
Why security hole in ACL?

Posted: Fri Jan 05, 2007 3:51 pm
by `VL
Currently I'm manually rewriting the auto-generated ACLs (which work fine, thank you for the great job!) to reduce their number, use inheritance and so on.

I tried to put the following rule for /dev in the role's root policy:
Code:
/dev

which means that processes in that role can find the /dev directory. As I understood from the documentation, no access is granted to the contents of this directory (it can only be listed).
When I started gradm with such a policy, it told me that there are holes in it, because it allows access to /dev/grsec, /dev/kmem and so on. But it actually doesn't! (Or am I wrong?)

I removed the /dev rule from the root ACL of the role and moved it to a subject (bash). After this manipulation I was able to run this policy. I checked that bash can't read /dev/grsec (the ACL system doesn't allow it, causing a Permission denied message).

So, my question is: is that policy check wrong, or do I misunderstand something?

Thank you for your attention and all the job done.

Posted: Sun Apr 01, 2007 6:38 am
by slimm609
Where in the policy did you add it? It can be considered a security hole. Paste that section of the policy and we can take a look to see what's up with it.

Posted: Sun Apr 01, 2007 8:31 am
by `VL
I've published the policy files here:
http://vl409.prohosts.org/

You are interested in file: http://vl409.prohosts.org/grsec/roles/root_acl

Posted: Sun Apr 15, 2007 10:42 am
by brant
Hello,

You should be able to resolve this with the following in your root role:

Code:
...
/dev
/dev/grsec h
/dev/kmem h
/dev/mem h
/dev/port h
...


This will allow the root role to see /dev, but not allow access to those four areas, which will keep gradm from complaining. =) Hope that helps...
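
Added example, not part of the original thread and not gradm's own code: a small pre-flight check that models why a bare /dev rule leaves the four paths named above unhidden and why the `h` entries clear the complaint. It assumes a simplified model in which the longest matching object path governs a file; the function names and the sample policies are constructed for illustration.

```python
# Simplified model (assumption): an object rule covers its path and everything
# below it unless a longer rule matches. gradm's real analysis does more.
SENSITIVE = ["/dev/grsec", "/dev/kmem", "/dev/mem", "/dev/port"]  # paths from the thread

def parse_objects(text):
    """Parse 'path [mode]' lines of a subject body into {path: mode}."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("/"):
            continue  # skip blanks, comments and non-object lines
        parts = line.split()
        rules[parts[0].rstrip("/") or "/"] = parts[1] if len(parts) > 1 else ""
    return rules

def effective_rule(rules, path):
    """Return (rule_path, mode) of the longest rule covering path, or None."""
    best = None
    for rule_path, mode in rules.items():
        prefix = "/" if rule_path == "/" else rule_path + "/"
        if path == rule_path or path.startswith(prefix):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, mode)
    return best

def unhidden_sensitive(text):
    """List (path, governing_rule) for sensitive paths not marked hidden ('h')."""
    rules = parse_objects(text)
    findings = []
    for path in SENSITIVE:
        match = effective_rule(rules, path)
        # Paths covered by no rule at all are outside this model and skipped.
        if match is not None and "h" not in match[1]:
            findings.append((path, match[0]))
    return findings

# Constructed samples: the rule from the first post and the fix from the last.
BEFORE = "/dev\n"
AFTER = "/dev\n/dev/grsec h\n/dev/kmem h\n/dev/mem h\n/dev/port h\n"

if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, unhidden_sensitive(policy))
```
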