
ok then 2.0 is out but...

PostPosted: Sat Apr 17, 2004 10:44 am
by buzzzo
The 1.9.x release will be available with the future release of kernels... or is it dead?

thx & bye

Re: ok then 2.0 is out but...

PostPosted: Sat Apr 17, 2004 11:37 am
by hightower
buzzzo wrote: The 1.9.x release will be available with the future release of kernels... or is it dead?

1.9.x will be deleted within the next few months. Brad will probably fix important bugs, but yes, it'll be dead soon. Whether there will be another one for 2.4.27 depends on when 2.4.27 will become available ;)

Anyway, you all should move to grsec2.

ciao, Marc

PostPosted: Sat Apr 17, 2004 1:56 pm
by buzzzo
Mmmm... probably this is not good for those who have a lot of grsec 1.9.x in production... anyway, the full learning mode of 2.0 seems very good...

The lack of ACL 2.0 docs, I think, is the biggest problem for those (like me) who have written 1.9.x ACLs.

Thx and Ciao.

PostPosted: Sun Apr 18, 2004 11:48 am
by systemv
Does my 1.9.x config work on 2.0 without modification?

PostPosted: Sun Apr 18, 2004 2:38 pm
by spender
It will work with very minimal modifications. To convert your 1.9 acl to a 2.0 ruleset, follow these rules:

Add an admin role at the top of /etc/grsec/acl:

Code:
role admin sA
subject / r
           / rwcdmxi


Then add a default role, which will encompass all your 1.9 subjects:

Code:
role default G
role_transitions admin


In 2.0, the { }'s enclosing the object definitions are not necessary, but "subject" needs to come before the pathname for the subject.
So a subject would look like:

Code:
subject /bin/su
           /tmp/blah rw
           +CAP_SETUID


You also don't group together connect and bind rules with { }'s. They are now done with one connect or bind rule per line, like so:

Code:
connect 192.168.1.0/24:22 stream tcp
connect 192.168.2.0/24:20-21 stream tcp
bind    0.0.0.0 stream dgram tcp udp


Additionally, since grsecurity 2.0 supports more fine-grained object permissions, if a process needs to create a file, then the object needs "c" added to its object mode in addition to "w". If a process needs to delete a file, then the object needs "d" added to its object mode in addition to "w".

That's all there is to it. Except for the creation/deletion it's just formatting changes.

-Brad
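
A small converter that applies the four rules from the post above, added here as an example; it is not Brad's code and not part of gradm. The 1.9 input layout it expects (a subject line `/path [mode] {`, object and capability lines inside the braces, `connect { ... }` and `bind { ... }` groups) is assumed from the rules described in the post rather than taken from this page, and the sample ACL is constructed. Since a 1.9 rule cannot say whether a writable object is created or deleted, the converter flags every `w` object that lacks `c` or `d` with a comment for manual review instead of silently widening the permission.

```python
"""Convert a grsecurity 1.9-style ACL into the 2.0 ruleset layout.

Assumed 1.9 layout (reconstructed from the conversion rules in the post,
not taken from the original page):

    /path/to/subject [mode] {
        /object/path  mode
        +CAP_xxx / -CAP_xxx
        connect { <addr>:<port> <socket types> <protos> ... }
        bind    { ... }
    }
"""
import re

# 2.0 header from the post: an admin role, then a default role that all
# converted 1.9 subjects fall under.
HEADER = """\
role admin sA
subject / r
           / rwcdmxi

role default G
role_transitions admin
"""

INDENT = " " * 11
SUBJECT_OPEN = re.compile(r"^(/\S*)\s*(\S*)\s*\{$")
NET_OPEN = re.compile(r"^(connect|bind)\s*\{$")

# Constructed sample input in the assumed 1.9 layout.
SAMPLE_19 = """\
/bin/su o {
    /tmp/blah rw
    /etc/passwd r
    +CAP_SETUID
    connect {
        192.168.1.0/24:22 stream tcp
        192.168.2.0/24:20-21 stream tcp
    }
    bind {
        0.0.0.0 stream dgram tcp udp
    }
}
"""


def parse_19(text):
    """Return a list of {'path', 'mode', 'body'} dicts, one per subject.
    'body' holds (kind, line) tuples with kind in obj / cap / net."""
    subjects = []
    cur = None   # subject currently being read
    net = None   # 'connect' or 'bind' while inside such a group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (assumes no '#' in paths)
        if not line:
            continue
        if cur is None:
            m = SUBJECT_OPEN.match(line)
            if not m:
                raise ValueError("expected a subject line, got %r" % raw)
            cur = {"path": m.group(1), "mode": m.group(2), "body": []}
        elif net is not None:
            if line == "}":
                net = None
            else:
                # 2.0 wants one 'connect ...' / 'bind ...' rule per line
                cur["body"].append(("net", net + " " + line))
        elif NET_OPEN.match(line):
            net = NET_OPEN.match(line).group(1)
        elif line == "}":
            subjects.append(cur)
            cur = None
        elif line[0] in "+-":
            cur["body"].append(("cap", line))
        else:
            cur["body"].append(("obj", line))
    if cur is not None:
        raise ValueError("unterminated subject block for " + cur["path"])
    return subjects


def convert_object(line):
    """Keep the object unchanged; 2.0 split create (c) and delete (d) out
    of write, and a 1.9 rule cannot tell us which is needed, so flag
    writable objects for review rather than granting c and d blindly."""
    parts = line.split()
    path = parts[0]
    mode = parts[1] if len(parts) > 1 else ""
    out = INDENT + path + (" " + mode if mode else "")
    if "w" in mode and not {"c", "d"} <= set(mode):
        out += "   # REVIEW: add c (create) and/or d (delete) if needed"
    return out


def convert(text):
    """Produce the full 2.0 ruleset text for a 1.9 ACL."""
    out = [HEADER]
    for s in parse_19(text):
        out.append("subject " + s["path"] + (" " + s["mode"] if s["mode"] else ""))
        for kind, line in s["body"]:
            out.append(convert_object(line) if kind == "obj" else INDENT + line)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(convert(SAMPLE_19))
```

Run it as a script to see the converted ruleset; the REVIEW comments mark exactly the objects the last rule in the post is about, so they can be resolved one by one before the policy is enabled.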

PostPosted: Tue Apr 20, 2004 9:22 am
by olrick
I followed the rules you gave to convert my 1.9 ACL into the 2.0 format and it didn't work.
As soon as I enable grsec with gradm -E my CPU reaches 100% and I get these messages in syslog:
Code:
kernel: Cannot read proc file system: 1 - Operation not permitted.
last message repeated 152695 times

I tried with the default "acl" file that comes with the gradm installation, but it gives exactly the same problem.
Any idea?
Thanks a lot.
Regards