grsecurity forums

[`VL]

Currently i`m rewriting manally auto-generated ACLs(that works fine, thank you for the great job!) to reduce it`s number, use inheritance and so on.

I tried to put rules the following rule for /dev in role`s root policy

Code: Select all

/dev


which means that processes in that role can find /dev directory. As i understood from documentation, no access granted to contents of this directory(it can only be listed).
When i started gradm with such, policy it talled me that there are holes in it, because it allows access to /dev/grsec,/dev/kmem and so. But it actually doesn`t! ( or am i wrong?)

I removed /dev rule from root ACL of role and moved it to subject (bash). After this manipulation i was able to run this policy. I checked that bash can`t red /dev/grsec (ACL system doesn`t allow it, causing Permission denied message).

So, my question is: is that policy check wrong or i misunderstand something?

Thank you for attention and all the job done.

[slimm609]

where in the policy did you add it? it can be considered a security hole. paste that section of the policy and we can take a look to see what up with it.

[`VL]

I`ve published policy files here:
http://vl409.prohosts.org/

You are interested in file: http://vl409.prohosts.org/grsec/roles/root_acl

[brant]

Hello,

You should be able to resolve this with the following in your root role:

Code: Select all

...
/dev
/dev/grsec h
/dev/kmem h
/dev/mem h
/dev/port h
...


This will allow the root role to see /dev, but not allow access to those four areas, which will keep gradm from complaining. =) Hope that helps...