grsecurity forums

[Oscon]

Hello!

I have few problems with "new" cvs-grsec2(2.4 version) and cvs-gradm2.

It seems...Debian woody 3.0r2+ linux-2.4.26 + cvs grsecurity2 (07.09) + cvs gradm2 (07.09) not work!

gradm -E = Segmentation Fault

The earlier cvs-grsec2 (06.25,06.29) and gradm2 (06.25,06.29) was "good".

[spender]

try the current gradm2. Several changes were made since 07/09.

-Brad

[Oscon]

try the current gradm2. Several changes were made since 07/09.

-Brad

Hello...!

I did it!, but it seems ...not work...

1. move: I download the "new" gradm2:

cvs -z3 -d :pserver:anonymous@grsecurity.net:/home/cvs co gradm2

2. move: boot the 2.4.26-grsec (grsec2.0.1 from "new" cvs at 07.23.2004 20:02, I disabled all other grsec function. (PaX, TPE, other restrictions).

3. move: make install .... (gradm 2)

4. move: set gradm passwords
It seems...OK!

Code: Select all

osconsfortress:/media/gre1/gradm2# ./gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
osconsfortress:/media/gre1/gradm2# ./gradm -P
Setting up grsecurity RBAC password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
osconsfortress:/media/gre1/gradm2#

5. move: learnings mode on!...
It seems...OK!

Code: Select all

osconsfortress:/media/gre1/gradm2# ./gradm -F -L /etc/grsec/learning
grsec: (default:D:/media/gre1/gradm2/gradm) Loaded grsecurity 2.0.1
osconsfortress:/media/gre1/gradm2#


...
6. move.: learnings mode off:
It seems...OK!

Code: Select all

osconsfortress:/media/gre1/gradm2# ./gradm -D
Password:
grsec: shutdown auth success for /media/gre1/gradm2/gradm[gradm:1485] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:578] uid/euid:0/0 gid/egid:0/0
osconsfortress:/media/gre1/gradm2


7. move: learnings file to /etc/grsec/policy
It seems...OK!

Code: Select all

osconsfortress:/media/gre1/gradm2# ./gradm -F -L /etc/grsec/learning -O /etc/grsec/policy
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user oscon...done.
Beginning full learning 3rd pass...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/login...done.
Beginning full learning object reduction for subject /sbin/getty...done.
Beginning full learning object reduction for subject /sbin/init...done.
Beginning full learning object reduction for subject /usr/sbin/gpm...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning final pass...done.
osconsfortress:/media/gre1/gradm2#

8. move: verify syntax of /etc/grsec/policy
It seems...OK!

Code: Select all

osconsfortress:/media/gre1/gradm2# ./gradm -E
Duplicate role on line 236 of /etc/grsec/policy.
The RBAC system will not be allowed to be enabled until this error is fixed.


I fix this duplication...and

9. move: start grsec RBAC...failed...

Code: Select all

osconsfortress:/media/gre1/gradm2# ./gradm -E
Segmentation fault
osconsfortress:/media/gre1/gradm2#

[spender]

Can you mail your config to spender@grsecurity.net so I can debug it?

-Brad

[Oscon]

Can you mail your config, so I can debug it?

-Brad

I did this.. now...

Thank you!

Oscon

[rocky]

i'm getting the same problem. using cvs gradm2 and http://grsecurity.net/~spender/grsecuri ... .6.7.patch

this is what kern.log is spitting out.

Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: exec of /sbin/gradm (gradm -E ) by /bin/bash[bash:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: chdir to /etc/grsec by /sbin/gradm[gradm:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: signal 11 sent to /sbin/gradm[gradm:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /sbin/gradm[gradm:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0

[spender]

You can't be. That log isn't a log from a 2.0.1 kernel. If it were, it would have the role name, role type, and subject name with each log.

-Brad

[Eien]

I think the segfault is being issued before the ACLs are enabled.

Based on my reading of the security_alert_good macro in the 2.0.1 patch, the role information is only written if the ACLs have been enabled. (I'm assuming that gr_acl_is_enabled() returns non-zero when the ACLs are enabled and zero when they're not.)

Do you think an strace might help? It might be a bit too much information but it might give us the information we need.

[spender]

You're right, sorry I didn't recognize that they weren't RBAC-related logs.

-Brad

[spender]

The problem has been fixed in current CVS of gradm2.

-Brad