grsecurity forums

Skip to content

Unexpected behavior of 's' (suppress logs) object flag

Submit your RBAC policies or suggest policy improvements
Topic locked

Unexpected behavior of 's' (suppress logs) object flag

Postby Kyoshiro » Tue Jan 11, 2005 9:42 pm

It seems that when I add the 's' flag to any object, it gives full access.... For example, I set this subject :

Code: Select all
subject / {
        /               r
        /opt            rx
        /initrd         sh
        /root           sh
...
}


It gives full access to /root and /initrd the related role. I remove the 's' flags, and access is denied and logged.

Either I have misunderstood the suppress flag, or there's an issue in gradm/grsec here :p.

PS: I'm using latest grsec and gradm (v2.1.0) + kernel 2.4.28 + secfixes
Kyoshiro
 
Posts: 20
Joined: Thu Aug 12, 2004 5:45 pm
Top

Postby spender » Wed Jan 12, 2005 1:11 am

The suppress flag is broken in 2.1.0. I have fixed it in 2.1.1, a test release of which is available at http://grsecurity.net/~spender

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top

Postby Kyoshiro » Wed Jan 12, 2005 6:02 am

Thanks a lot, I'll wait for 2.1.1 to be released then :)
Kyoshiro
 
Posts: 20
Joined: Thu Aug 12, 2004 5:45 pm
Top
Topic locked

Return to RBAC policy development

Powered by phpBB® Forum Software © phpBB Group