object does not exist in role

Posted: Fri Jul 20, 2012 6:55 am
by KDE
gradm generates policy with symlinks
gradm -C complains:

Warning: object does not exist in role root, subject /bin/uname for the target of the symlink object /usr/src specified on line 2745 of /etc/grsec/policy

gradm should probably use the target of the symlink instead of the symlink.

Re: object does not exist in role

Posted: Fri Jul 20, 2012 11:35 am
by spender
It shouldn't, since RBAC can place a policy on any symlink, thus an unprivileged user could cause RBAC to make a file that should normally be inaccessible under RBAC, accessible. This is also why this is only a warning and not an error, to prevent an unprivileged user from preventing RBAC from enabling on startup due to such an error.
If the symlink was followed during learning, then an object for the target was created at some point that may have been reduced. The warning can be ignored or fixed easily in such a case. If you're creating policy yourself then you're responsible for creating the appropriate target objects.

-Brad

Re: object does not exist in role

Posted: Fri Jul 20, 2012 1:39 pm
by KDE
If someone created a symlink to a hidden directory and tried to access it, RBAC could follow the symlink, check the target of the symlink against the policy and deny access.
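The following is an added, simplified model of the two approaches discussed in this thread (Brad's point that the policy must stay on the literal symlink path, and the gradm warning about a missing target object); it is not gradm or grsecurity code, and the path-prefix lookup, the "r"/"h" modes and the directory layout under a temporary directory are all constructed for the illustration. It shows why resolving symlink objects to their targets at policy-load time lets the symlink's owner widen the policy, whereas keeping the literal path and checking the resolved target as its own object at access time does not:

```python
import os
import shutil
import tempfile

# Toy policy: object path -> mode string.  "r" = readable, "h" = hidden/no access.
# These modes are a simplification for the demo, not gradm's full mode set.

def load_policy_literal(rules):
    """Keep object paths exactly as written in the policy (what gradm does)."""
    return dict(rules)

def load_policy_resolved(rules):
    """Replace every object path by its current symlink target at load time.
    This is the alternative asked for in the thread; it is shown to be unsafe."""
    return {os.path.realpath(path): mode for path, mode in rules.items()}

def matching_object(policy, path):
    """Longest-prefix match of a path against the policy's object paths."""
    best = None
    for obj in policy:
        if path == obj or path.startswith(obj.rstrip("/") + "/"):
            if best is None or len(obj) > len(best):
                best = obj
    return best

def allowed(policy, path, want):
    obj = matching_object(policy, path)
    return obj is not None and want in policy[obj]

def open_allowed(policy, path, want):
    """The kernel follows symlinks at open time, so the object that matters is
    the one covering the resolved target, not the symlink itself."""
    return allowed(policy, os.path.realpath(path), want)

def symlinks_without_target_object(policy):
    """Reproduce the gradm warning: symlink objects whose target is not covered
    by any object of its own.  Returns (symlink, target) pairs."""
    warnings = []
    for obj in policy:
        if os.path.islink(obj):
            target = os.path.realpath(obj)
            if matching_object(policy, target) is None:
                warnings.append((obj, target))
    return warnings

def scenario():
    """Build a constructed filesystem layout and compare both load strategies."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="rbac-demo-"))
    etc = os.path.join(base, "etc")
    src = os.path.join(base, "usr", "src")
    home = os.path.join(base, "home", "user")
    link = os.path.join(home, "link")          # symlink owned by an unprivileged user
    shadow = os.path.join(etc, "shadow")       # stands in for a file that must stay hidden
    for d in (etc, src, home):
        os.makedirs(d)
    with open(shadow, "w") as f:
        f.write("constructed sample, not a real shadow file\n")
    os.symlink(src, link)                      # during learning, link -> usr/src

    # Rules as they would have been learned while the link pointed at usr/src.
    rules = {etc: "h", src: "r", link: "r"}
    literal = load_policy_literal(rules)
    results = {
        # target usr/src has its own object: no warning
        "warning_with_target": symlinks_without_target_object(literal),
        # target object removed (e.g. by policy reduction): gradm-style warning
        "warning_without_target": symlinks_without_target_object({etc: "h", link: "r"}),
    }

    # The symlink owner re-points the link before the policy is (re)loaded.
    os.remove(link)
    os.symlink(shadow, link)
    resolved = load_policy_resolved(rules)     # "link r" silently becomes "etc/shadow r"

    results["literal_read_shadow_via_link"] = open_allowed(literal, link, "r")    # False
    results["resolved_read_shadow_via_link"] = open_allowed(resolved, link, "r")  # True
    shutil.rmtree(base)
    return results

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

With the literal policy the resolved target still falls under the hidden `etc` object and the open is denied, and the missing-target case surfaces only as a warning that can be fixed by adding an object for the target. With load-time resolution, the policy line the user controlled turns into a grant on whatever the link points at when the policy is loaded.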