Gauresh Badve(deleted)
'dumper' running on non-root does not work without secpolgenerate
06/27/2019 9:59 AM
post119767
Let me explain my scenario:
Version: QNX 7.0.0
I am using the secpolgenerate utility to generate a security policy for the dumper. secpolgenerate observes all the behavior of the dumper and creates a policy file at /dev/secpolgenerate/policy.
The command I used for secpolgenerate:
'secpolgenerate -u -t 100'
I start the dumper using the command:
on -T dumper_t /proc/boot/dumper -U 112
(Here 112 is the user id under which I want the dumper to run, and dumper_t is the type defined for the dumper in the security policy file.)
The "pidin ar" command shows the dumper running with user id 112, and the policy file generated at /dev/secpolgenerate/policy shows all the abilities the type dumper_t requires to run the dumper.
The same generated policy (at /dev/secpolgenerate/policy) is added into the security policy document. The new security policy document is compiled using the secpolcompile utility, and the binary of the security policy is added into /proc/boot/secpol.bin.
This time I do not run the command 'secpolgenerate -u -t 100', and I run the dumper with "on -T dumper_t /proc/boot/dumper -U 112".
Now the "pidin ar" command does not show the dumper running.
I believe the secpolgenerate utility generates all the abilities required by the dumper to run. But with the same abilities I don't see the dumper running on non-root, i.e. /proc/boot/dumper -U 112, when we disable the command 'secpolgenerate -u -t 100'.