Installing IPF on Trusted Solaris
I am trying to install and get running the IPF package on Trusted Solaris. The packages (ipfx and ipf) seem to install fine and even run on boot however I can not run some of the support commands like ipfstat
When I run ipfstat I get an error cannot open /dev/kmem. Reading throught he manuals I thought I needed to add some privledges to the application. so I ran the following
setfpriv -s -a all /usr/sbin/ipfstat
and verified it with
getfpriv /usr/sbin/ipfstat
however the behavior did not change.
This seems to be a Security Level issue because booting into single user mode allows the ipfstat application to run fine. Does any one have any ideas as to how I can get the ipfstat application to run?
[752 byte] By [
gallogjj] at [2007-11-25 23:04:43]
# 1
You've only set the allowed privilege set on the binary. That means that the binary will be able to inherit those privileges, but will not always be given them. You'll need to either execute it with a role that has those privileges (given to it through a rights profile) or force the privileges on the binary. Use -f instead of -a on setfpriv. See here for a discussion of how to force privileges :
<a href="http://docs.sun.com/app/docs/doc/805-8120-10/6j7kqn69m?a=view" target="_blank"> http://docs.sun.com/app/docs/doc/805-8120-10/6j7kqn69m?a=vie w</a>
# 2
Thanks for the quick response.I tried running with forced privledges set to 'all' for the binary as well and still had the same behavior.I also tried running as root, secadmin, and admin. I still see the same behaviors.Any other ideas?
# 3
Try running the program using runpd. Here's a link discussing it's usage:
<a href="http://docs.sun.com/app/docs/doc/816-1048/6m7gaddjj?a=view" target="_blank">http://docs.sun.com/app/docs/doc/816-1048/6m7gaddjj?a=view&l t;/a>
And here's another discussing how to enable it:
<a href="http://docs.sun.com/app/docs/doc/816-1048/6m7gaddjm?a=view#manageprogramp rivileges-42" target="_blank"> http://docs.sun.com/app/docs/doc/816-1048/6m7gaddjm?a=view#m anageprogramprivileges-42</a>
That should give you a listing of the other privileges you may need to assign(in case ipfstat is executing something else).
You could also do a "getlabel /dev/kmem" and ensure that you are running at the correct label to access it. I doubt this is the problem though, since when you forced all privileges on the binary, you would have added file_mac_read and file_mac_write to the binary which should override any labelling issues.
