headers
1-IT-4-HOSP | 30 Oct 2007 16:52
Picon

Re: RC Problem with klog and syslogd

Hi,

Amon Ott schrieb Am 27.10.2007 18:47:
> So klogd (pid 1985) sends data to syslogd (pid 1975) through Unix 
> socket /dev. Two things that look wrong:
>
> - Path should usually be /dev/log (is /log correct in your system?)
> - The RECEIVE request should show the other process 1985 as partner 
> process (value of attribute "process"). This may be caused by 
> sys_sendto, where the receiver does not see the sender's pid.
>   
"/log" is _not_ correct in my system. It's the default directory 
"/dev/log" and I don't see the reason why the messages says "/log".
I tried to start "syslogd" with the parameter "-p /dev/log" to force 
"syslogd" to use "/dev/log", no changes.
Then I tried "strace -f syslogd", but it says that it uses "/dev/log" 
(than it's unlinked by the -p parameter and again set to "/dev/log"), so 
that looks right for me.
> First of all, you should enable RC debugging to see the exact role and 
> type involved. Either use rsbac_debug_adf_rc kernel parameter, or as 
> user 400 (secoff) call:
>
> echo debug_adf_rc 1 >/proc/rsbac-info/debug
>   
done.
> Depending on your setup, klogd's and syslogd's role are either 999999 
> (boot role) or 2 (root's role). The RC type of /log is 0 by default.
>   
Which "setup" do you mean? The "make menuconfig" before compiling?
> Let us assume the role is 2. Then as user 400 call
(Continue reading)

Permalink | Reply |
headers
Javier Martínez | 30 Oct 2007 17:17
Picon

Re: RC Problem with klog and syslogd

>
> Oct 30 16:55:26 rsbac-etch kernel: 0000023807|check_comp_rc(): pid 1786
> (syslogd), owner 0, rc_role 4, PROCESS rc_type 0, request RECEIVE ->
> NOT_GRANTED!
>
> Oct 30 16:55:26 rsbac-etch kernel: 0000023808|rsbac_adf_request():
> request RECEIVE, pid 1786, ppid 1, prog_name syslogd, prog_file
> /sbin/syslogd, uid 0, target_type UNIXSOCK, tid Device 00:14 Inode 4838
> Path /log, attr process, value 1786, result NOT_GRANTED (Softmode) by RC
>
Here appears that syslogd runs with role 4, probably you should grant
RECEIVE and all neededs rights to role 0 for PROCESS rc_type 0
Permalink | Reply |
headers
Javier Martínez | 30 Oct 2007 17:18
Picon

Re: RC Problem with klog and syslogd

> Here appears that syslogd runs with role 4, probably you should grant
> RECEIVE and all neededs rights to role 0 for PROCESS rc_type 0
>
hmm, mistake sorry, to role 4 for PROCESS rc_type 0...
Permalink | Reply |
headers
Amon Ott | 30 Oct 2007 17:46

Re: RC Problem with klog and syslogd

On Tuesday 30 October 2007 16:52, 1-IT-4-HOSP wrote:
> Amon Ott schrieb Am 27.10.2007 18:47:
> > So klogd (pid 1985) sends data to syslogd (pid 1975) through Unix
> > socket /dev. Two things that look wrong:
> >
> > - Path should usually be /dev/log (is /log correct in your
> > system?) - The RECEIVE request should show the other process 1985
> > as partner process (value of attribute "process"). This may be
> > caused by sys_sendto, where the receiver does not see the
> > sender's pid.
>
> "/log" is _not_ correct in my system. It's the default directory
> "/dev/log" and I don't see the reason why the messages says "/log".
> I tried to start "syslogd" with the parameter "-p /dev/log" to
> force "syslogd" to use "/dev/log", no changes.
> Then I tried "strace -f syslogd", but it says that it uses
> "/dev/log" (than it's unlinked by the -p parameter and again set to
> "/dev/log"), so that looks right for me.

This means that the RSBAC inheritance code does not work correctly. 
What filesystem type is /dev? What exact kernel sources do you use?

> > Depending on your setup, klogd's and syslogd's role are either
> > 999999 (boot role) or 2 (root's role). The RC type of /log is 0
> > by default.
>
> Which "setup" do you mean? The "make menuconfig" before compiling?

Your role configuration, and whether there is a setuid(0) somewhere in 
the init chain, which changes the role from 999999 to 2.
(Continue reading)

Permalink | Reply |
headers
1-IT-4-HOSP | 31 Oct 2007 11:29
Picon

Re: RC Problem with klog and syslogd

Amon Ott schrieb Am 30.10.2007 17:46:
> This means that the RSBAC inheritance code does not work correctly. 
> What filesystem type is /dev? What exact kernel sources do you use?
>   
Filesystem is udev on /dev type tmpfs.
Kernel is 2.6.22.1 from kernel.org with 
"patch-linux-2.6.22.1-rsbac-1.3.5", "rsbac-common-1.3.5" and 
"rsbac-admin-1.3.5"
> Here we come to the clue: You enabled "Check partner process" in the 
> kernel config. You need to allow RECEIVE for role 4 to PROCESS type 0 
> (type_comp_process).
> This is what comes as a result. With the partner process check, there 
> are actually two requests in one.
>   
You're completely right! With this permission it works fine. Thank you 
very much :-)
Should I disable "Check partner process" with the next version I compile?

Dustin
Permalink | Reply |
headers
Amon Ott | 31 Oct 2007 11:56

Re: RC Problem with klog and syslogd

On Wednesday 31 October 2007 11:29, 1-IT-4-HOSP wrote:
> Amon Ott schrieb Am 30.10.2007 17:46:
> > This means that the RSBAC inheritance code does not work
> > correctly. What filesystem type is /dev? What exact kernel
> > sources do you use?
>
> Filesystem is udev on /dev type tmpfs.
> Kernel is 2.6.22.1 from kernel.org with
> "patch-linux-2.6.22.1-rsbac-1.3.5", "rsbac-common-1.3.5" and
> "rsbac-admin-1.3.5"

Can you please retry with 
http://download.rsbac.org/kernels/1.3.6/2.6.23.1/linux-2.6.23.1-rsbac-1.3.6.tar.bz2 ?

> > Here we come to the clue: You enabled "Check partner process" in
> > the kernel config. You need to allow RECEIVE for role 4 to
> > PROCESS type 0 (type_comp_process).
> > This is what comes as a result. With the partner process check,
> > there are actually two requests in one.
>
> You're completely right! With this permission it works fine. Thank
> you very much :-)
> Should I disable "Check partner process" with the next version I
> compile?

These extra checks are fine, if you want better separation. Just keep 
in mind that more rights have to be given.

Amon.
--

--
(Continue reading)

Permalink | Reply |

Gmane