Page 1 of 1

problems with cvs-grsec2 and cvs-gradm2

PostPosted: Tue Jul 27, 2004 4:08 am
by Oscon
Hello!

I have few problems with "new" cvs-grsec2(2.4 version) and cvs-gradm2.

It seems...Debian woody 3.0r2+ linux-2.4.26 + cvs grsecurity2 (07.09) + cvs gradm2 (07.09) not work!

gradm -E = Segmentation Fault

The earlier cvs-grsec2 (06.25,06.29) and gradm2 (06.25,06.29) was "good".

PostPosted: Tue Jul 27, 2004 8:12 am
by spender
try the current gradm2. Several changes were made since 07/09.

-Brad

PostPosted: Tue Jul 27, 2004 8:52 am
by Oscon
spender wrote:try the current gradm2. Several changes were made since 07/09.

-Brad


Hello...!

I did it!, but it seems ...not work...

1. move: I download the "new" gradm2:

cvs -z3 -d :pserver:anonymous@grsecurity.net:/home/cvs co gradm2

2. move: boot the 2.4.26-grsec (grsec2.0.1 from "new" cvs at 07.23.2004 20:02, I disabled all other grsec function. (PaX, TPE, other restrictions).

3. move: make install .... (gradm 2)

4. move: set gradm passwords
It seems...OK!
Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
osconsfortress:/media/gre1/gradm2# ./gradm -P
Setting up grsecurity RBAC password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
osconsfortress:/media/gre1/gradm2#


5. move: learnings mode on!...
It seems...OK!
Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -F -L /etc/grsec/learning
grsec: (default:D:/media/gre1/gradm2/gradm) Loaded grsecurity 2.0.1
osconsfortress:/media/gre1/gradm2#


...
6. move.: learnings mode off:
It seems...OK!
Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -D
Password:
grsec: shutdown auth success for /media/gre1/gradm2/gradm[gradm:1485] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:578] uid/euid:0/0 gid/egid:0/0
osconsfortress:/media/gre1/gradm2


7. move: learnings file to /etc/grsec/policy
It seems...OK!

Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -F -L /etc/grsec/learning -O /etc/grsec/policy
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user oscon...done.
Beginning full learning 3rd pass...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/login...done.
Beginning full learning object reduction for subject /sbin/getty...done.
Beginning full learning object reduction for subject /sbin/init...done.
Beginning full learning object reduction for subject /usr/sbin/gpm...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning final pass...done.
osconsfortress:/media/gre1/gradm2#


8. move: verify syntax of /etc/grsec/policy
It seems...OK!

Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -E
Duplicate role on line 236 of /etc/grsec/policy.
The RBAC system will not be allowed to be enabled until this error is fixed.


I fix this duplication...and

9. move: start grsec RBAC...failed...

Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -E
Segmentation fault
osconsfortress:/media/gre1/gradm2#

PostPosted: Tue Jul 27, 2004 9:12 am
by spender
Can you mail your config to spender@grsecurity.net so I can debug it?

-Brad

PostPosted: Tue Jul 27, 2004 11:34 am
by Oscon
spender wrote:Can you mail your config, so I can debug it?

-Brad


I did this.. now...

Thank you!

Oscon

Same problem

PostPosted: Tue Jul 27, 2004 8:24 pm
by rocky
i'm getting the same problem. using cvs gradm2 and http://grsecurity.net/~spender/grsecuri ... .6.7.patch

this is what kern.log is spitting out.

Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: exec of /sbin/gradm (gradm -E ) by /bin/bash[bash:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: chdir to /etc/grsec by /sbin/gradm[gradm:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: signal 11 sent to /sbin/gradm[gradm:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /sbin/gradm[gradm:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0

PostPosted: Wed Jul 28, 2004 1:29 pm
by spender
You can't be. That log isn't a log from a 2.0.1 kernel. If it were, it would have the role name, role type, and subject name with each log.

-Brad

PostPosted: Wed Jul 28, 2004 4:13 pm
by Eien
I think the segfault is being issued before the ACLs are enabled.

Based on my reading of the security_alert_good macro in the 2.0.1 patch, the role information is only written if the ACLs have been enabled. (I'm assuming that gr_acl_is_enabled() returns non-zero when the ACLs are enabled and zero when they're not.)

Do you think an strace might help? It might be a bit too much information but it might give us the information we need.

PostPosted: Wed Jul 28, 2004 5:47 pm
by spender
You're right, sorry I didn't recognize that they weren't RBAC-related logs.

-Brad

PostPosted: Wed Jul 28, 2004 5:55 pm
by spender
The problem has been fixed in current CVS of gradm2.

-Brad