>
>2009/1/13 Gergely Lónyai <alephlg at gmail.com>:
>> Hi,
>>
>> Yes. I add kernel-rsbac to my desktop, and i sucking the MAC/RC :-(
>> [secoff at noder ~]$ attr_set_fd MAC DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2
>> attr_set_fd: Invalid attribute MODIFY_SYSTEM_DATA
>> [secoff at noder ~]$ attr_set_fd MAC DEV GET_STATUS_DATA 1 /usr/lib/multiload-applet-2
>> attr_set_fd: Invalid attribute GET_STATUS_DATA
>>
>> But find a simphatic program: attr_set_net but not inclde "MAC NETDEV" pair
>> 2. simpatic program: acl_grant but not include MAC
>> acl_grant USER 1000 MODIFY_SYSTEM_DATA NETDEV :DEFAULT:
>>
>>
>> Aleph
>>
>> From: Javier J. Martínez Cabezón <tazok.id0 at gmail.com>
>>>Multiload-applet is related with gnome?
>>>
>>>Why you don't warrant him security_level 0 and one own category for
>>>him?. Keep in mind that MAC not only check the security level if not
>>>also security_level[category], so if you set this to
>>>security_level0[applet] could be fine.
>>>
>>>I don't think that setting it as trusted would be a good idea...
>>>I don't think that grant a gnome applet MODIFY_SYSTEM_DATA (I don't
>>>use yet MAC module, but I think that this does it : attr_set_fd MAC
>>>DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2. Why not only
>>>GET_STATUS_DATA?.
>>>Since MODIFY_SYSTEM_DATA is a write request the *-property forces that
>>>subject and object have the same clearance level. Keep it in mind.
>>>
>>>2009/1/13 Gergely Lónyai <alephlg at gmail.com>:
>>>> Hi,
>>>>
>>>> How to resolv this problem. My idea is wrong:
>>>>
>>>> attr_set_fd MAC DEV MODIFY_SYSTEM_DATA 1 /usr/lib/multiload-applet-2
>>>> or
>>>> attr_set_fd MAC FILE security_level 0 /usr/lib/multiload-applet-2
>>>> or
>>>> mac_set_trusted FILE add "/usr/lib/multiload-applet-2" 1000
>>>> or
>>>> Settings /usr/lib/multiload-applet-2 with rsbac_fd_menu.
>>>> The multiload-applet-2 is the "bad guy"?
>>>>
>>>> 0005753827|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid  }��, attr none, value none, result NOT_GRANTED (Softmode) by MAC
>>>> 0005753828|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>>> 0005753829|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>>> 0005753830|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>>> 0005753831|rsbac_adf_request(): request GET_STATUS_DATA, pid 3714, ppid 1, prog_name multiload-apple, prog_file /usr/lib/multiload-applet-2, uid 1000, audit uid 1000, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>>> 0005753883|rsbac_adf_request(): request GET_STATUS_DATA, pid 2351, ppid 1, prog_name ifplugd, prog_file /sbin/ifplugd, uid 0, target_type NETDEV, tid eth0, attr none, value none, result GRANTED (Softmode) by RC ACL
>>>>
>>>>
>>>> Aleph
>>>> _______________________________________________
>>>> rsbac mailing list
>>>> rsbac at rsbac.org
>>>> http://www.rsbac.org/mailman/listinfo/rsbac
>>>_______________________________________________
>>>rsbac mailing list
>>>rsbac at rsbac.org
>>>http://www.rsbac.org/mailman/listinfo/rsbac
>> _______________________________________________
>> rsbac mailing list
>> rsbac at rsbac.org
>> http://www.rsbac.org/mailman/listinfo/rsbac
>_______________________________________________
>rsbac mailing list
>rsbac at rsbac.org
>http://www.rsbac.org/mailman/listinfo/rsbac


More information about the rsbac mailing list