Why security hole in ACL?
Posted: Fri Jan 05, 2007 3:51 pmCurrently i`m rewriting manally auto-generated ACLs(that works fine, thank you for the great job!) to reduce it`s number, use inheritance and so on.
I tried to put rules the following rule for /dev in role`s root policy
which means that processes in that role can find /dev directory. As i understood from documentation, no access granted to contents of this directory(it can only be listed).
When i started gradm with such, policy it talled me that there are holes in it, because it allows access to /dev/grsec,/dev/kmem and so. But it actually doesn`t! ( or am i wrong?)
I removed /dev rule from root ACL of role and moved it to subject (bash). After this manipulation i was able to run this policy. I checked that bash can`t red /dev/grsec (ACL system doesn`t allow it, causing Permission denied message).
So, my question is: is that policy check wrong or i misunderstand something?
Thank you for attention and all the job done.
I tried to put rules the following rule for /dev in role`s root policy
- Code: Select all
/dev
which means that processes in that role can find /dev directory. As i understood from documentation, no access granted to contents of this directory(it can only be listed).
When i started gradm with such, policy it talled me that there are holes in it, because it allows access to /dev/grsec,/dev/kmem and so. But it actually doesn`t! ( or am i wrong?)
I removed /dev rule from root ACL of role and moved it to subject (bash). After this manipulation i was able to run this policy. I checked that bash can`t red /dev/grsec (ACL system doesn`t allow it, causing Permission denied message).
So, my question is: is that policy check wrong or i misunderstand something?
Thank you for attention and all the job done.