I am trying to enable the RBAC on my system.
When I do gradm -E i am getting the following error.
- Code: Select all
Reading access is allowed by role root to /lib/modules, the directory which holds kernel kernel modules. The ability to read these images provides an attacker with very useful information for launching "ret-to-libc" style attacks against the kernel.
Reading access is allowed by role root to /proc/kallsyms, a pseudo-file that holds a mapping between kernel addresses and symbols. This information is very useful to an attacker in sophisticated kernel exploits.
There were 2 holes found in your RBAC configuration. These must be fixed before the RBAC system will be allowed to be enabled.
How do I fix this problem.
In my /etc/grsec/policy file the policy specification for the root is like the following
- Code: Select all
role root uG
role_transitions admin
role_allow_ip 0.0.0.0/32
subject / {
/
/bin x
/dev h
/dev/.udev
/dev/.udev/queue.bin wd
/dev/sr0 r
/etc r
/etc/grsec h
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/var h
/var/lib/apt
/var/lib/dpkg/status
/var/run
/var/run/gdm/auth-for-root-9gNbjw/database r
/var/run/usplash.pid r
/var/spool/cron/crontabs
/lib rx
/proc r
/proc/kcore h
/proc/sys h
/proc/bus h
/proc/slabinfo h
/proc/modules h
/root
/root/.local
/root/.recently-used.xbel r
/tmp rwcd
/usr
/usr/local h
/usr/local/lib/python2.6/dist-packages
/usr/local/share
/usr/local/share/icons
/usr/share r
/usr/bin x
/usr/lib rx
/usr/src h
/sys h
/boot h
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/bash o {
/ h
/bin h
/bin/ls x
/sbin h
/sbin/reboot x
/boot
/lib
/lib/modules h
/root
/root/.bash_history ra
/usr
/usr/bin x
/usr/lib
/usr/src h
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/dash o {
/ h
/bin h
/bin/cat x
/bin/dash x
/etc h
/etc/default/rcS r
/etc/init.d/rc x
/etc/ld.so.cache r
/lib h
/lib/ld-2.10.1.so x
/lib/tls/i686/cmov/libc-2.10.1.so rx
/sbin h
/sbin/hwclock x
/sbin/usplash x
/usr h
/usr/bin/tput x
/var h
/var/run
/var/run/sendsigs.omit a
/dev
/dev/tty8 w
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/proc
/proc/kcore h
/proc/sys h
/proc/bus h
/proc/slabinfo h
/proc/modules h
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/rm o {
/ h
/bin h
/bin/rm x
/etc h
/etc/ld.so.cache r
/lib h
/lib/ld-2.10.1.so x
/lib/tls/i686/cmov/libc-2.10.1.so rx
/var h
/var/run/console
/var/run/console/root wd
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/sed o {
/ h
/bin h
/bin/sed x
/etc h
/etc/ld.so.cache r
/lib rx
/lib/modules h
/proc h
/proc/filesystems r
/var h
/var/run/console
/var/run/console/root rwcd
/var/run/console/sedA7fRKV rwcd
/selinux
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/umount o {
/ h
/bin h
/bin/umount x
/lib rx
/lib/modules h
/usr h
/usr/lib r
/etc
/etc/ld.so.cache r
/etc/locale.alias r
/etc/mtab rwcd
/etc/mtab.tmp rwcd
/etc/mtab~ wcdl
/etc/mtab~4752 wcd
/etc/grsec h
/etc/ssh h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/root
-CAP_ALL
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /etc/init.d o {
/
/bin rxi
/etc rxi
/etc/grsec h
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/lib rxi
/lib/modules h
/root h
/root/.local
/sbin xi
/var h
/var/lib/alsa
/var/lib/alsa/asound.state rw
/var/run
/var/run/kerneloops.pid rwd
/dev
/dev/.initramfs
/dev/.initramfs/usplash_fifo w
/dev/null w
/dev/snd/controlC0 rw
/dev/tty8 rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/proc r
/proc/kcore h
/proc/sys h
/proc/bus h
/proc/slabinfo h
/proc/modules h
/usr
/usr/lib rxi
/usr/local h
/usr/local/lib/python2.6/dist-packages
/usr/sbin h
/usr/sbin/kerneloops
/usr/sbin/laptop_mode
/usr/bin xi
/usr/share r
/usr/src h
/sys h
/boot h
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
subject /sbin/hwclock o {
/ h
/dev h
/dev/rtc0 r
/etc h
/etc/ld.so.cache r
/etc/localtime r
/lib h
/lib/ld-2.10.1.so x
/lib/tls/i686/cmov/libc-2.10.1.so rx
/sbin h
/sbin/hwclock x
-CAP_ALL
+CAP_SYS_TIME
bind disabled
connect disabled
}
subject /sbin/init o {
/
/bin h
/bin/dash x
/dev h
/dev/console w
/dev/log rw
/dev/null rw
/proc
/proc/kcore h
/proc/sys h
/proc/bus h
/proc/slabinfo h
/proc/modules h
/etc/grsec h
/etc/ssh h
/etc/passwd h
/etc/shadow h
/var/backups h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/var/log h
/sys h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/boot h
/lib/modules h
/usr/src h
-CAP_ALL
+CAP_KILL
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
subject /sbin/reboot o {
user_transition_allow root
/ h
/etc h
/etc/ld.so.cache r
/etc/locale.alias r
/lib rx
/lib/modules h
/sbin h
/sbin/reboot x
/sbin/shutdown x
/usr h
/usr/lib r
/usr/share h
/usr/share/locale
/usr/share/locale-langpack
/var h
/var/run/utmp r
-CAP_ALL
+CAP_SETUID
bind disabled
connect disabled
}
subject /sbin/shutdown o {
user_transition_allow root
/
/dev h
/dev/pts w
/dev/tty7 w
/lib rx
/lib/tls h
/lib/tls/i686/cmov/libc-2.10.1.so rx
/lib/tls/i686/cmov/libpthread-2.10.1.so rx
/lib/tls/i686/cmov/librt-2.10.1.so rx
/lib/modules h
/sbin h
/sbin/shutdown x
/usr h
/usr/lib r
/usr/share h
/usr/share/locale
/usr/share/locale-langpack
/var h
/var/log/wtmp w
/var/run
/var/run/utmp rw
/etc
/etc/ld.so.cache r
/etc/locale.alias r
/etc/localtime r
/etc/grsec h
/etc/ssh h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/proc
/proc/kcore h
/proc/sys h
/proc/bus h
/proc/slabinfo h
/proc/modules h
/sys h
/boot h
-CAP_ALL
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
subject /sbin/usplash o {
/ h
/dev h
/dev/.initramfs
/dev/.initramfs/usplash_fifo rw
/dev/console rw
/dev/fb0 rw
/dev/tty0 rw
/dev/tty1 rw
/dev/tty8 rw
/etc h
/etc/ld.so.cache r
/lib rx
/lib/tls h
/lib/tls/i686/cmov/libc-2.10.1.so rx
/lib/tls/i686/cmov/libdl-2.10.1.so rx
/lib/modules h
/proc h
/proc/cmdline r
/sbin h
/sbin/usplash x
/sys h
/sys/devices/pci0000:00/0000:00:02.0
/sys/devices/pci0000:00/0000:00:02.0/graphics/fb0/virtual_size r
/usr h
/usr/lib/usplash/usplash-theme-ubuntu.so rx
/var h
/var/run
/var/run/usplash.pid wc
-CAP_ALL
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
subject /usr/bin/Xorg o {
/ h
/dev/tty0 w
/dev/tty7 w
/tmp wd
/var/run/gdm/auth-for-gdm-8zWy3u/database
-CAP_ALL
+CAP_CHOWN
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
subject /usr/bin/gedit o {
/
/etc h
/etc/ld.so.cache r
/etc/locale.alias r
/etc/nsswitch.conf r
/etc/passwd r
/lib rx
/lib/modules h
/proc h
/proc/filesystems r
/var h
/var/run
/var/run/gdm/auth-for-root-9gNbjw/database r
/home
/home/karthik
/home/karthik/tutorial
/home/karthik/tutorial/applicationspecificsettings6 rw
/home/karthik/tutorial/gradm r
/root rwcd
/root/.local h
/root/.local/share
/root/.config
/root/.themes
/tmp rw
/usr
/usr/bin h
/usr/bin/gedit x
/usr/lib rx
/usr/local h
/usr/local/share
/usr/local/share/icons
/usr/share r
/usr/src h
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/sys h
/boot h
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/bin/nautilus o {
/ h
/dev h
/dev/null r
/etc h
/etc/gnome/defaults.list
/etc/localtime
/home h
/home/karthik/tutorial/applicationspecificsettings6
/usr h
/usr/bin h
/usr/bin/gedit x
/usr/local h
/usr/local/share
/usr/local/share/applications
/usr/local/share/icons
/usr/share r
/proc
/proc/kcore h
/proc/sys h
/proc/bus h
/proc/slabinfo h
/proc/modules h
/root rwcd
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/bin/seahorse-daemon o {
/ h
/dev/log rw
/tmp rwd
/usr/share/locale
/usr/share/locale-langpack
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/bin/vim.tiny o {
/ h
/boot h
/boot/grub
/boot/grub/.grub.cfg.swp rwcd
/boot/grub/.grub.cfg.swx rwcd
/boot/grub/grub.cfg rw
/boot/grub/grub.cfz~ wcd
/etc rwcd
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/lib rx
/lib/modules h
/proc h
/proc/filesystems r
/usr h
/usr/bin/vim.tiny x
/usr/lib r
/usr/share/vim
/var h
/var/run
/root r
/selinux
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/lib/bonobo-activation/bonobo-activation-server o {
/
/dev h
/dev/log rw
/dev/null rw
/dev/urandom r
/etc r
/etc/bonobo-activation h
/etc/bonobo-activation/bonobo-activation-config.xml r
/etc/grsec h
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/lib rx
/lib/modules h
/usr h
/usr/lib rx
/usr/share h
/usr/share/locale
/usr/share/locale-langpack
/var h
/var/run
/tmp rwcd
/proc/kcore h
/proc/sys h
/proc/bus h
/proc/slabinfo h
/proc/modules h
/sys h
/boot h
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/lib/gdm/gdm-simple-slave o {
/ h
/tmp
/var/log/wtmp w
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/lib/gvfs/gvfs-fuse-daemon o {
user_transition_allow root
/ h
/bin/umount x
/etc/ld.so.cache r
/etc/mtab
/lib/libgcc_s.so.1 rx
-CAP_ALL
+CAP_SETUID
bind disabled
connect disabled
}
subject /usr/lib/libgconf2-4/gconfd-2 o {
/ h
/root
/root/.gconfd
/root/.gconfd/saved_state rwcd
/root/.gconfd/saved_state.orig rwcd
/root/.gconfd/saved_state.tmp rwcd
/tmp wd
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/lib/libvte9/gnome-pty-helper o {
/ h
/var/log/wtmp w
/var/run/utmp rw
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/sbin/NetworkManager o {
/ h
/dev/log rw
/var/run
/var/run/NetworkManager.pid wd
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/sbin/acpid o {
/ h
/dev/console w
/dev/log rw
-CAP_ALL
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
subject /usr/sbin/console-kit-daemon o {
/ h
/dev h
/dev/log rw
/dev/null r
/etc h
/etc/ConsoleKit/run-session.d
/lib h
/lib/udev/udev-acl x
/usr h
/usr/lib/ConsoleKit/run-session.d
/usr/lib/ConsoleKit/run-session.d/pam-foreground-compat.ck x
/proc
/proc/kcore h
/proc/sys h
/proc/bus h
/proc/slabinfo h
/proc/modules h
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/sbin/gdm-binary o {
/ h
/var/run wd
/var/run/gdm
/var/run/gdm/auth-for-gdm-8zWy3u wd
/var/run/gdm/auth-for-root-9gNbjw wd
-CAP_ALL
+CAP_FOWNER
bind disabled
connect disabled
}
subject /usr/sbin/modem-manager o {
/ h
/dev/console w
/dev/log rw
-CAP_ALL
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
}
