Unexpected behavior of 's' (suppress logs) object flag

Post by Kyoshiro » Tue Jan 11, 2005 9:42 pm

It seems that when I add the 's' flag to any object, it gives full access... For example, I set this subject:

Code:
subject / {
        /               r
        /opt            rx
        /initrd         sh
        /root           sh
...
}


It gives full access to /root and /initrd to the related role. I remove the 's' flags, and access is denied and logged.

Either I have misunderstood the suppress flag, or there's an issue in gradm/grsec here :p.

PS: I'm using latest grsec and gradm (v2.1.0) + kernel 2.4.28 + secfixes
Kyoshiro
 
Posts: 20
Joined: Thu Aug 12, 2004 5:45 pm

Post by spender » Wed Jan 12, 2005 1:11 am

The suppress flag is broken in 2.1.0. I have fixed it in 2.1.1, a test release of which is available at http://grsecurity.net/~spender

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by Kyoshiro » Wed Jan 12, 2005 6:02 am

Thanks a lot, I'll wait for 2.1.1 to be released then :)
Kyoshiro
 
Posts: 20
Joined: Thu Aug 12, 2004 5:45 pm

