gradm: role root can view /etc/grsec; me: cannot!
Posted: Wed Nov 15, 2006 3:43 pm
I am having problems configuring my first grsec RBAC policy. I have used full learning mode to generate the policy, edited it in a few places, but cannot use it due to the following error:
Code:
achilles grsec # gradm -E
Viewing access is allowed by role root to /etc/grsec, the directory which stores RBAC policies and RBAC password information.
There were 1 holes found in your RBAC configuration. These must be fixed before the RBAC system will be allowed to be enabled.
I have looked everywhere in the policy for evidence of this, but cannot find the ACL it is referring to (I admittedly don't understand the configuration syntax very well). Here is a grep of the file for references to /etc/grsec:
Code:
achilles grsec # grep /etc/grsec policy
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
/etc/grsec h
Every reference to that directory has the hidden flag, and no read/write flag, so I am not sure why I am getting this message. Here is the beginning of my policy:
Code:
role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}
role root uG
role_allow_ip 0.0.0.0/32
role_allow_ip 10.2.0.241/32
subject / {
/
/lib rx
/bin x
/dev
/dev/null rw
/dev/tty rw
/dev/urandom r
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/etc rx
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/proc r
/proc/kcore h
/proc/bus h
/usr
/usr/i686-pc-linux-gnu h
/usr/i686-pc-linux-gnu/binutils-bin/2.16.1/strings x
/usr/i686-pc-linux-gnu/gcc-bin/3.3/gcc x
/usr/sbin h
/usr/sbin/run-crons r
/usr/sbin/syslog-ng
/usr/bin rx
/usr/include r
/usr/lib rx
/usr/share r
/var
/var/spool h
/var/spool/cron h
/var/spool/cron/lastrun
/var/cache
/var/cache/edb
/var/tmp r
/sys h
-CAP_ALL
bind disabled
connect disabled
}
...
Any help would be greatly appreciated.
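Added example (not from the post and not gradm's own analyzer): a small Python model of the rule a grep for the literal string cannot show. Within a subject, grsecurity RBAC resolves a path against the object whose pathname is the longest matching prefix, so a subject with no /etc/grsec object of its own inherits the mode of its nearest parent object (for a subject that lists "/etc rx", that is rx). The policy excerpt below is constructed, modelled on the one quoted above; the parser handles only the line types that excerpt uses and ignores globbed objects and mode letters other than h.

```python
"""Check a grsecurity RBAC policy for subjects that can view /etc/grsec.

Simplified educational model (added example, not gradm's own code): for each
subject, the object whose path is the longest prefix of the target decides
access, and only an object carrying the 'h' (hidden) flag hides the target.
Globbed objects, subject nesting and the other mode letters are not modelled.
"""

# Constructed policy excerpt, modelled on the post: the root "/" subject has
# "/etc rx" but no "/etc/grsec" object of its own, while a second subject does.
SAMPLE_POLICY = """\
role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}
role root uG
role_allow_ip 0.0.0.0/32
subject / {
/
/etc rx
/etc/ssh h
/etc/shadow h
/proc r
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/sbin/run-crons {
/
/etc/grsec h
}
"""


def parse_policy(text):
    """Return {role_name: {subject_path: {object_path: mode_string}}}."""
    roles = {}
    role = subject = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "role":
            role = parts[1]                 # "role root uG" -> "root"
            roles.setdefault(role, {})
            subject = None
        elif parts[0].startswith("role_"):
            continue                        # role_allow_ip etc.: no object rules
        elif parts[0] == "subject":
            subject = parts[1]              # "subject / {" -> "/"
            roles[role][subject] = {}
        elif line == "}":
            subject = None
        elif subject is not None:
            if parts[0][0] in "+-" or parts[0] in ("connect", "bind"):
                continue                    # capability and socket rules
            mode = parts[1] if len(parts) > 1 else ""   # bare path: no flags
            roles[role][subject][parts[0]] = mode
    return roles


def path_matches(obj_path, target):
    """True if obj_path is the target itself or one of its ancestor directories."""
    if obj_path == "/":
        return True
    return target == obj_path or target.startswith(obj_path + "/")


def effective_object(objects, target):
    """Longest-prefix match: the most specific object decides the mode."""
    best = None
    for path, mode in objects.items():
        if path_matches(path, target) and (best is None or len(path) > len(best[0])):
            best = (path, mode)
    return best


def viewing_holes(roles, target="/etc/grsec"):
    """List (role, subject, matched_object, mode) for every subject whose
    effective object for `target` lacks the 'h' flag, i.e. can view it."""
    holes = []
    for role, subjects in roles.items():
        for subject, objects in subjects.items():
            match = effective_object(objects, target)
            if match is not None and "h" not in match[1]:
                holes.append((role, subject, match[0], match[1]))
    return holes


if __name__ == "__main__":
    for role, subject, path, mode in viewing_holes(parse_policy(SAMPLE_POLICY)):
        print(f"role {role} subject {subject}: /etc/grsec inherits '{path} {mode}'")
```

Run against the whole policy file rather than grepping for the literal path: a grep only finds subjects that already carry an explicit /etc/grsec entry, whereas the hole gradm reports comes from a subject that has none and therefore inherits the mode of a parent object such as /etc.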