object does not exist in role


Post by KDE » Fri Jul 20, 2012 6:55 am

gradm generates policy with symlinks.
gradm -C complains:

Warning: object does not exist in role root, subject /bin/uname for the target of the symlink object /usr/src specified on line 2745 of /etc/grsec/policy

gradm should probably use the target of the symlink instead of the symlink.
KDE
 
Posts: 57
Joined: Sat Feb 09, 2008 5:29 am

Re: object does not exist in role

Post by spender » Fri Jul 20, 2012 11:35 am

It shouldn't, since RBAC can place a policy on any symlink, thus an unprivileged user could cause RBAC to make a file that should normally be inaccessible under RBAC, accessible. This is also why this is only a warning and not an error, to prevent an unprivileged user from preventing RBAC from enabling on startup due to such an error.
If the symlink was followed during learning, then an object for the target was created at some point that may have been reduced. The warning can be ignored or fixed easily in such a case. If you're creating policy yourself then you're responsible for creating the appropriate target objects.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
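
The check behind this warning, as an added example that is not part of the thread and not gradm's own code: it lists symlink objects whose target has no object in the same subject, so the missing target objects can be written by hand. The simplified policy parsing, the exact-path match, the `fs_root` parameter and the sample policy with its `/data/src` target are assumptions made for illustration.

```python
import os
import tempfile

# Constructed sample policy; /data/src is a made-up symlink target.
SAMPLE_POLICY = """\
role root uG
subject /bin/uname o {
    /            h
    /usr/src     r
}
subject /bin/ls o {
    /usr/src     r
    /data/src    r    # object written for the symlink target
}
"""

def missing_symlink_targets(policy_text, fs_root="/"):
    """Return (role, subject, symlink, target) for every symlink object
    whose target has no object of its own in the same subject."""
    role = subject = None
    objects = {}                       # (role, subject) -> object paths
    for raw in policy_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "role":
            role, subject = words[1], None
        elif words[0] == "subject":
            subject = words[1]
            objects[(role, subject)] = []
        elif words[0] == "}":
            subject = None
        elif subject and words[0].startswith("/"):
            objects[(role, subject)].append(words[0])
    findings = []
    for (r, s), paths in objects.items():
        for path in paths:
            on_disk = os.path.join(fs_root, path.lstrip("/"))
            if not os.path.islink(on_disk):
                continue
            # One level of resolution; relative targets are taken
            # relative to the directory holding the symlink.
            target = os.path.normpath(
                os.path.join(os.path.dirname(path), os.readlink(on_disk)))
            if target not in paths:    # assumption: exact-path match
                findings.append((r, s, path, target))
    return findings

def demo():
    """Run the check against a constructed tree where /usr/src is a symlink."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr"))
        os.symlink("/data/src", os.path.join(root, "usr", "src"))
        return missing_symlink_targets(SAMPLE_POLICY, root)
```

The script only reads the policy and the filesystem; whether to add an object for a reported target, and with which access mode, stays a decision for the policy author.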

Re: object does not exist in role

Post by KDE » Fri Jul 20, 2012 1:39 pm

If someone created a symlink to a hidden directory and tried to access it, RBAC could follow the symlink, check the target of the symlink against the policy, and deny access.
KDE
 
Posts: 57
Joined: Sat Feb 09, 2008 5:29 am

