learned policy do not work - symlink

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Postby Raf256 » Fri Dec 30, 2005 2:29 am

root@lore:/etc/grsec# gradm -E
Duplicate object found for "/dev/adsp0" in role raf256, subject /, on line 1177 of /etc/grsec/policy.
"/dev/adsp0" references the same object as the following object(s):
/dev/adsp (due to symlinking/hardlinking)
/dev/adsp0 (due to symlinking/hardlinking)
specified on an earlier line.
The RBAC system will not load until this error is fixed.

root@lore:/etc/grsec# file /dev/adsp
/dev/adsp: symbolic link to `adsp0'
root@lore:/etc/grsec# file /dev/adsp0
/dev/adsp0: character special (14/12)

Shouldn't the learning code automatically fix such problems (or shouldn't RBAC ignore them)?
Raf256
 
Posts: 72
Joined: Mon Sep 19, 2005 8:38 pm
Location: Europe

Postby Raf256 » Fri Dec 30, 2005 10:26 am

There are many problems like the above in the generated policy.

It is a "file aliasing" problem, right?

If this is not solved, then perhaps a solution would be to add new flags, meaning:
1) if this symlink S points to an already defined rule/file F, then use the rules of target file F on this symlink S (copy them)
2) ..., then discard this problem and still use the rules of S on the symlink, even if it will allow access to F in another way
3) ... while accessing symlink S, allow it only if *BOTH* restrictions defined by target file F and symlink S are met.

Rule 3) seems most reasonable to me.
And the learning process will set flag 3 while learning, if the symlink existed then.

or something similar?
Raf256
 
Posts: 72
Joined: Mon Sep 19, 2005 8:38 pm
Location: Europe

Re: learned policy do not work - symlink

Postby Hue-Bond » Tue Feb 28, 2006 5:56 pm

Raf256 wrote:
"/dev/adsp0" references the same object as the following object(s):
/dev/adsp (due to symlinking/hardlinking)
/dev/adsp0 (due to symlinking/hardlinking)
specified on an earlier line.

root@lore:/etc/grsec# file /dev/adsp
/dev/adsp: symbolic link to `adsp0'
root@lore:/etc/grsec# file /dev/adsp0
/dev/adsp0: character special (14/12)


RTFM: "You must specify the ACL for the target first, otherwise gradm will report a duplicate".
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm
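
A pre-load check for the aliasing that gradm reports in this thread, as an added example that is not part of the thread and not gradm's own code: it groups a subject's object paths by inode, so symlinks and hardlinks are both caught, and reports whether the final target is listed before the symlink, following the rule quoted in the reply above. The function names and the temporary directory standing in for /dev are constructed for illustration.

```python
import os
import tempfile


def find_aliases(paths):
    """Group policy object paths that refer to the same inode.

    Returns a list of (paths_in_policy_order, target_first) tuples, one per
    group of two or more paths sharing (st_dev, st_ino). os.stat() follows
    symlinks, so symlinks and hardlinks are both caught.
    """
    groups = {}
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue  # dangling symlink or missing object: nothing to alias
        groups.setdefault((st.st_dev, st.st_ino), []).append(path)

    findings = []
    for members in groups.values():
        if len(members) < 2:
            continue
        # Ordering rule quoted in the thread: the final link target should
        # be listed before any symlink that resolves to it.
        target_first = not os.path.islink(members[0])
        findings.append((members, target_first))
    return findings


def demo():
    # Constructed stand-in for /dev: a regular file plays the device node.
    with tempfile.TemporaryDirectory() as dev:
        adsp0 = os.path.join(dev, "adsp0")
        adsp = os.path.join(dev, "adsp")
        dsp = os.path.join(dev, "dsp")
        open(adsp0, "w").close()
        open(dsp, "w").close()
        os.symlink("adsp0", adsp)  # same layout as shown in the post
        learned = find_aliases([adsp, dsp, adsp0])    # symlink listed first
        reordered = find_aliases([adsp0, dsp, adsp])  # target listed first
        names = lambda res: [([os.path.basename(p) for p in m], ok) for m, ok in res]
        return names(learned), names(reordered)


if __name__ == "__main__":
    for label, result in zip(("learned order", "reordered"), demo()):
        print(label, result)
```
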

Postby `VL » Wed Oct 11, 2006 12:27 pm

RTFM: "You must specify the ACL for the target first, otherwise gradm will report a duplicate".

...and the question is: in which FM is this written? Give us a link, please...
`VL
 
Posts: 28
Joined: Wed Feb 23, 2005 2:11 pm

