Problem with nested subject

Postby superbock » Fri May 16, 2003 9:46 am

Hi!

Subject in default ACL/role (included from file "process")

subject /usr/sbin/logrotate:/bin/gzip {
/var/log/pacct* rw
}

# gradm -R
Password:
No object /bin/gzip found for nested subject /usr/sbin/logrotate:/bin/gzip specified on line 189 of /etc/grsec/process.

# ll /bin/gzip
-rwxr-xr-x 3 root root 51228 Aug 24 2001 /bin/gzip

# ll /usr/sbin/logrotate
-rwxr-xr-x 1 root root 31136 Sep 4 2001 /usr/sbin/logrotate

How come /bin/gzip is not found?

Brad, you have my ACLs; you should find this one commented.

TIA
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Postby spender » Fri May 16, 2003 2:05 pm

You need an object for /bin/gzip in your logrotate subject. The error isn't saying that the file doesn't exist, just that you need to add the object to your configuration.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby superbock » Fri May 16, 2003 2:12 pm

Erm.. good point! Thanks.
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Postby superbock » Fri May 16, 2003 9:05 pm

Uhm..

ACL:

subject /usr/sbin/logrotate:/bin/gzip {
/var/log/pacct* rw
/bin/gzip rx
}

gradm:

No object /bin/gzip found for nested subject /usr/sbin/logrotate:/bin/gzip specified on line 189 of /etc/grsec/process.

If I have /bin/gzip rx in subject /usr/bin/logrotate, I get this:

Default ACL object not found for role default subject /bin/gzip
The RBAC system will not load until you correct this error.

If this is in the default role and default ACL, what would be the need to specify gzip as an object? logrotate should be able to use gzip with no problem, without stating so explicitly. No? Maybe not :)
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Postby spender » Sat May 17, 2003 3:44 pm

You need to first have a /usr/sbin/logrotate subject. It should look like:

subject /usr/sbin/logrotate {
/bin/gzip rx
}

Then, after that, your nested subject:

subject /usr/sbin/logrotate:/bin/gzip {
/blahblah
}

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
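The arrangement Brad describes, written out as one complete policy fragment. This is an added example, not something posted in the thread: the paths are the ones from superbock's ACL, the parent subject is declared before the nested subject as Brad says, and the "/" default object in each subject is an assumption (gradm's "Default ACL object not found" message suggests every subject needs one, but the thread does not state it). Objects that gzip and logrotate would also need in practice (shared libraries, /etc, /tmp) are left out and marked as such.

```text
# Added example, not from the thread. Assumes each subject needs a "/"
# default object (the 'h' mode hides everything not listed below it).

# Parent subject: the /bin/gzip object with x mode must be here before
# any nested subject naming /bin/gzip can be declared.
subject /usr/sbin/logrotate {
	/			h
	/bin/gzip		rx
	/var/log/pacct*		rw
	# other objects logrotate needs (libraries, config files) omitted
}

# Nested subject: applies to gzip only when it is executed from the
# logrotate subject above. Declared after the parent subject.
subject /usr/sbin/logrotate:/bin/gzip {
	/			h
	/var/log/pacct*		rw
	# other objects gzip needs (shared libraries, etc.) omitted
}
```

The order matters: gradm resolves the "/bin/gzip" half of the nested subject name by looking it up as an object of the already-parsed /usr/sbin/logrotate subject, which is why the first error in the thread went away only once that object existed.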

Postby superbock » Sun May 18, 2003 12:16 am

I'm starting to feel like a pain in the ass... :o

My fault, I didn't point this out in my previous post; it would have avoided this one.. but I also did what you're saying.

And I get:

Default ACL object not found for role default subject /bin/gzip
The RBAC system will not load until you correct this error.

Regards,
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm
