Unable to disable RBAC

Submit your RBAC policies or suggest policy improvements

Unable to disable RBAC

Postby emostar » Thu Apr 27, 2006 7:57 pm

Hello,

I have setup a policy that I thought was decent enough to finally test out.. however, even after I authenticate to admin, I cannot disable RBAC. I run the command 'gradm -a admin' enter the password and it accpets it.

But from that, if I run 'gradm -S' it doesn't show anything... but worse is 'gradm -D' asks for the password, and never accepts it. When I run in full learning mode, it takes the password to disable it... but I see this in the learning log:

default 68 0 0 /bin/bash / 1 1 /sbin/gradm 16 192.168.0.100
default 68 0 0 /bin/bash / 1 1 /sbin/gradm 8 192.168.0.100

When I create a policy from the learning log, it doesn't do anything with /sbin/gradm.

So, it seems that my policy is missing something.. but I don't know what. Can anyone tell me what the above excerpt means?
emostar
 
Posts: 7
Joined: Mon Apr 24, 2006 11:09 pm

Postby Thrawn » Fri Apr 28, 2006 12:17 am

I just post the beginning of one of my policies ...

role admin sA
subject / rvka
/ rwcdmlxi

role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}

role root uG
role_transitions admin
...
...
...
Thrawn
 
Posts: 35
Joined: Wed Nov 23, 2005 9:54 am

Postby emostar » Fri Apr 28, 2006 2:28 am

Thanks for the reply.. I tried yours and it still shows up in the learning log.. here is the beginning of my policy:

role admin sA
subject / {
/ rwcdmlxi
+CAP_ALL
}

role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}

role root uG
role_allow_ip 0.0.0.0/32
role_allow_ip 192.168.0.100/32
role_transitions admin
emostar
 
Posts: 7
Joined: Mon Apr 24, 2006 11:09 pm

Postby spender » Sat Apr 29, 2006 10:35 am

your admin role needs to have the "a" flag for the / subject., otherwise you can't use the admin role to disable the RBAC system (since the "a" flag is needed to use gradm).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby emostar » Mon May 01, 2006 7:13 am

Thanks! That got me working now. :D
emostar
 
Posts: 7
Joined: Mon Apr 24, 2006 11:09 pm

Postby brant » Thu May 04, 2006 12:00 am

1 of 1 lurkers found this post helpful =)
brant
 
Posts: 9
Joined: Fri Feb 03, 2006 2:35 am


Return to RBAC policy development

cron