grsecurity forums

by **timbgo** » Fri Feb 17, 2017 2:25 pm

current title: Libvirt virtualization policies
---
I've been trying to deploy policies for libvirtd, qemu, virsh, virt-install and other virtualization programs and this is my third try, in which I finally think I'm getting it right.

I'd like to post how I did it, with lots of detail. Because just to get to the right learning settings it took me a lot of time, and while I might benefit if more advanced grsecurity users review my policies and correct me, it is also likely that newbies can benefit from the polices that I will eventually post, as I believe I'm finally doing it right.

It'll be a few posts.

First, this is how I arrived at the learning polices to set. I'll just diff, consecutively, /etc/grsec/policy files of the fime (I always back up policies, work on the copied back up, and only then substutute the new policy into /etc/grsec/policy.)

EDIT START Sun 26 Feb 21:33:55 CET 2017 :
Before you continue reading this very post, let me update. I have improved my method of posting diffs, and you are likely to get much more readable same content as this same post over at a later post:

( this same topic )
viewtopic.php?f=5&t=4675&p=16997#p16997

I'm leaving the below in case I have made mistakes in my new post linked above.
EDIT END
---
The command that I used:

Code: Select all: # rm -pv j_TMP ; for i in $(ls -1 /mnt/H0214_g0n-r/root/ | grep grsec_170|grep -Ev 'grsec_1702\.d|\.tar|HERE'); do if [ -e "/mnt/H0214_g0n-r/root/$j" ]; then j=$(cat j_TMP); ls -ld /mnt/H0214_g0n-r/root/$j /mnt/H0214_g0n-r/root/$i ; echo diff /mnt/H0214_g0n-r/root/$j /mnt/H0214_g0n-r/root/$i ; echo diff /mnt/H0214_g0n-r/root/$j /mnt/H0214_g0n-r/root/$i ; echo >>/Cmn/m/B/Virt_170215/grsec_list_CMD.txt; diff -u35 /mnt/H0214_g0n-r/root/$j /mnt/H0214_g0n-r/root/$i >>/Cmn/m/B/Virt_170215/grsec_list_CMD.txt ; echo "--------------------" >> /Cmn/m/B/Virt_170215/grsec_list_CMD.txt ; fi; echo $i > j_TMP; cat j_TMP; read FAKE; done ;

BTW, I have finally fully understood and started applying PaX Team's advice that he gave me over at Gentoo Bugzilla:
https://bugs.gentoo.org/show_bug.cgi?id=597554#c24

(I'm just not very fast to learn ;-)

)

And that command above got me:

Code: Select all: -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_01 2017-02-11 12:15:13.245601630 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_02 2017-02-11 12:20:29.643602579 +0100 @@ -3183,70 +3183,71 @@ /usr/bin/vim x /usr/lib64 rx /usr/local h /usr/local/bin rwcd /usr/portage rw /usr/share r /usr/src h /var /var/lib/portage /var/lib/portage/world rw /var/log rw -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_DAC_READ_SEARCH +CAP_FOWNER +CAP_FSETID bind disabled connect disabled # Role: root subject /usr/bin/virsh o / h /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/libvirt r /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/openssl.cnf r + /home/miro r /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /root rwcd /run h /run/libvirt rw /usr h /usr/bin h /usr/bin/virsh rx /usr/lib64 rx /usr/share h /usr/share/locale r /usr/share/terminfo r -CAP_ALL +CAP_DAC_OVERRIDE bind disabled connect disabled sock_allow_family unix inet ipv6 # Role: root subject /usr/bin/wget o / h /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_02 2017-02-11 12:20:29.643602579 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_03 2017-02-11 12:39:48.523606053 +0100 @@ -3681,88 +3681,92 @@ /root r /tmp rwcd /usr/sbin/crond rx /usr h /usr/sbin/sendmail x /var h /var/spool/cron rwd -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_SETGID +CAP_SETUID +CAP_SYS_ADMIN bind disabled connect disabled sock_allow_family unix inet # Role: root subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root subject /usr/sbin/libvirtd o / h /dev h /dev/net/tun rw /dev/null rw + /dev/urandom r /etc h /etc/group r /etc/libvirt r /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /run h /run/libvirt wd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /usr h + /usr/bin + /usr/bin/qemu-system-x86_64 x + /usr/sbin /usr/sbin/libvirtd rx -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW bind disabled connect disabled sock_allow_family unix inet netlink packet # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_03 2017-02-11 12:39:48.523606053 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_04 2017-02-11 12:54:21.220608669 +0100 @@ -3704,70 +3704,71 @@ -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root subject /usr/sbin/libvirtd o / h /dev h /dev/net/tun rw /dev/null rw /dev/urandom r /etc h /etc/group r /etc/libvirt r /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /run h /run/libvirt wd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx + /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW bind disabled connect disabled sock_allow_family unix inet netlink packet # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_04 2017-02-11 12:54:21.220608669 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_05-l 2017-02-11 14:11:20.533622517 +0100 @@ -3676,70 +3676,72 @@ /etc/group r /etc/localtime r /etc/passwd r /proc h /proc/sys/kernel/ngroups_max r /root r /tmp rwcd /usr/sbin/crond rx /usr h /usr/sbin/sendmail x /var h /var/spool/cron rwd -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_SETGID +CAP_SETUID +CAP_SYS_ADMIN bind disabled connect disabled sock_allow_family unix inet # Role: root subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu subject /usr/sbin/libvirtd o / h /dev h /dev/net/tun rw /dev/null rw /dev/urandom r /etc h /etc/group r /etc/libvirt r /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /run h /run/libvirt wd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW bind disabled @@ -4518,70 +4520,74 @@ /etc/gai.conf r /etc/hosts r /etc/localtime r /etc/resolv.conf r /run h /run/clamav/clamd.sock rw /var h /var/lib/clamav rwcd /var/log/clamav rwc -CAP_ALL bind 0.0.0.0/32:0 dgram ip connect 0.0.0.0/0:53 dgram udp connect 127.0.0.1/32:53 dgram udp connect 193.92.150.194/32:80 stream dgram tcp udp connect 195.222.33.229/32:80 stream dgram tcp udp connect 192.168.1.1/32:53 dgram udp sock_allow_family netlink # Role: clamav subject /usr/sbin/clamd o / h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /var/lib/clamav r /var/log/clamav /var/log/clamav/clamd.log a -CAP_ALL bind disabled connect disabled +role kvm gl + +role libvirt gl + role mysql u #role_allow_ip 0.0.0.0/32 user_transition_allow root group_transition_allow root # Role: mysql subject / / h -CAP_ALL bind disabled connect disabled # Role: mysql subject /usr/sbin/mysqld o user_transition_allow root mysql nobody group_transition_allow root mysql nobody / h /sys/devices/system/cpu/online r /tmp rwcd /usr/sbin/mysqld rx /var/lib/mysql rwcd # /var/lib/mysql/performance_schema # /var/lib/mysql/performance_schema/db.opt r -CAP_ALL bind 127.0.0.1/32:3306 stream tcp connect disabled role postfix u role_allow_ip 0.0.0.0/32 user_transition_allow root group_transition_allow root # Role: postfix subject / / h /dev/urandom r /etc/localtime @@ -4618,70 +4624,74 @@ /proc h /proc/sys/kernel/ngroups_max r /root /root/Maildir rwcdl /sys h /sys/devices/system/cpu/online r /usr h /usr/lib64 rx /usr/libexec x /var h /var/lib/postfix rwcd /var/spool/postfix rwcdl /var/tmp -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_SETGID +CAP_SETUID bind 0.0.0.0/32:0 ip dgram stream tcp udp connect 127.0.0.1/32 ip dgram stream tcp udp connect 192.168.1.1/32:53 dgram udp connect 195.29.150.0/24 ip dgram stream tcp udp connect 178.218.165.68/32 ip dgram stream tcp udp sock_allow_family all # Role: postfix subject /usr/sbin/postsuper o user_transition_allow root group_transition_allow root / h /var/spool/postfix wd -CAP_ALL bind disabled connect disabled +role qemu ul +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu + role tcpdump u subject / o / h -CAP_ALL bind disabled connect disabled # Role: tcpdump subject /usr/sbin/tcpdump o user_transition_allow miro root nobody tcpdump group_transition_allow miro root nobody tcpdump / h /Cmn rwc /etc h /etc/host.conf r /etc/hosts r /etc/ld.so.cache r /etc/resolv.conf r /lib64 h /lib64/libnss_dns-2.23.so rx /lib64/libresolv-2.23.so rx /lib64/libresolv.so.2 rx /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /usr h /usr/sbin/tcpdump rx -CAP_ALL +CAP_DAC_OVERRIDE bind 0.0.0.0/32:0 dgram ip connect 127.0.0.1/32:53 dgram udp -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_05-l 2017-02-11 14:11:20.533622517 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_06-l 2017-02-11 14:15:30.337623266 +0100 @@ -4521,72 +4521,76 @@ /etc/hosts r /etc/localtime r /etc/resolv.conf r /run h /run/clamav/clamd.sock rw /var h /var/lib/clamav rwcd /var/log/clamav rwc -CAP_ALL bind 0.0.0.0/32:0 dgram ip connect 0.0.0.0/0:53 dgram udp connect 127.0.0.1/32:53 dgram udp connect 193.92.150.194/32:80 stream dgram tcp udp connect 195.222.33.229/32:80 stream dgram tcp udp connect 192.168.1.1/32:53 dgram udp sock_allow_family netlink # Role: clamav subject /usr/sbin/clamd o / h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /var/lib/clamav r /var/log/clamav /var/log/clamav/clamd.log a -CAP_ALL bind disabled connect disabled role kvm gl +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu role libvirt gl +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu role mysql u #role_allow_ip 0.0.0.0/32 user_transition_allow root group_transition_allow root # Role: mysql subject / / h -CAP_ALL bind disabled connect disabled # Role: mysql subject /usr/sbin/mysqld o user_transition_allow root mysql nobody group_transition_allow root mysql nobody / h /sys/devices/system/cpu/online r /tmp rwcd /usr/sbin/mysqld rx /var/lib/mysql rwcd # /var/lib/mysql/performance_schema # /var/lib/mysql/performance_schema/db.opt r -CAP_ALL bind 127.0.0.1/32:3306 stream tcp connect disabled role postfix u role_allow_ip 0.0.0.0/32 user_transition_allow root group_transition_allow root # Role: postfix subject / / h /dev/urandom r -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_06-l 2017-02-11 14:15:30.337623266 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_07-l 2017-02-11 15:35:09.099637592 +0100 @@ -578,72 +578,72 @@ /usr/lib64/locale/locale-archive r /usr/portage wd -CAP_ALL bind disabled connect disabled # Role: portage subject /usr/bin/wget o / h /dev h /dev/urandom r /etc h /etc/ld.so.cache r /etc/localtime r /etc/wgetrc r /lib64 rx /lib64/modules h /usr h /usr/bin h /usr/bin/wget x /usr/lib64 rx /usr/portage wc /var h /var/log/portage_logs /var/log/portage_logs/wget-fetch.log a -CAP_ALL bind disabled connect 192.168.2.0/24:80 stream tcp connect 192.168.3.0/24:80 stream tcp role root uG role_transitions admin shutdown role_allow_ip 192.168.2.0/24 role_allow_ip 192.168.3.0/24 role_allow_ip 0.0.0.0/32 -user_transition_allow apache miro tcpdump -group_transition_allow apache miro tcpdump +user_transition_allow apache miro tcpdump qemu +group_transition_allow apache miro tcpdump kvm libvirt qemu # Role: root subject / / h /Cmn r /Cmn/Kaff rwxcd /Cmn/MyVideos rwxcd /Cmn/dLo rwxcd /Cmn/gX* rwxcd /Cmn/m* rwxcd /bin rx /sbin rx /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /dev/tty rw /dev/urandom r /etc rx /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /export h /export/data /export/home /home h /home/miro rx /lib64 rx /lib64/firmware h /lib64/firmware/radeon -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_07-l 2017-02-11 15:35:09.099637592 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_08-l 2017-02-11 15:43:59.647639183 +0100 @@ -3712,70 +3712,72 @@ group_transition_allow root kvm libvirt qemu subject /usr/sbin/libvirtd o / h /dev h /dev/net/tun rw /dev/null rw /dev/urandom r /etc h /etc/group r /etc/libvirt r /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /run h /run/libvirt wd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW + +CAP_SETGID + +CAP_DAC_OVERRIDE bind disabled connect disabled sock_allow_family unix inet netlink packet # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID bind disabled connect disabled -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_08-l 2017-02-11 15:43:59.647639183 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_09-l 2017-02-11 15:50:22.619640331 +0100 @@ -3712,70 +3712,71 @@ group_transition_allow root kvm libvirt qemu subject /usr/sbin/libvirtd o / h /dev h /dev/net/tun rw /dev/null rw /dev/urandom r /etc h /etc/group r /etc/libvirt r /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /run h /run/libvirt wd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW + +CAP_SETUID +CAP_SETGID +CAP_DAC_OVERRIDE bind disabled connect disabled sock_allow_family unix inet netlink packet # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_09-l 2017-02-11 15:50:22.619640331 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_10-l 2017-02-11 16:15:47.772644903 +0100 @@ -3695,70 +3695,72 @@ connect disabled sock_allow_family unix inet # Role: root subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/sbin/libvirtd o / h /dev h /dev/net/tun rw /dev/null rw /dev/urandom r /etc h /etc/group r /etc/libvirt r /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h + /proc/sys/kernel r +# /proc/sys/kernel/cap_last_cap r /run h /run/libvirt wd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW +CAP_SETUID +CAP_SETGID +CAP_DAC_OVERRIDE bind disabled connect disabled sock_allow_family unix inet netlink packet # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_10-l 2017-02-11 16:15:47.772644903 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_11-l 2017-02-11 16:37:39.156648834 +0100 @@ -3686,71 +3686,71 @@ /var h /var/spool/cron rwd -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_SETGID +CAP_SETUID +CAP_SYS_ADMIN bind disabled connect disabled sock_allow_family unix inet # Role: root subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/sbin/libvirtd o / h /dev h /dev/net/tun rw /dev/null rw /dev/urandom r /etc h /etc/group r - /etc/libvirt r + /etc/libvirt rwcdl /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /proc/sys/kernel r # /proc/sys/kernel/cap_last_cap r /run h /run/libvirt wd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW +CAP_SETUID +CAP_SETGID +CAP_DAC_OVERRIDE bind disabled connect disabled sock_allow_family unix inet netlink packet # Role: root -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_11-l 2017-02-11 16:37:39.156648834 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_12-l 2017-02-11 18:19:35.056667169 +0100 @@ -3699,74 +3699,76 @@ subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/sbin/libvirtd o / h /dev h /dev/net/tun rw /dev/null rw /dev/urandom r /etc h /etc/group r /etc/libvirt rwcdl /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /proc/sys/kernel r # /proc/sys/kernel/cap_last_cap r /run h /run/libvirt wd + /run/xtables.lock wcd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r + /sys/devices/virtual/net/virbr1 r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW +CAP_SETUID +CAP_SETGID +CAP_DAC_OVERRIDE bind disabled connect disabled sock_allow_family unix inet netlink packet # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_12-l 2017-02-11 18:19:35.056667169 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_13-l 2017-02-11 19:02:20.433674860 +0100 @@ -3681,70 +3681,71 @@ /root r /tmp rwcd /usr/sbin/crond rx /usr h /usr/sbin/sendmail x /var h /var/spool/cron rwd -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_SETGID +CAP_SETUID +CAP_SYS_ADMIN bind disabled connect disabled sock_allow_family unix inet # Role: root subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/sbin/libvirtd o / h /dev h + /dev/kvm rw /dev/net/tun rw /dev/null rw /dev/urandom r /etc h /etc/group r /etc/libvirt rwcdl /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /proc/sys/kernel r # /proc/sys/kernel/cap_last_cap r /run h /run/libvirt wd /run/xtables.lock wcd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /sys/devices/virtual/net/virbr1 r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_13-l 2017-02-11 19:02:20.433674860 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_14-l 2017-02-11 19:22:36.411678505 +0100 @@ -3722,71 +3722,71 @@ /etc/libvirt rwcdl /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /proc/sys/kernel r # /proc/sys/kernel/cap_last_cap r /run h /run/libvirt wd /run/xtables.lock wcd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /sys/devices/virtual/net/virbr1 r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW +CAP_SETUID +CAP_SETGID +CAP_DAC_OVERRIDE bind disabled connect disabled - sock_allow_family unix inet netlink packet + sock_allow_family unix inet ipv6 netlink packet # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID bind disabled connect disabled sock_allow_family unix inet ## Role: root -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_14-l 2017-02-11 19:22:36.411678505 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_15-l 2017-02-11 19:40:40.707681756 +0100 @@ -3722,71 +3722,71 @@ /etc/libvirt rwcdl /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /proc/sys/kernel r # /proc/sys/kernel/cap_last_cap r /run h /run/libvirt wd /run/xtables.lock wcd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /sys/devices/virtual/net/virbr1 r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW +CAP_SETUID +CAP_SETGID +CAP_DAC_OVERRIDE bind disabled connect disabled - sock_allow_family unix inet ipv6 netlink packet + sock_allow_family all # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID bind disabled connect disabled sock_allow_family unix inet ## Role: root -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_15-l 2017-02-11 19:40:40.707681756 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170211_g0n_16-l 2017-02-11 19:48:40.761683195 +0100 @@ -1853,70 +1853,71 @@ /etc/localtime r /etc/nsswitch.conf r /lib64 rx /lib64/modules h /run rw /sbin h /sbin/agetty x /usr h /usr/lib64/locale/locale-archive r /usr/share/locale r /var h /var/log/wtmp w -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_FSETID +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root subject /sbin/init o / h /bin /bin/login x /dev h /dev/console rw /dev/initctl rw /dev/log rw /run h /run/utmp rw /sbin h /sbin/agetty x /usr/sbin/conntrackd r + /usr/sbin/libvirtd r /var h /var/log/wtmp w /var/lib/dhcpcd w -CAP_ALL bind disabled connect disabled # Role: root subject /sbin/installkernel o / h /bin x /boot wc /dev h /dev/tty rw /etc h /etc/ld.so.cache r /lib64 rx /lib64/modules h /proc h /proc/meminfo r /sbin h /sbin/installkernel r /usr h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale/locale-archive r # /usr/src/linux-3.18.5-hardened-r1 -CAP_ALL bind disabled connect disabled # Role: root subject /sbin/macchanger o / h /dev h /dev/hwrng r -------------------- --- /mnt/H0214_g0n-r/root/grsec_170211_g0n_16-l 2017-02-11 19:48:40.761683195 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_00-l 2017-02-12 00:54:57.313738285 +0100 @@ -1853,71 +1853,70 @@ /etc/localtime r /etc/nsswitch.conf r /lib64 rx /lib64/modules h /run rw /sbin h /sbin/agetty x /usr h /usr/lib64/locale/locale-archive r /usr/share/locale r /var h /var/log/wtmp w -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_FSETID +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root subject /sbin/init o / h /bin /bin/login x /dev h /dev/console rw /dev/initctl rw /dev/log rw /run h /run/utmp rw /sbin h /sbin/agetty x /usr/sbin/conntrackd r - /usr/sbin/libvirtd r /var h /var/log/wtmp w /var/lib/dhcpcd w -CAP_ALL bind disabled connect disabled # Role: root subject /sbin/installkernel o / h /bin x /boot wc /dev h /dev/tty rw /etc h /etc/ld.so.cache r /lib64 rx /lib64/modules h /proc h /proc/meminfo r /sbin h /sbin/installkernel r /usr h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale/locale-archive r # /usr/src/linux-3.18.5-hardened-r1 -CAP_ALL bind disabled connect disabled # Role: root subject /sbin/macchanger o / h /dev h /dev/hwrng r @@ -7746,76 +7745,78 @@ /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/openssl.cnf r /home h /home/miro rwcd /lib/modules h /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /run h /run/libvirt rw /sys h /usr h /usr/bin h /usr/bin/virsh rx /usr/lib64 rx /usr/sbin h /usr/sbin/libvirtd x /usr/share h /usr/share/locale r /usr/share/terminfo r /var/log h -CAP_ALL bind disabled connect disabled sock_allow_family unix inet ipv6 -## Role: miro -#subject /usr/bin/virt-install ol -# / h -# -CAP_ALL -# bind disabled -# connect disabled +# Role: miro +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu +subject /usr/bin/virt-install ol + / h + -CAP_ALL + bind disabled + connect disabled # Role: miro subject /usr/bin/wget o / h /Cmn rwc /Cmn/dLo rwcdl /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/certs/ca-certificates.crt r /home /home/miro rwc /lib64 rx /lib64/modules h /mnt wc /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /tmp rwcd /usr h /usr/bin h /usr/bin/wget rx /usr/lib64 rx -------------------- --- /mnt/H0214_g0n-r/root/grsec_170212_g0n_00-l 2017-02-12 00:54:57.313738285 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_01-l 2017-02-12 01:03:08.173739757 +0100 @@ -6991,70 +6991,71 @@ /lib64/modules h /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/meminfo r /proc/modules h /proc/slabinfo h /proc/sys h /usr h /usr/bin h /usr/bin/openssl rx /usr/lib64 h /usr/lib64/libcrypto.so.1.* rx /usr/lib64/libssl.so.1.* rx /usr/share r -CAP_ALL bind 0.0.0.0/32:0 dgram ip # connect 192.168.3.0/24:443 stream tcp connect 0.0.0.0/0:443 stream tcp connect 0.0.0.0/0:993 stream tcp connect 0.0.0.0/0:995 stream tcp connect 192.168.1.1/32:53 dgram udp # Role: miro subject /usr/bin/python2.7 o / h /etc h /etc/ld.so.cache r /lib64 rx /lib64/modules h /usr /usr/bin /usr/bin/python2.7 rx /usr/lib64 rx + /usr/share/virt-manager/virt-install rx /usr/src h -CAP_ALL bind disabled connect disabled sock_allow_family unix inet # Role: miro subject /usr/bin/python3.4m o / h /Cmn h /Cmn/Kaff rwcd /bin h /bin/bash x /dev h /dev/null rw /dev/urandom r /etc h /etc/hosts r /etc/ld.so.cache r /etc/localtime r /etc/mime.types r /etc/resolv.conf /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /sbin h /sbin/ldconfig x /tmp rwcd /usr -------------------- --- /mnt/H0214_g0n-r/root/grsec_170212_g0n_01-l 2017-02-12 01:03:08.173739757 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_02-l 2017-02-12 01:06:38.684740388 +0100 @@ -6985,70 +6985,71 @@ /etc/ssh h /etc/ssl h /etc/ssl/openssl.cnf r /home h /home/miro rw /lib64 rx /lib64/modules h /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/meminfo r /proc/modules h /proc/slabinfo h /proc/sys h /usr h /usr/bin h /usr/bin/openssl rx /usr/lib64 h /usr/lib64/libcrypto.so.1.* rx /usr/lib64/libssl.so.1.* rx /usr/share r -CAP_ALL bind 0.0.0.0/32:0 dgram ip # connect 192.168.3.0/24:443 stream tcp connect 0.0.0.0/0:443 stream tcp connect 0.0.0.0/0:993 stream tcp connect 0.0.0.0/0:995 stream tcp connect 192.168.1.1/32:53 dgram udp # Role: miro subject /usr/bin/python2.7 o / h /etc h /etc/ld.so.cache r + /etc/localtime r /lib64 rx /lib64/modules h /usr /usr/bin /usr/bin/python2.7 rx /usr/lib64 rx /usr/share/virt-manager/virt-install rx /usr/src h -CAP_ALL bind disabled connect disabled sock_allow_family unix inet # Role: miro subject /usr/bin/python3.4m o / h /Cmn h /Cmn/Kaff rwcd /bin h /bin/bash x /dev h /dev/null rw /dev/urandom r /etc h /etc/hosts r /etc/ld.so.cache r /etc/localtime r /etc/mime.types r /etc/resolv.conf /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h -------------------- --- /mnt/H0214_g0n-r/root/grsec_170212_g0n_02-l 2017-02-12 01:06:38.684740388 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_03-l 2017-02-12 01:09:54.846740976 +0100 @@ -6981,87 +6981,75 @@ /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/openssl.cnf r /home h /home/miro rw /lib64 rx /lib64/modules h /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/meminfo r /proc/modules h /proc/slabinfo h /proc/sys h /usr h /usr/bin h /usr/bin/openssl rx /usr/lib64 h /usr/lib64/libcrypto.so.1.* rx /usr/lib64/libssl.so.1.* rx /usr/share r -CAP_ALL bind 0.0.0.0/32:0 dgram ip # connect 192.168.3.0/24:443 stream tcp connect 0.0.0.0/0:443 stream tcp connect 0.0.0.0/0:993 stream tcp connect 0.0.0.0/0:995 stream tcp connect 192.168.1.1/32:53 dgram udp # Role: miro -subject /usr/bin/python2.7 o +subject /usr/bin/python2.7 ol / h - /etc h - /etc/ld.so.cache r - /etc/localtime r - /lib64 rx - /lib64/modules h - /usr - /usr/bin - /usr/bin/python2.7 rx - /usr/lib64 rx - /usr/share/virt-manager/virt-install rx - /usr/src h -CAP_ALL bind disabled connect disabled - sock_allow_family unix inet # Role: miro subject /usr/bin/python3.4m o / h /Cmn h /Cmn/Kaff rwcd /bin h /bin/bash x /dev h /dev/null rw /dev/urandom r /etc h /etc/hosts r /etc/ld.so.cache r /etc/localtime r /etc/mime.types r /etc/resolv.conf /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /sbin h /sbin/ldconfig x /tmp rwcd /usr /usr/bin rx /usr/lib64 rx /usr/lib64/gconv h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale h -------------------- --- /mnt/H0214_g0n-r/root/grsec_170212_g0n_03-l 2017-02-12 01:09:54.846740976 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_04-l 2017-02-12 01:21:22.755743038 +0100 @@ -3720,70 +3720,71 @@ /etc h /etc/group r /etc/libvirt rwcdl /etc/passwd r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /proc/sys/kernel r # /proc/sys/kernel/cap_last_cap r /run h /run/libvirt wd /run/xtables.lock wcd /sbin h /sbin/xtables-multi x /sys h /sys/devices/system/cpu/online r /sys/devices/virtual/net/virbr1 r /usr h /usr/bin /usr/bin/qemu-system-x86_64 x /usr/sbin /usr/sbin/libvirtd rx /var/cache/libvirt rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_NET_ADMIN +CAP_NET_RAW +CAP_SETUID +CAP_SETGID +CAP_DAC_OVERRIDE + +PAX_MPROTECT bind disabled connect disabled sock_allow_family all # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID bind disabled connect disabled -------------------- --- /mnt/H0214_g0n-r/root/grsec_170212_g0n_04-l 2017-02-12 01:21:22.755743038 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_06-l 2017-02-12 01:35:49.066745635 +0100 @@ -3678,116 +3678,75 @@ /etc/passwd r /proc h /proc/sys/kernel/ngroups_max r /root r /tmp rwcd /usr/sbin/crond rx /usr h /usr/sbin/sendmail x /var h /var/spool/cron rwd -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_SETGID +CAP_SETUID +CAP_SYS_ADMIN bind disabled connect disabled sock_allow_family unix inet # Role: root subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root user_transition_allow root qemu group_transition_allow root kvm libvirt qemu -subject /usr/sbin/libvirtd o +subject /usr/sbin/libvirtd ol / h - /dev h - /dev/kvm rw - /dev/net/tun rw - /dev/null rw - /dev/urandom r - /etc h - /etc/group r - /etc/libvirt rwcdl - /etc/passwd r - /proc r - /proc/bus h - /proc/kallsyms h - /proc/kcore h - /proc/modules h - /proc/slabinfo h - /proc/sys h - /proc/sys/kernel r -# /proc/sys/kernel/cap_last_cap r - /run h - /run/libvirt wd - /run/xtables.lock wcd - /sbin h - /sbin/xtables-multi x - /sys h - /sys/devices/system/cpu/online r - /sys/devices/virtual/net/virbr1 r - /usr h - /usr/bin - /usr/bin/qemu-system-x86_64 x - /usr/sbin - /usr/sbin/libvirtd rx - /var/cache/libvirt rwcd -CAP_ALL - +CAP_DAC_READ_SEARCH - +CAP_KILL - +CAP_NET_ADMIN - +CAP_NET_RAW - +CAP_SETUID - +CAP_SETGID - +CAP_DAC_OVERRIDE - +PAX_MPROTECT bind disabled connect disabled - sock_allow_family all # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID bind disabled connect disabled sock_allow_family unix inet ## Role: root -------------------- --- /mnt/H0214_g0n-r/root/grsec_170212_g0n_06-l 2017-02-12 01:35:49.066745635 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_07-l 2017-02-12 01:33:14.894745173 +0100 @@ -3676,72 +3676,72 @@ /etc/group r /etc/localtime r /etc/passwd r /proc h /proc/sys/kernel/ngroups_max r /root r /tmp rwcd /usr/sbin/crond rx /usr h /usr/sbin/sendmail x /var h /var/spool/cron rwd -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_SETGID +CAP_SETUID +CAP_SYS_ADMIN bind disabled connect disabled sock_allow_family unix inet # Role: root subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root -user_transition_allow root qemu -group_transition_allow root kvm libvirt qemu +user_transition_allow root miro qemu +group_transition_allow root miro kvm libvirt qemu subject /usr/sbin/libvirtd ol / h -CAP_ALL bind disabled connect disabled # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID -------------------- --- /mnt/H0214_g0n-r/root/grsec_170212_g0n_07-l 2017-02-12 01:33:14.894745173 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_08-l 2017-02-12 13:48:20.284877396 +0100 @@ -7651,113 +7651,75 @@ /etc/terminfo/r/rxvt-unicode r /etc/vim /etc/vim/vimrc r /etc/vim/vimrc.local r /home h /home/miro rwcd /lib64 rx /lib64/modules h /mnt r /mnt/sd?1 rwcd /mnt/g* rwxcd /proc h /proc/meminfo r /sys h /tmp rwcd /usr /usr/bin x /usr/lib64 rx /usr/local h /usr/local/bin rw /usr/share rwc /usr/share/locale r /usr/src h /var h /var/lib /var/lib/lurker rwcdl /var/tmp rwcd /var/www /var/www/localhost/htdocs rwcdl /var/www/lurker* rwcd -CAP_ALL bind disabled connect disabled # Role: miro -subject /usr/bin/virsh o +subject /usr/bin/virsh ol / h - /boot h - /dev h - /dev/null rw - /dev/urandom r - /etc r - /etc/grsec h - /etc/gshadow h - /etc/gshadow- h - /etc/shadow h - /etc/shadow- h - /etc/ssh h - /etc/ssl h - /etc/ssl/openssl.cnf r - /home h - /home/miro rwcd - /lib/modules h - /lib64 rx - /lib64/modules h - /proc r - /proc/bus h - /proc/kallsyms h - /proc/kcore h - /proc/modules h - /proc/slabinfo h - /run h - /run/libvirt rw - /sys h - /usr h - /usr/bin h - /usr/bin/virsh rx - /usr/lib64 rx - /usr/sbin h - /usr/sbin/libvirtd x - /usr/share h - /usr/share/locale r - /usr/share/terminfo r - /var/log h -CAP_ALL bind disabled connect disabled - sock_allow_family unix inet ipv6 # Role: miro user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/bin/virt-install ol / h -CAP_ALL bind disabled connect disabled # Role: miro subject /usr/bin/wget o / h /Cmn rwc /Cmn/dLo rwcdl /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/certs/ca-certificates.crt r /home /home/miro rwc /lib64 rx /lib64/modules h /mnt wc /proc /proc/bus h /proc/kallsyms h -------------------- --- /mnt/H0214_g0n-r/root/grsec_170212_g0n_08-l 2017-02-12 13:48:20.284877396 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_09-l 2017-02-12 13:52:17.777878108 +0100 @@ -7651,70 +7651,72 @@ /etc/terminfo/r/rxvt-unicode r /etc/vim /etc/vim/vimrc r /etc/vim/vimrc.local r /home h /home/miro rwcd /lib64 rx /lib64/modules h /mnt r /mnt/sd?1 rwcd /mnt/g* rwxcd /proc h /proc/meminfo r /sys h /tmp rwcd /usr /usr/bin x /usr/lib64 rx /usr/local h /usr/local/bin rw /usr/share rwc /usr/share/locale r /usr/src h /var h /var/lib /var/lib/lurker rwcdl /var/tmp rwcd /var/www /var/www/localhost/htdocs rwcdl /var/www/lurker* rwcd -CAP_ALL bind disabled connect disabled # Role: miro +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu subject /usr/bin/virsh ol / h -CAP_ALL bind disabled connect disabled # Role: miro user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/bin/virt-install ol / h -CAP_ALL bind disabled connect disabled # Role: miro subject /usr/bin/wget o / h /Cmn rwc /Cmn/dLo rwcdl /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/certs/ca-certificates.crt r /home /home/miro rwc /lib64 rx --------------------

by **timbgo** » Fri Feb 17, 2017 2:39 pm

And here I'll use the last one (after having reconsidered all the changes browsing through them; also: I have restored my system from clean backup, updated it in the Air-Gapped and cloned it), to start over learning virtualization policies...

Code: Select all: diff -u40 grsec_170215_g0n_00 /mnt/H0214_g0n-r/root/grsec_170212_g0n_08-l --- grsec_170215_g0n_00 2017-02-15 14:23:24.499819097 +0100 +++ /mnt/H0214_g0n-r/root/grsec_170212_g0n_08-l 2017-02-12 13:48:20.284877396 +0100 @@ -573,82 +573,82 @@ /etc/ld.so.cache r /lib64 h /lib64/ld-2.*.so x /lib64/libc-2.*.so rx /usr h /usr/lib64/locale/locale-archive r /usr/portage wd -CAP_ALL bind disabled connect disabled # Role: portage subject /usr/bin/wget o / h /dev h /dev/urandom r /etc h /etc/ld.so.cache r /etc/localtime r /etc/wgetrc r /lib64 rx /lib64/modules h /usr h /usr/bin h /usr/bin/wget x /usr/lib64 rx /usr/portage wc /var h /var/log/portage_logs /var/log/portage_logs/wget-fetch.log a -CAP_ALL bind disabled connect 192.168.2.0/24:80 stream tcp connect 192.168.3.0/24:80 stream tcp role root uG role_transitions admin shutdown role_allow_ip 192.168.2.0/24 role_allow_ip 192.168.3.0/24 role_allow_ip 0.0.0.0/32 -user_transition_allow apache miro tcpdump -group_transition_allow apache miro tcpdump +user_transition_allow apache miro tcpdump qemu +group_transition_allow apache miro tcpdump kvm libvirt qemu # Role: root subject / / h /Cmn r /Cmn/Kaff rwxcd /Cmn/MyVideos rwxcd /Cmn/dLo rwxcd /Cmn/gX* rwxcd /Cmn/m* rwxcd /bin rx /sbin rx /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /dev/tty rw /dev/urandom r /etc rx /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /export h /export/data /export/home /home h /home/miro rx /lib64 rx /lib64/firmware h /lib64/firmware/radeon /lib64/modules h /mnt r /mnt r /mnt/g* rwxcd /opt @@ -1483,159 +1483,159 @@ /var/spool/cron wc -CAP_ALL +CAP_DAC_OVERRIDE bind disabled connect disabled sock_allow_family unix inet # Role: root subject /bin/umount o user_transition_allow root group_transition_allow root / h /bin h /bin/umount x /etc rwcd /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /run /sbin h /sbin/mount.nfs x /usr h /usr/lib64/locale/locale-archive r -CAP_ALL +CAP_SETGID +CAP_SETUID +CAP_SYS_ADMIN bind disabled connect disabled # Role: root subject /etc/cron.daily o user_transition_allow nobody portage root man clamav apache group_transition_allow nobody portage root man clamav apache - / r + / h /Cmn rwc /bin rxi /boot r /dev /dev/bsg /dev/disk /dev/dri /dev/kmem h /dev/log rw /dev/misc /dev/null rw /dev/pktcdvd /dev/tty rw /dev/urandom r /etc rxi /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /home /home/miro r /lib32 r /lib64 rxi /media /mnt r /opt /opt/icedtea-bin-* r /proc r /proc/bus h /proc/kcore h /root rwcd /run wcd /sbin rxi /sys rw /tmp rwcd /usr /usr/bin rxi /usr/etc r /usr/include r /usr/lib32 r /usr/lib64 rxi /usr/libexec rxi /usr/local r /usr/local/bin rwx /usr/portage r /usr/sbin rxi /usr/share r /usr/src r /usr/x86_64-pc-linux-gnu rxi /var /var/cache rwcd /var/db r /var/lib rwcd /var/log rwcd /var/nullmailer r /var/spool rwcd /var/tmp r /var/www r -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_DAC_READ_SEARCH +CAP_FOWNER +CAP_FSETID +CAP_KILL +CAP_SETGID +CAP_SETUID +CAP_IPC_LOCK +CAP_SYS_PTRACE bind 0.0.0.0/32:0 ip dgram stream tcp udp connect disabled sock_allow_family ipv6 netlink # Role: root subject /etc/cron.hourly o user_transition_allow nobody portage root man clamav apache group_transition_allow nobody portage root man clamav apache - / r + / h /Cmn rwc /bin rxi /boot r /dev /dev/bsg /dev/disk /dev/dri /dev/kmem h /dev/log rw /dev/misc /dev/null rw /dev/pktcdvd /dev/tty rw /dev/urandom r /etc rxi /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /home /home/miro r /lib32 r /lib64 rxi /media /mnt r /opt /opt/icedtea-bin-* r /proc r /proc/bus h /proc/kcore h /root rwcd /run wcd /sbin rxi /sys rw /tmp rwcd /usr /usr/bin rxi /usr/etc r /usr/include r /usr/lib32 r @@ -1847,87 +1847,85 @@ /dev/null rw /dev/tty? rw /etc h /etc/group r /etc/issue r /etc/ld.so.cache r /etc/localtime r /etc/nsswitch.conf r /lib64 rx /lib64/modules h /run rw /sbin h /sbin/agetty x /usr h /usr/lib64/locale/locale-archive r /usr/share/locale r /var h /var/log/wtmp w -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_FSETID +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root subject /sbin/init o / h /bin /bin/login x /dev h /dev/console rw /dev/initctl rw /dev/log rw /run h /run/utmp rw /sbin h /sbin/agetty x - /usr/bin/gpg-agent r /usr/sbin/conntrackd r /var h /var/log/wtmp w /var/lib/dhcpcd w -CAP_ALL - +CAP_MKNOD bind disabled connect disabled # Role: root subject /sbin/installkernel o / h /bin x /boot wc /dev h /dev/tty rw /etc h /etc/ld.so.cache r /lib64 rx /lib64/modules h /proc h /proc/meminfo r /sbin h /sbin/installkernel r /usr h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale/locale-archive r # /usr/src/linux-3.18.5-hardened-r1 -CAP_ALL bind disabled connect disabled # Role: root subject /sbin/macchanger o / h /dev h /dev/hwrng r /dev/random r /etc h /etc/ld.so.cache r /lib64 rx /lib64/modules h /sbin h /sbin/macchanger x -CAP_ALL +CAP_NET_ADMIN @@ -2206,81 +2204,81 @@ /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/udev /etc/udev/hwdb.bin r /etc/udev/rules.d r /lib rx /lib/modules r /lib64 rx /lib64/modules r /proc w /proc/bus h /proc/cmdline r /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /run r /run/udev rwcd /run/udev/rules.d /run/udev/rules.d/61-dev-root-link.rules r /sbin h /sbin/udevd rx /sys r /sys/devices rw /usr /usr/src h -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_NET_ADMIN +CAP_SYS_ADMIN bind disabled connect disabled sock_allow_family unix inet netlink # Role: root subject /usr/bin/clamscan o - / r + / h /Cmn r /bin r /boot /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/port h /etc r /etc/freshclam.conf r /etc/ld.so.cache r /export r /home /home/miro r /lib32 r /lib64 rx /lost+found /mnt r /opt /opt/icedtea-bin-* r /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /root r /run /sbin r /sys /tmp rwcd /usr r /usr/bin rx /usr/lib64 rx /usr/local/bin rw /var r /var/log/clamav rwcd -CAP_ALL @@ -3180,80 +3178,81 @@ /root rwcdml /sys h /tmp rwcdl /usr /usr/bin x /usr/bin/vim x /usr/lib64 rx /usr/local h /usr/local/bin rwcd /usr/portage rw /usr/share r /usr/src h /var /var/lib/portage /var/lib/portage/world rw /var/log rw -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_DAC_READ_SEARCH +CAP_FOWNER +CAP_FSETID bind disabled connect disabled # Role: root subject /usr/bin/virsh o / h /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/libvirt r /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/openssl.cnf r + /home/miro r /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /root rwcd /run h /run/libvirt rw /usr h /usr/bin h /usr/bin/virsh rx /usr/lib64 rx /usr/share h /usr/share/locale r /usr/share/terminfo r -CAP_ALL +CAP_DAC_OVERRIDE bind disabled connect disabled sock_allow_family unix inet ipv6 # Role: root subject /usr/bin/wget o / h /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/certs/ca-certificates.crt r @@ -3672,112 +3671,87 @@ /bin/bash x /dev/log rw /etc h /etc/cron.d /etc/cron.d/prune-cronstamps r /etc/group r /etc/localtime r /etc/passwd r /proc h /proc/sys/kernel/ngroups_max r /root r /tmp rwcd /usr/sbin/crond rx /usr h /usr/sbin/sendmail x /var h /var/spool/cron rwd -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_SETGID +CAP_SETUID +CAP_SYS_ADMIN bind disabled connect disabled sock_allow_family unix inet # Role: root subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root -subject /usr/sbin/libvirtd o +user_transition_allow root miro qemu +group_transition_allow root miro kvm libvirt qemu +subject /usr/sbin/libvirtd ol / h - /dev h - /dev/net/tun rw - /dev/null rw - /etc h - /etc/group r - /etc/libvirt r - /etc/passwd r - /proc r - /proc/bus h - /proc/kallsyms h - /proc/kcore h - /proc/modules h - /proc/slabinfo h - /proc/sys h - /run h - /run/libvirt wd - /sbin h - /sbin/xtables-multi x - /sys h - /sys/devices/system/cpu/online r - /usr h - /usr/sbin/libvirtd rx -CAP_ALL - +CAP_DAC_READ_SEARCH - +CAP_KILL - +CAP_NET_ADMIN - +CAP_NET_RAW bind disabled connect disabled - sock_allow_family unix inet netlink packet # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID bind disabled connect disabled sock_allow_family unix inet ## Role: root subject /usr/sbin/postconf o / h /etc h /etc/ld.so.cache r /etc/postfix/main.cf r @@ -3966,81 +3940,81 @@ /etc/ld.so.cache r /etc/terminfo /etc/terminfo/r/rxvt-unicode r /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /proc/sys/fs/nr_open r /proc/sys/vm/dirty_writeback_centisecs r /sys rw /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/powertop rx /usr/share h /usr/share/locale r /usr/share/misc/pci.ids.gz r /usr/share/terminfo /var h /var/cache w /var/cache/powertop w /var/cache/powertop/saved_results.powertop r -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_NET_ADMIN +CAP_IPC_LOCK +CAP_SYS_RAWIO +CAP_SYS_PTRACE +CAP_SYS_ADMIN +CAP_SYS_RESOURCE bind 0.0.0.0/32:0 dgram ip connect disabled sock_allow_family netlink bluetooth # Role: root subject /usr/sbin/rkhunter o - / r + / h /bin x /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /dev/tty rw /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow- h /etc/ssh h /etc/ssh/ssh_config /home h /home/miro /lib64 rx /opt /proc h /proc/meminfo r /root /sbin /usr /usr/bin x /usr/lib64 h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale/locale-archive r /usr/lib64/rkhunter/scripts /usr/local h /usr/local/bin r /usr/local/sbin r /usr/sbin /usr/sbin/rkhunter r /usr/share h /usr/share/locale r /usr/src h /usr/x86_64-pc-linux-gnu h @@ -4282,102 +4256,100 @@ /sys h /sys/class h /sys/class/net /sys/devices h /sys/devices/pci0000:00 h /sys/devices/pci0000:00/0000:00:15.0/0000:05:00.0/net/eth0/ifindex /sys/devices/pci0000:00/0000:00:15.1/0000:06:00.0/net/eth1/ifindex /sys/devices/virtual h /sys/devices/virtual/net/dummy0/ifindex /sys/devices/virtual/net/lo/ifindex /sys/devices/virtual/net/sit0/ifindex /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/tcpdump rx -CAP_ALL +CAP_SETGID +CAP_SETUID +CAP_SETPCAP +CAP_NET_ADMIN +CAP_NET_RAW bind disabled connect disabled sock_allow_family unix inet netlink # Role: root subject /usr/sbin/tripwire o user_transition_allow root group_transition_allow root / /boot r /bin rx /dev /dev/grsec h /dev/kmem h /dev/log rw /dev/port h /etc r /home /home/miro rwcd - /lib rx /lib64 rx /opt /opt/icedtea-bin-* r /proc /proc/bus h /proc/kcore h /proc/slabinfo r /proc/sys h /root rwcd /sbin r /usr /usr/bin r /usr/etc r /usr/lib64 rx /usr/libexec r /usr/local r /usr/sbin rx /usr/share r /usr/src h /usr/x86_64-pc-linux-gnu r - /usr/arm-unknown-linux-gnueabi r /var /var/lib rwcd /var/spool h /var/spool/cron r /var/www r -CAP_ALL +CAP_DAC_OVERRIDE +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID bind disabled connect disabled # Role: root subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ar o / h /etc h /etc/ld.so.cache r /lib64 rx /lib64/modules h /usr h /usr/lib64 h /usr/lib64/binutils/x86_64-pc-linux-gnu/2.25.1/libbfd-2.25.1.so rx /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale/locale-archive r /usr/src h /usr/x86_64-pc-linux-gnu h /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ar x -CAP_ALL bind disabled connect disabled # Role: root subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as o / h /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h @@ -4507,85 +4479,92 @@ -CAP_ALL bind disabled connect disabled # Role: clamav subject /usr/bin/freshclam o / h /etc h /etc/clamd.conf r /etc/gai.conf r /etc/hosts r /etc/localtime r /etc/resolv.conf r /run h /run/clamav/clamd.sock rw /var h /var/lib/clamav rwcd /var/log/clamav rwc -CAP_ALL bind 0.0.0.0/32:0 dgram ip connect 0.0.0.0/0:53 dgram udp connect 127.0.0.1/32:53 dgram udp connect 193.92.150.194/32:80 stream dgram tcp udp connect 195.222.33.229/32:80 stream dgram tcp udp connect 192.168.1.1/32:53 dgram udp sock_allow_family netlink # Role: clamav subject /usr/sbin/clamd o / h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /var/lib/clamav r /var/log/clamav /var/log/clamav/clamd.log a - /run/clamav rwcdl -CAP_ALL bind disabled connect disabled +role kvm gl +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu + +role libvirt gl +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu + role mysql u #role_allow_ip 0.0.0.0/32 user_transition_allow root group_transition_allow root # Role: mysql subject / / h -CAP_ALL bind disabled connect disabled # Role: mysql subject /usr/sbin/mysqld o user_transition_allow root mysql nobody group_transition_allow root mysql nobody / h /sys/devices/system/cpu/online r /tmp rwcd /usr/sbin/mysqld rx /var/lib/mysql rwcd # /var/lib/mysql/performance_schema # /var/lib/mysql/performance_schema/db.opt r -CAP_ALL bind 127.0.0.1/32:3306 stream tcp connect disabled role postfix u role_allow_ip 0.0.0.0/32 user_transition_allow root group_transition_allow root # Role: postfix subject / / h /dev/urandom r /etc/localtime /var/spool/postfix rwcd -CAP_ALL +CAP_SETGID +CAP_SETUID bind 0.0.0.0/32:0 ip dgram stream tcp udp @@ -4612,80 +4591,84 @@ /home /home/miro /home/miro/Maildir rwcdl /lib64 rx /lib64/modules h /proc h /proc/sys/kernel/ngroups_max r /root /root/Maildir rwcdl /sys h /sys/devices/system/cpu/online r /usr h /usr/lib64 rx /usr/libexec x /var h /var/lib/postfix rwcd /var/spool/postfix rwcdl /var/tmp -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_SETGID +CAP_SETUID bind 0.0.0.0/32:0 ip dgram stream tcp udp connect 127.0.0.1/32 ip dgram stream tcp udp connect 192.168.1.1/32:53 dgram udp connect 195.29.150.0/24 ip dgram stream tcp udp connect 178.218.165.68/32 ip dgram stream tcp udp sock_allow_family all # Role: postfix subject /usr/sbin/postsuper o user_transition_allow root group_transition_allow root / h /var/spool/postfix wd -CAP_ALL bind disabled connect disabled +role qemu ul +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu + role tcpdump u subject / o / h -CAP_ALL bind disabled connect disabled # Role: tcpdump subject /usr/sbin/tcpdump o user_transition_allow miro root nobody tcpdump group_transition_allow miro root nobody tcpdump / h /Cmn rwc /etc h /etc/host.conf r /etc/hosts r /etc/ld.so.cache r /etc/resolv.conf r /lib64 h /lib64/libnss_dns-2.23.so rx /lib64/libresolv-2.23.so rx /lib64/libresolv.so.2 rx /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /usr h /usr/sbin/tcpdump rx -CAP_ALL +CAP_DAC_OVERRIDE bind 0.0.0.0/32:0 dgram ip connect 127.0.0.1/32:53 dgram udp role miro u role_allow_ip 0.0.0.0/32 # Role: miro subject / @@ -6953,95 +6936,85 @@ /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/openssl.cnf r /home h /home/miro rw /lib64 rx /lib64/modules h /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/meminfo r /proc/modules h /proc/slabinfo h /proc/sys h /usr h /usr/bin h /usr/bin/openssl rx /usr/lib64 h /usr/lib64/libcrypto.so.1.* rx /usr/lib64/libssl.so.1.* rx /usr/share r -CAP_ALL bind 0.0.0.0/32:0 dgram ip # connect 192.168.3.0/24:443 stream tcp connect 0.0.0.0/0:443 stream tcp connect 0.0.0.0/0:993 stream tcp connect 0.0.0.0/0:995 stream tcp connect 192.168.1.1/32:53 dgram udp # Role: miro -subject /usr/bin/python2.7 o +subject /usr/bin/python2.7 ol / h - /etc h - /etc/ld.so.cache r - /lib64 rx - /lib64/modules h - /usr - /usr/bin - /usr/bin/python2.7 rx - /usr/lib64 rx - /usr/src h -CAP_ALL bind disabled connect disabled - sock_allow_family unix inet # Role: miro subject /usr/bin/python3.4m o / h /Cmn h /Cmn/Kaff rwcd /bin h /bin/bash x /dev h /dev/null rw /dev/urandom r /etc h /etc/hosts r /etc/ld.so.cache r /etc/localtime r /etc/mime.types r /etc/resolv.conf /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /sbin h /sbin/ldconfig x /tmp rwcd /usr /usr/bin rx /usr/lib64 rx /usr/lib64/gconv h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale h /usr/lib64/locale/locale-archive r /usr/lib64/python3.4 r /usr/lib64/python3.4/collections h /usr/lib64/python3.4/collections/__init__.py /usr/lib64/python3.4/collections/__pycache__/__init__.cpython-34.pyc r @@ -7673,130 +7646,94 @@ /etc/shadow h /etc/shadow- h /etc/ssh h /etc/terminfo /etc/terminfo/l/linux r /etc/terminfo/r/rxvt-unicode r /etc/vim /etc/vim/vimrc r /etc/vim/vimrc.local r /home h /home/miro rwcd /lib64 rx /lib64/modules h /mnt r /mnt/sd?1 rwcd /mnt/g* rwxcd /proc h /proc/meminfo r /sys h /tmp rwcd /usr /usr/bin x /usr/lib64 rx /usr/local h /usr/local/bin rw /usr/share rwc /usr/share/locale r /usr/src h /var h /var/lib /var/lib/lurker rwcdl /var/tmp rwcd /var/www /var/www/localhost/htdocs rwcdl /var/www/lurker* rwcd -CAP_ALL bind disabled connect disabled # Role: miro -subject /usr/bin/virsh o +subject /usr/bin/virsh ol / h - /boot h - /dev h - /dev/null rw - /dev/urandom r - /etc r - /etc/grsec h - /etc/gshadow h - /etc/gshadow- h - /etc/shadow h - /etc/shadow- h - /etc/ssh h - /etc/ssl h - /etc/ssl/openssl.cnf r - /home h - /home/miro rwcd - /lib/modules h - /lib64 rx - /lib64/modules h - /proc r - /proc/bus h - /proc/kallsyms h - /proc/kcore h - /proc/modules h - /proc/slabinfo h - /run h - /run/libvirt rw - /sys h - /usr h - /usr/bin h - /usr/bin/virsh rx - /usr/lib64 rx - /usr/sbin h - /usr/sbin/libvirtd x - /usr/share h - /usr/share/locale r - /usr/share/terminfo r - /var/log h -CAP_ALL bind disabled connect disabled - sock_allow_family unix inet ipv6 -## Role: miro -#subject /usr/bin/virt-install ol -# / h -# -CAP_ALL -# bind disabled -# connect disabled +# Role: miro +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu +subject /usr/bin/virt-install ol + / h + -CAP_ALL + bind disabled + connect disabled # Role: miro subject /usr/bin/wget o / h /Cmn rwc /Cmn/dLo rwcdl /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/certs/ca-certificates.crt r /home /home/miro rwc /lib64 rx /lib64/modules h /mnt wc /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /tmp rwcd /usr h /usr/bin h /usr/bin/wget rx /usr/lib64 rx /usr/share h /usr/share/locale r /var/www/localhost/htdocs rwcdl -CAP_ALL bind 0.0.0.0/32:0 dgram ip --------------------

Actually I'll now just:

Code: Select all: cp -iav grsec_170215_g0n_00 grsec_170215_g0n_01 vimdiff /mnt/H0214_g0n-r/root/grsec_170212_g0n_08-l grsec_170215_g0n_01

But I will give you now:

Code: Select all: diff -u40 grsec_170215_g0n_00 grsec_170215_g0n_01 --- grsec_170215_g0n_00 2017-02-15 14:23:24.499819097 +0100 +++ grsec_170215_g0n_01 2017-02-15 19:07:58.981230610 +0100 @@ -573,82 +573,82 @@ /etc/ld.so.cache r /lib64 h /lib64/ld-2.*.so x /lib64/libc-2.*.so rx /usr h /usr/lib64/locale/locale-archive r /usr/portage wd -CAP_ALL bind disabled connect disabled # Role: portage subject /usr/bin/wget o / h /dev h /dev/urandom r /etc h /etc/ld.so.cache r /etc/localtime r /etc/wgetrc r /lib64 rx /lib64/modules h /usr h /usr/bin h /usr/bin/wget x /usr/lib64 rx /usr/portage wc /var h /var/log/portage_logs /var/log/portage_logs/wget-fetch.log a -CAP_ALL bind disabled connect 192.168.2.0/24:80 stream tcp connect 192.168.3.0/24:80 stream tcp role root uG role_transitions admin shutdown role_allow_ip 192.168.2.0/24 role_allow_ip 192.168.3.0/24 role_allow_ip 0.0.0.0/32 -user_transition_allow apache miro tcpdump -group_transition_allow apache miro tcpdump +user_transition_allow apache miro tcpdump qemu +group_transition_allow apache miro tcpdump kvm libvirt qemu # Role: root subject / / h /Cmn r /Cmn/Kaff rwxcd /Cmn/MyVideos rwxcd /Cmn/dLo rwxcd /Cmn/gX* rwxcd /Cmn/m* rwxcd /bin rx /sbin rx /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /dev/tty rw /dev/urandom r /etc rx /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /export h /export/data /export/home /home h /home/miro rx /lib64 rx /lib64/firmware h /lib64/firmware/radeon /lib64/modules h /mnt r /mnt r /mnt/g* rwxcd /opt @@ -3672,112 +3672,87 @@ /bin/bash x /dev/log rw /etc h /etc/cron.d /etc/cron.d/prune-cronstamps r /etc/group r /etc/localtime r /etc/passwd r /proc h /proc/sys/kernel/ngroups_max r /root r /tmp rwcd /usr/sbin/crond rx /usr h /usr/sbin/sendmail x /var h /var/spool/cron rwd -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_SETGID +CAP_SETUID +CAP_SYS_ADMIN bind disabled connect disabled sock_allow_family unix inet # Role: root subject /usr/sbin/gpm o / h /dev/input/mice rw /dev h /dev/tty* rw -CAP_ALL +CAP_SYS_ADMIN +CAP_SYS_TTY_CONFIG bind disabled connect disabled # Role: root -subject /usr/sbin/libvirtd o +user_transition_allow root miro qemu +group_transition_allow root miro kvm libvirt qemu +subject /usr/sbin/libvirtd ol / h - /dev h - /dev/net/tun rw - /dev/null rw - /etc h - /etc/group r - /etc/libvirt r - /etc/passwd r - /proc r - /proc/bus h - /proc/kallsyms h - /proc/kcore h - /proc/modules h - /proc/slabinfo h - /proc/sys h - /run h - /run/libvirt wd - /sbin h - /sbin/xtables-multi x - /sys h - /sys/devices/system/cpu/online r - /usr h - /usr/sbin/libvirtd rx -CAP_ALL - +CAP_DAC_READ_SEARCH - +CAP_KILL - +CAP_NET_ADMIN - +CAP_NET_RAW bind disabled connect disabled - sock_allow_family unix inet netlink packet # Role: root subject /usr/sbin/logrotate o user_transition_allow nobody clamav root portage group_transition_allow nobody clamav root portage / h /bin h /bin/bash x /bin/gzip x /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /root /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/logrotate rx /var h /var/lib rwcd /var/log rwcd -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID bind disabled connect disabled sock_allow_family unix inet ## Role: root subject /usr/sbin/postconf o / h /etc h /etc/ld.so.cache r /etc/postfix/main.cf r @@ -4512,80 +4487,88 @@ subject /usr/bin/freshclam o / h /etc h /etc/clamd.conf r /etc/gai.conf r /etc/hosts r /etc/localtime r /etc/resolv.conf r /run h /run/clamav/clamd.sock rw /var h /var/lib/clamav rwcd /var/log/clamav rwc -CAP_ALL bind 0.0.0.0/32:0 dgram ip connect 0.0.0.0/0:53 dgram udp connect 127.0.0.1/32:53 dgram udp connect 193.92.150.194/32:80 stream dgram tcp udp connect 195.222.33.229/32:80 stream dgram tcp udp connect 192.168.1.1/32:53 dgram udp sock_allow_family netlink # Role: clamav subject /usr/sbin/clamd o / h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /var/lib/clamav r /var/log/clamav /var/log/clamav/clamd.log a /run/clamav rwcdl -CAP_ALL bind disabled connect disabled +role kvm gl +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu + +role libvirt gl +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu + role mysql u #role_allow_ip 0.0.0.0/32 user_transition_allow root group_transition_allow root # Role: mysql subject / / h -CAP_ALL bind disabled connect disabled # Role: mysql subject /usr/sbin/mysqld o user_transition_allow root mysql nobody group_transition_allow root mysql nobody / h /sys/devices/system/cpu/online r /tmp rwcd /usr/sbin/mysqld rx /var/lib/mysql rwcd # /var/lib/mysql/performance_schema # /var/lib/mysql/performance_schema/db.opt r -CAP_ALL bind 127.0.0.1/32:3306 stream tcp connect disabled role postfix u role_allow_ip 0.0.0.0/32 user_transition_allow root group_transition_allow root # Role: postfix subject / / h /dev/urandom r /etc/localtime /var/spool/postfix rwcd -CAP_ALL +CAP_SETGID +CAP_SETUID bind 0.0.0.0/32:0 ip dgram stream tcp udp @@ -4612,80 +4595,84 @@ /home /home/miro /home/miro/Maildir rwcdl /lib64 rx /lib64/modules h /proc h /proc/sys/kernel/ngroups_max r /root /root/Maildir rwcdl /sys h /sys/devices/system/cpu/online r /usr h /usr/lib64 rx /usr/libexec x /var h /var/lib/postfix rwcd /var/spool/postfix rwcdl /var/tmp -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_SETGID +CAP_SETUID bind 0.0.0.0/32:0 ip dgram stream tcp udp connect 127.0.0.1/32 ip dgram stream tcp udp connect 192.168.1.1/32:53 dgram udp connect 195.29.150.0/24 ip dgram stream tcp udp connect 178.218.165.68/32 ip dgram stream tcp udp sock_allow_family all # Role: postfix subject /usr/sbin/postsuper o user_transition_allow root group_transition_allow root / h /var/spool/postfix wd -CAP_ALL bind disabled connect disabled +role qemu ul +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu + role tcpdump u subject / o / h -CAP_ALL bind disabled connect disabled # Role: tcpdump subject /usr/sbin/tcpdump o user_transition_allow miro root nobody tcpdump group_transition_allow miro root nobody tcpdump / h /Cmn rwc /etc h /etc/host.conf r /etc/hosts r /etc/ld.so.cache r /etc/resolv.conf r /lib64 h /lib64/libnss_dns-2.23.so rx /lib64/libresolv-2.23.so rx /lib64/libresolv.so.2 rx /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /usr h /usr/sbin/tcpdump rx -CAP_ALL +CAP_DAC_OVERRIDE bind 0.0.0.0/32:0 dgram ip connect 127.0.0.1/32:53 dgram udp role miro u role_allow_ip 0.0.0.0/32 # Role: miro subject / @@ -6953,95 +6940,85 @@ /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/openssl.cnf r /home h /home/miro rw /lib64 rx /lib64/modules h /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/meminfo r /proc/modules h /proc/slabinfo h /proc/sys h /usr h /usr/bin h /usr/bin/openssl rx /usr/lib64 h /usr/lib64/libcrypto.so.1.* rx /usr/lib64/libssl.so.1.* rx /usr/share r -CAP_ALL bind 0.0.0.0/32:0 dgram ip # connect 192.168.3.0/24:443 stream tcp connect 0.0.0.0/0:443 stream tcp connect 0.0.0.0/0:993 stream tcp connect 0.0.0.0/0:995 stream tcp connect 192.168.1.1/32:53 dgram udp # Role: miro -subject /usr/bin/python2.7 o +subject /usr/bin/python2.7 ol / h - /etc h - /etc/ld.so.cache r - /lib64 rx - /lib64/modules h - /usr - /usr/bin - /usr/bin/python2.7 rx - /usr/lib64 rx - /usr/src h -CAP_ALL bind disabled connect disabled - sock_allow_family unix inet # Role: miro subject /usr/bin/python3.4m o / h /Cmn h /Cmn/Kaff rwcd /bin h /bin/bash x /dev h /dev/null rw /dev/urandom r /etc h /etc/hosts r /etc/ld.so.cache r /etc/localtime r /etc/mime.types r /etc/resolv.conf /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /sbin h /sbin/ldconfig x /tmp rwcd /usr /usr/bin rx /usr/lib64 rx /usr/lib64/gconv h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale h /usr/lib64/locale/locale-archive r /usr/lib64/python3.4 r /usr/lib64/python3.4/collections h /usr/lib64/python3.4/collections/__init__.py /usr/lib64/python3.4/collections/__pycache__/__init__.cpython-34.pyc r @@ -7673,130 +7650,94 @@ /etc/shadow h /etc/shadow- h /etc/ssh h /etc/terminfo /etc/terminfo/l/linux r /etc/terminfo/r/rxvt-unicode r /etc/vim /etc/vim/vimrc r /etc/vim/vimrc.local r /home h /home/miro rwcd /lib64 rx /lib64/modules h /mnt r /mnt/sd?1 rwcd /mnt/g* rwxcd /proc h /proc/meminfo r /sys h /tmp rwcd /usr /usr/bin x /usr/lib64 rx /usr/local h /usr/local/bin rw /usr/share rwc /usr/share/locale r /usr/src h /var h /var/lib /var/lib/lurker rwcdl /var/tmp rwcd /var/www /var/www/localhost/htdocs rwcdl /var/www/lurker* rwcd -CAP_ALL bind disabled connect disabled # Role: miro -subject /usr/bin/virsh o +subject /usr/bin/virsh ol / h - /boot h - /dev h - /dev/null rw - /dev/urandom r - /etc r - /etc/grsec h - /etc/gshadow h - /etc/gshadow- h - /etc/shadow h - /etc/shadow- h - /etc/ssh h - /etc/ssl h - /etc/ssl/openssl.cnf r - /home h - /home/miro rwcd - /lib/modules h - /lib64 rx - /lib64/modules h - /proc r - /proc/bus h - /proc/kallsyms h - /proc/kcore h - /proc/modules h - /proc/slabinfo h - /run h - /run/libvirt rw - /sys h - /usr h - /usr/bin h - /usr/bin/virsh rx - /usr/lib64 rx - /usr/sbin h - /usr/sbin/libvirtd x - /usr/share h - /usr/share/locale r - /usr/share/terminfo r - /var/log h -CAP_ALL bind disabled connect disabled - sock_allow_family unix inet ipv6 -## Role: miro -#subject /usr/bin/virt-install ol -# / h -# -CAP_ALL -# bind disabled -# connect disabled +# Role: miro +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu +subject /usr/bin/virt-install ol + / h + -CAP_ALL + bind disabled + connect disabled # Role: miro subject /usr/bin/wget o / h /Cmn rwc /Cmn/dLo rwcdl /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/certs/ca-certificates.crt r /home /home/miro rwc /lib64 rx /lib64/modules h /mnt wc /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /tmp rwcd /usr h /usr/bin h /usr/bin/wget rx /usr/lib64 rx /usr/share h /usr/share/locale r /var/www/localhost/htdocs rwcdl -CAP_ALL bind 0.0.0.0/32:0 dgram ip --------------------

Let's see if I made any mistake. (I'll show this procedure again here, so that even eventual newbie reading here don't get lost.)

In one piece:

Code: Select all: # diff grsec_170215_g0n_00 /etc/grsec/policy # cp -iav grsec_170215_g0n_01 /etc/grsec/policy cp: overwrite '/etc/grsec/policy'? y 'grsec_170215_g0n_01' -> '/etc/grsec/policy' # gradm -D Password: # grep ' ol' grsec_170215_g0n_01 subject /usr/sbin/libvirtd ol #subject /usr/bin/gpg-connect-agent ol #subject /usr/bin/gpgparsemail ol #subject /usr/bin/gpgscm ol #subject /usr/bin/gpgsm ol #subject /usr/bin/gpgtar ol #subject /usr/bin/gpgv2 ol subject /usr/bin/python2.7 ol subject /usr/bin/virsh ol subject /usr/bin/virt-install ol # > /etc/grsec/learning.logs # gradm -L /etc/grsec/learning.logs -E Warning: In role miro subject /usr/bin/gpg-agent, pathname "/home/miro/.gnupg/private-keys-v1.d": A writable and symlinked directory "/home/miro/.gnupg" points to "/the-usb-mount/.gnupg". Warning: write access is allowed to your subject for /home/miro/jpm/bin/jpm in role miro. Please ensure that the subject is running with less privilege than the default subject. # grep RBAC /proc/$$/status grep: /proc/3958/status: No such file or directory # gradm -a admin Password: #

And explained:

Code: Select all: # diff grsec_170215_g0n_00 /etc/grsec/policy #

That tells you I worked on a copy of /etc/grsec/policy.

And I will next update with that new version the real /etc/grsec/policy.

Code: Select all: # cp -iav grsec_170215_g0n_01 /etc/grsec/policy cp: overwrite '/etc/grsec/policy'? y 'grsec_170215_g0n_01' -> '/etc/grsec/policy' # gradm -D Password: # grep ' ol' grsec_170215_g0n_01 subject /usr/sbin/libvirtd ol #subject /usr/bin/gpg-connect-agent ol #subject /usr/bin/gpgparsemail ol #subject /usr/bin/gpgscm ol #subject /usr/bin/gpgsm ol #subject /usr/bin/gpgtar ol #subject /usr/bin/gpgv2 ol subject /usr/bin/python2.7 ol subject /usr/bin/virsh ol subject /usr/bin/virt-install ol #

That's not a lot of learning on subjects, because there are subjects from the GnuPG package that I haven't yet needed. Pls. see below about GnuPG.

But there are new groups and new user for learning:

Code: Select all: # grep ' [ug]l' grsec_170215_g0n_01 | grep role role kvm gl role libvirt gl role qemu ul #

Code: Select all: # > /etc/grsec/learning.logs #

I want to be learning from fresh tabula rasa learning logs ;-)

.

Code: Select all: # gradm -L /etc/grsec/learning.logs -E Warning: In role miro subject /usr/bin/gpg-agent, pathname "/home/miro/.gnupg/private-keys-v1.d": A writable and symlinked directory "/home/miro/.gnupg" points to "/the-usb-mount/.gnupg". Warning: write access is allowed to your subject for /home/miro/jpm/bin/jpm in role miro. Please ensure that the subject is running with less privilege than the default subject. #

These are matters that are unrelated to here, but while I can't any more post my complete /etc/grsec/policy, I am posting real diffs. For one part of the answers, about GnuPG programs, to see about them see:

GnuPG programs RBAC policies
viewtopic.php?f=5&t=4662
(and no time for the other part)

But the RBAC policies have been enabled, and the learning has started:

Code: Select all: # grep RBAC /proc/$$/status grep: /proc/3958/status: No such file or directory # gradm -a admin Password: #

Phew! Already a day spent for this preparation, based on past work. And the real work is yet ahead.

However, when preparing this I noticed that I probably need to set more learning yet.

And I will actually learn on subjects libvirtd for user miro, and re-learn virt-install and virsh user root. I also tried to fix some likely missing transitions for some subjects. See the diff:

Code: Select all: diff -u20 grsec_170215_g0n_01 grsec_170215_g0n_02 --- grsec_170215_g0n_01 2017-02-15 19:07:58.981230610 +0100 +++ grsec_170215_g0n_02 2017-02-15 19:47:10.223011867 +0100 @@ -3186,78 +3186,55 @@ /usr/lib64 rx /usr/local h /usr/local/bin rwcd /usr/portage rw /usr/share r /usr/src h /var /var/lib/portage /var/lib/portage/world rw /var/log rw -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_DAC_READ_SEARCH +CAP_FOWNER +CAP_FSETID bind disabled connect disabled # Role: root -subject /usr/bin/virsh o +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu +subject /usr/bin/virsh ol + / h + bind disabled + connect disabled + +# Role: root +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu +subject /usr/bin/virt-install ol / h - /dev h - /dev/urandom r - /etc r - /etc/grsec h - /etc/gshadow h - /etc/gshadow- h - /etc/libvirt r - /etc/shadow h - /etc/shadow- h - /etc/ssh h - /etc/ssl h - /etc/ssl/openssl.cnf r - /lib64 rx - /lib64/modules h - /proc r - /proc/bus h - /proc/kallsyms h - /proc/kcore h - /proc/modules h - /proc/slabinfo h - /proc/sys h - /root rwcd - /run h - /run/libvirt rw - /usr h - /usr/bin h - /usr/bin/virsh rx - /usr/lib64 rx - /usr/share h - /usr/share/locale r - /usr/share/terminfo r -CAP_ALL - +CAP_DAC_OVERRIDE bind disabled connect disabled - sock_allow_family unix inet ipv6 # Role: root subject /usr/bin/wget o / h /dev h /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/ssh h /etc/ssl h /etc/ssl/certs/ca-certificates.crt r /lib64 rx /lib64/modules h /mnt h /mnt/sde1/distfiles wc @@ -7670,40 +7647,42 @@ /usr /usr/bin x /usr/lib64 rx /usr/local h /usr/local/bin rw /usr/share rwc /usr/share/locale r /usr/src h /var h /var/lib /var/lib/lurker rwcdl /var/tmp rwcd /var/www /var/www/localhost/htdocs rwcdl /var/www/lurker* rwcd -CAP_ALL bind disabled connect disabled # Role: miro +user_transition_allow root qemu +group_transition_allow root kvm libvirt qemu subject /usr/bin/virsh ol / h -CAP_ALL bind disabled connect disabled # Role: miro user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/bin/virt-install ol / h -CAP_ALL bind disabled connect disabled # Role: miro subject /usr/bin/wget o / h /Cmn rwc /Cmn/dLo rwcdl @@ -8626,40 +8605,49 @@ /etc/ld.so.cache r /lib64 rx /lib64/modules h /usr h /usr/bin h /usr/bin/gawk x /usr/bin/tzap x /usr/lib64 h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale/locale-archive r /usr/local h /usr/local/bin/tzap-cat.sh rx /usr/share h /usr/share/locale r -CAP_ALL bind disabled connect disabled sock_allow_family unix inet # Role: miro +user_transition_allow root miro qemu +group_transition_allow root miro kvm libvirt qemu +subject /usr/sbin/libvirtd ol + / h + -CAP_ALL + bind disabled + connect disabled + +# Role: miro subject /usr/sbin/postdrop o / h /dev h /dev/log rw /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/postfix h /etc/postfix/main.cf r /etc/shadow h /etc/shadow- h /etc/ssh h /lib64 rx /lib64/modules h /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/postdrop x /usr/share h

I'll grep out the unlearned GnuPG subject this time:

Code: Select all: cat grsec_170215_g0n_02 | grep -v '^#su' | grep -B3 '\/.* ol' # Role: root user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/bin/virsh ol -- # Role: root user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/bin/virt-install ol -- # Role: root user_transition_allow root miro qemu group_transition_allow root miro kvm libvirt qemu subject /usr/sbin/libvirtd ol -- connect 192.168.1.1/32:53 dgram udp # Role: miro subject /usr/bin/python2.7 ol -- # Role: miro user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/bin/virsh ol -- # Role: miro user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/bin/virt-install ol -- # Role: miro user_transition_allow root miro qemu group_transition_allow root miro kvm libvirt qemu subject /usr/sbin/libvirtd ol

And finally:

Code: Select all: # cp -iav grsec_170215_g0n_02 /etc/grsec/policy cp: overwrite '/etc/grsec/policy'? y 'grsec_170215_g0n_02' -> '/etc/grsec/policy' # diff grsec_170215_g0n_02 /etc/grsec/policy # ls -l grsec_170215_g0n_02 /etc/grsec/policy -rw------- 1 root root 167158 2017-02-15 19:47 /etc/grsec/policy -rw------- 1 root root 167158 2017-02-15 19:47 grsec_170215_g0n_02 # gradm -L /etc/grsec/policy -E The operation you requested cannot be performed because the RBAC system is currently enabled. # gradm -D Password: # gradm -L /etc/grsec/policy -E Warning: In role miro subject /usr/bin/gpg-agent, pathname "/home/miro/.gnupg/private-keys-v1.d": A writable and symlinked directory "/home/miro/.gnupg" points to "/mnt/sdd1/.gnupg". Warning: write access is allowed to your subject for /home/miro/jpm/bin/jpm in role miro. Please ensure that the subject is running with less privilege than the default subject. #

Let me just say that I have previously done some VM running successfully, but not yet under RBAC policies, and that's too much od a risk...

And so this time I'm starting from kind of a clean install, not even have I enabled the libvirtd and libvirt-guest services! You'll see... And I'm doing so, because I want to get the learning done well this time. No more going online with VMs without RBAC set up.

This is the hardest exercise for me in creating RBAC policies, so far... Let's see if I make it.

And I'm not completely sure I set up all the learning right... I'll expain my doubts first in the next post...

EDIT 2017-04-02 12:09+02:00: It is important to notice one error that is repeated in some of the policies above, which is corrected only in later policies. E.g. from the diff it shows that I added:

Code: Select all: # Role: miro user_transition_allow root qemu group_transition_allow root kvm libvirt qemu subject /usr/bin/virt-install ol / h -CAP_ALL ...

But correct placement of transition rules is after the subject that they modify, e.g:

Code: Select all: # Role: miro subject /usr/bin/virt-install ol user_transition_allow root qemu group_transition_allow root kvm libvirt qemu / h -CAP_ALL ...

by **timbgo** » Fri Feb 17, 2017 2:45 pm

(I think I forgot to say: some of the procedures, or paths to programs or such, are Gentoo specific, but it should be similar in other GNU Linuces.)

Looking up these two README.gentoo.bz2:

Code: Select all: bzcat /usr/share/doc/qemu-2.8.0/README.gentoo.bz2

Code: Select all: If you don't have kvm compiled into the kernel, make sure you have the kernel module loaded before running kvm. ... Make sure your user is in the 'kvm' group Just run 'gpasswd -a <USER> kvm', then have <USER> re-login. For brand new installs, the default permissions on /dev/kvm might not let you access it. You can tell udev to reset ownership/perms: udevadm trigger -c add /dev/kvm

And:

Code: Select all: bzcat /usr/share/doc/libvirt-3.0.0/README.gentoo.bz2

Code: Select all: ... Use /etc/init.d/libvirt-guests to manage clients on restart/shutdown of the host. The default configuration will suspend and resume running kvm guests with 'managedsave'. This behavior can be changed under /etc/conf.d/libvirt-guests For systemd users: ... If you have built libvirt without policykit support (USE=-policykit), you must change the unix sock group and/or perms in /etc/libvirt/libvirtd.conf in order to allow normal users to connect to libvirtd. If libvirtd is built with USE=caps, libvirt will now start qemu/kvm VMs with non-root privileges. Ensure any resources your VMs use are accessible by qemu:qemu.

[Looking up these two README.gentoo.bz2] above, I still don't completely understand how to perform the right setup... (And I read those, and other instructions of course, over a few times.)

However, I did (and I believe I did it correctly) add the right users to the right groups, and I do have:

Code: Select all: # cat /etc/group | grep -E 'kvm|libvit|qemu' kvm:x:78:miro,qemu,root qemu:x:77:miro,root libvirt:x:1001:miro,qemu,root # cat /etc/passwd | grep -E 'kvm|libvit|qemu' qemu:x:77:77:added by portage for libvirt:/dev/null:/sbin/nologin #

And I probably would be able to rum VM with RBAC policy disabled. (Which I'm not interested in doing; grsec as available for free is slightly incomplete, but without grsec it is a very hollowy kernel... and so near total insecurity. At least for non-experts like me).

My main doubt is: to learn libvirtd for normal user (miro in my case) or not?

I decided to do run the learning for the normal user, because looking at how Whonix is deployed in Debian (mostly Debian is suggested there for using), at:

https://www.whonix.org/wiki/KVM

(
EDIT 2017-04-02 12:17+02:00: adding the correct link above
and my topic:
Whonix on Gentoo issues
https://forums.whonix.org/t/whonix-on-g ... ssues/3188
(find there my "political" view on grsecurity and Linus' team long standing... feud as well)
is not directly related to the conclusion below, needed for this post
)

I saw there's no mention of logging in as root to define and start Whonix-Gateway and Whonix-Workstation. So I concluded (I haven't run Debian in around two years, and I haven't had enough talent/time to actively switch to Devuan
(
https://www.devuan.org/
)
yet) it must be that by default a normal user can run libvirtd as well... (There is talk of sudo'ing as root, but not in the text concerning the running of the VM, IOW, basic operations go without becoming root.)

by **timbgo** » Fri Feb 17, 2017 3:01 pm

I just mentioned the two README.gentoo files in qemu and libvirt packages files, and how I haven't even deployed yet the "daemons" libvirtd and libvirt-guests. Deploying of those services ("daemons") is next.

But just to tell about my installation first.

And here's what tells to a Gentoo user how they are installed:

I got that output with running of this command:

Code: Select all: # for i in libvirt qemu spice virt-manager virt-viewer ; do echo emerge -pv $i: >> TMP ; echo "-------------------" >> TMP ; emerge -pv $i >> TMP ; echo "========================" >> TMP ; echo >> TMP ; done ; mv -iv TMP emerge-pv_libvirt_qemu_spice_virt-manager_virt-viewer.txt

Code: Select all: emerge -pv libvirt: ------------------- These are the packages that would be merged, in order: Calculating dependencies ... done! [ebuild R ] app-emulation/libvirt-3.0.0:0/3.0.0::gentoo USE="audit caps libvirtd macvtap nls qemu sasl vepa virt-network -apparmor -dbus -firewalld -fuse -glusterfs -iscsi -libssh -lvm -lxc -nfs -numa -openvz -parted -pcap -phyp -policykit -rbd (-selinux) -udev -uml -virtualbox -wireshark-plugins -xen -zeroconf -zfs" 0 KiB Total: 1 package (1 reinstall), Size of downloads: 0 KiB ======================== emerge -pv qemu: ------------------- These are the packages that would be merged, in order: Calculating dependencies . ... done! [ebuild R ] app-emulation/qemu-2.8.0::gentoo USE="aio alsa bzip2 caps curl fdt filecaps gnutls gtk gtk2 jpeg ncurses nls opengl pin-upstream-blobs png python sasl sdl seccomp spice threads vhost-net vnc xattr -accessibility -bluetooth -debug -glusterfs -infiniband -iscsi -lzo -nfs -numa -pulseaudio -rbd -sdl2 (-selinux) -smartcard -snappy -ssh -static -static-softmmu -static-user -systemtap -tci {-test} -usb -usbredir -vde -virgl -virtfs -vte -xen -xfs" LINGUAS="-bg -de_DE -fr_FR -hu -it -tr -zh_CN" PYTHON_TARGETS="python2_7" QEMU_SOFTMMU_TARGETS="arm i386 x86_64 -aarch64 -alpha -cris -lm32 -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -moxie -or32 -ppc -ppc64 -ppcemb -s390x -sh4 -sh4eb -sparc -sparc64 -tricore -unicore32 -xtensa -xtensaeb" QEMU_USER_TARGETS="arm i386 x86_64 -aarch64 -alpha -armeb -cris -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -mipsn32 -mipsn32el -or32 -ppc -ppc64 -ppc64abi32 -ppc64le -s390x -sh4 -sh4eb -sparc -sparc32plus -sparc64 -tilegx" 0 KiB Total: 1 package (1 reinstall), Size of downloads: 0 KiB ======================== emerge -pv spice: ------------------- These are the packages that would be merged, in order: Calculating dependencies ... done! [ebuild R ] app-emulation/spice-0.13.3::gentoo USE="gstreamer sasl -libressl -lz4 -smartcard -static-libs" 0 KiB Total: 1 package (1 reinstall), Size of downloads: 0 KiB ======================== emerge -pv virt-manager: ------------------- These are the packages that would be merged, in order: Calculating dependencies .... done! [ebuild R ] app-emulation/virt-manager-1.4.0-r2::gentoo USE="sasl -debug -gnome-keyring -gtk -policykit" LINGUAS="-as -bg -bn_IN -bs -ca -cmn -cs -da -de -en_GB -es -fi -fr -gu -hi -hr -hu -is -it -ja -kn -ko -ml -mr -ms -nb -nl -or -pa -pl -pt -pt_BR -ro -ru -sk -sr -sr@latin -sv -ta -te -tr -uk -vi -zh_CN -zh_TW" PYTHON_TARGETS="python2_7" 0 KiB Total: 1 package (1 reinstall), Size of downloads: 0 KiB ======================== emerge -pv virt-viewer: ------------------- These are the packages that would be merged, in order: Calculating dependencies ... done! [ebuild R ] app-emulation/virt-viewer-3.1-r1::miro USE="sasl spice -debug -vnc" 0 KiB Total: 1 package (1 reinstall), Size of downloads: 0 KiB ========================

It's Gentoo specific, the details, but some of it is general. E.g. the version of the installed packages are these:

Code: Select all: libvirt-3.0.0 qemu-2.8.0 spice-0.13.3 virt-manager-1.4.0 virt-viewer-3.1

However, while the previous four all have "::gentoo" after the version, such as "libvirt-3.0.0:0/3.0.0::gentoo", the last one has:

Code: Select all: virt-viewer-3.1-r1::miro

because I modified that package. I didn't want to have to install dbus (D-bus, whatever you want to call that opaque package, brother of systemd). These packages have all already worked, as I mentioned earlier, but without RBAC policy deployed.

Details about non-dbus virt-manager and virt-viewer of my installation can be found:

GUI-less (non-dbus) virt-manager (to run Tails in Gentoo)
https://lists.gt.net/gentoo/user/321797

I am yet to re-evaluate my method explained there... Esp. because it was libvirt-2.5.0 back then, a previous version... and changes may have had their influence. But I'll use what I have for now.

And before I deploy the "daemons", the services, I will:

1) run:

Code: Select all: # find / -xdev -name '*' > FIND_$(date +%y%m%d_%H%M)_$(hostname)

before and after, to get the exact files that have been removed and added (esp. in the /etc) when libvirtd and libvirt-guests are deployed. The diff is what I'll give you here afterwards.

2) run:

Code: Select all: # tripwire -m c

before and after, to get exactly what files are, whether they removed or added or neither removed nor added, but which have changed ;-)

. Tripwire gets you much close look into system files. This is my third attempt at properly deploying libvirt, qemu, kvm and friends, and I already know there'll be interesting changes to be seen after deployment.

(
E.g. I know it's a mess to update libvirt configuration files, upon updating the libvirt package, at least for a non-expert like me. But that's why I have backups. Thanks to my careful updating and backing things up I haven't needed to reinstall my Gentoo in some, four years, I think.
)

Third attempt this one, so I'm able to look up my notes and see that nearly every file in the /etc/libvirt/ will change.

This time I'll back up the entire /etc dir, so I'll also be able to see the exact changes:

Code: Select all: # tar cf etc_$(date +%y%m%d_%H%M)_$(hostname).tar /etc

Again, before and after the starting of the services.

Ouch! I forgot to check the iptables setup... (But I can mend to that forgetfullness, I got the master in which I haven't yet started any services, and this, where I test first, is a clone --same model hardware, dd-cloned to the bit-- ...)

Anyway, I just ran:

Code: Select all: # /etc/init.d/libvirtd start * Starting virtlogd ... [ ok ] * Starting libvirtd ... [ ok ] #

These are the reports that I have (since I dd-cloned my Air-Gapped master into this machine:

Code: Select all: # ls -l /var/lib/tripwire/report/ total 624 -rw-r--r-- 1 root root 78374 2017-02-14 14:11 g0n-20170214-140811.twr -rw-r--r-- 1 root root 235670 2017-02-15 03:19 g0n-20170215-031533.twr -rw-r--r-- 1 root root 236582 2017-02-15 22:47 g0n-20170215-224431.twr -rw-r--r-- 1 root root 78678 2017-02-15 23:53 g0n-20170215-235011.twr #

And one more has just been added:

Code: Select all: -rw-r--r-- 1 root root 80726 2017-02-16 00:00 g0n-20170215-235722.twr #

However, while I have run tw.update after g0n-20170215-224431.twr was done, I forgot to run it after g0n-20170215-235011.twr was done...

( Anyway, to not forget it before the next move, I'll run it now... )

So herein are the changes mainly from sole running of /etc/init.d/libvirtd above:

Code: Select all: Grsec_170215_Virt_4_tw.update.txt

which I'll post, abbreviated, here too:

Code: Select all: Open Source Tripwire(R) 2.4.3.2 Integrity Check Report Report generated by: root Report created on: Wed 15 Feb 2017 23:57:22 CET Database last updated on: Wed 15 Feb 2017 22:48:04 CET =============================================================================== Report Summary: =============================================================================== Host name: g0n Host IP address: 127.0.0.1 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/g0n.twd Command line used: tripwire -m c =============================================================================== Rule Summary: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- * Configiguration Files 100 0 0 17 * Tripwire CFG and Data 100 1 0 0 System Auditing Programs 100 0 0 0 File Manipulation Programs 100 0 0 0 Cron, Inetd, and Logging 100 0 0 0 Security Related Programs 100 0 0 0 Boot, Kernel, and Init 100 0 0 0 Network - Setup/Services 100 0 0 0 Network - Filter/View 100 0 0 0 Filesystem Programs 100 0 0 0 Shell and Terminal Programs 100 0 0 0 Database Related Programs 100 0 0 0 MTA Related Programs 100 0 0 0 WWW Related Programs 100 0 0 0 Hardware and Device Programs 100 0 0 0 Package Manager Programs 100 0 0 0 Programming Languages/Tools 66 0 0 0 Toolchain Programs 100 0 0 0 Gentoo Specific Programs 100 0 0 0 [core|diff|find]utils procps 100 0 0 0 * System Boot Changes 100 3 0 1 Editor Programs 66 0 0 0 Compression/Archiving Programs 66 0 0 0 Log Files 66 0 0 0 OS Bin and Lib Directories 100 0 0 0 User Bin and Lib Directories 66 0 0 0 Temporary Directories 33 0 0 0 * Root User Directory 100 5 1 2 Critical Devices 100 0 0 0 Invariant Directories 66 0 0 0 Total objects scanned: 22718 Total violations found: 30 =============================================================================== Object Summary: =============================================================================== ------------------------------------------------------------------------------- # Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Configiguration Files (/etc) Severity Level: 100 ------------------------------------------------------------------------------- Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Modified: [x] "/etc/libvirt/nwfilter/allow-arp.xml" [x] "/etc/libvirt/nwfilter/allow-dhcp-server.xml" [x] "/etc/libvirt/nwfilter/allow-dhcp.xml" [x] "/etc/libvirt/nwfilter/allow-incoming-ipv4.xml" [x] "/etc/libvirt/nwfilter/allow-ipv4.xml" [x] "/etc/libvirt/nwfilter/clean-traffic.xml" [x] "/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml" [x] "/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml" [x] "/etc/libvirt/nwfilter/no-arp-spoofing.xml" [x] "/etc/libvirt/nwfilter/no-ip-multicast.xml" [x] "/etc/libvirt/nwfilter/no-ip-spoofing.xml" [x] "/etc/libvirt/nwfilter/no-mac-broadcast.xml" [x] "/etc/libvirt/nwfilter/no-mac-spoofing.xml" [x] "/etc/libvirt/nwfilter/no-other-l2-traffic.xml" [x] "/etc/libvirt/nwfilter/no-other-rarp-traffic.xml" [x] "/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml" [x] "/etc/libvirt/nwfilter/qemu-announce-self.xml" ------------------------------------------------------------------------------- Rule Name: Tripwire CFG and Data (/var/lib/tripwire/g0n.twd.bak) Severity Level: 100 ------------------------------------------------------------------------------- ... Added: [x] "/root/FIND_170215_2350_g0n.diff" [x] "/root/FIND_170215_2350_g0n" [x] "/root/etc_170215_2351_g0n.tar" [x] "/root/FIND_170215_2249_g0n.diff" [x] "/root/FIND_170215_2357_g0n" Removed: [x] "/root/FIND_170215_2238_g0n" Modified: [x] "/root/.vim/.netrwhist" ------------------------------------------------------------------------------- Rule Name: Root User Directory (/root/.viminfo) Severity Level: 100 ------------------------------------------------------------------------------- Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Modified: [x] "/root/.viminfo" ------------------------------------------------------------------------------- Rule Name: System Boot Changes (/run) Severity Level: 100 ------------------------------------------------------------------------------- Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Added: [x] "/run/xtables.lock" [x] "/run/libvirtd.pid" [x] "/run/virtlogd.pid" Modified: [x] "/run/libvirt" =============================================================================== Object Detail: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Configiguration Files (/etc) Severity Level: 100 ------------------------------------------------------------------------------- ---------------------------------------- Modified Objects: 17 ---------------------------------------- Modified object name: /etc/libvirt/nwfilter/allow-arp.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355475 3417147 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 92 411 Blocks 8 8 * CRC32 Dj5gmU BXszlj * MD5 BIT5aHAQ3dq2Y+F7ynJ7n1 AGGWIxnXNPL6nAHsXeikSN Modified object name: /etc/libvirt/nwfilter/allow-dhcp-server.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355481 3417139 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 841 694 Blocks 8 8 * CRC32 CShnc0 Dw5RY4 * MD5 CU6dPWhvP+qNhH7tJsV3np Cw1d3WJGS6fH+clOPGKVLk Modified object name: /etc/libvirt/nwfilter/allow-dhcp.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355471 3417138 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 695 656 Blocks 8 8 * CRC32 DJO92g AYPSit * MD5 AbymvlDedF7SuoAT1ruKvm AF+cUdm8kZH19L9pn5tdEr Modified object name: /etc/libvirt/nwfilter/allow-incoming-ipv4.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355479 3417140 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 100 429 Blocks 8 8 * CRC32 DFx99h AzeMIl * MD5 BqfLgZRQ+BErqFVqJJ45uN Cf2UcjPXQb4a8N9SQhRV35 Modified object name: /etc/libvirt/nwfilter/allow-ipv4.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355477 3417136 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 94 414 Blocks 8 8 * CRC32 Ago7Lh BiOtj5 * MD5 BunJyHWYBUGcIwNpJHWZDg DSDSzBfu7Cex47aqi2xEk1 Modified object name: /etc/libvirt/nwfilter/clean-traffic.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355473 3417144 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 947 788 Blocks 8 8 * CRC32 CS6ar9 B/dRzM * MD5 CW7vzRlFmRBIKGCyMumGqV C0lqpjWw+3ZScyQWLdodc5 Modified object name: /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355474 3417146 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 353 525 Blocks 8 8 * CRC32 BrHjLl BLwKcZ * MD5 BZGTQKBucJXx/hujTP15JB BWDyDVUGKfgWZ/Pl/DazWm Modified object name: /etc/libvirt/nwfilter/no-arp-mac-spoofing.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355476 3417135 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 284 530 Blocks 8 8 * CRC32 BS9r67 DvpsO5 * MD5 CrZzILuONyOTF1vbjxlLBc C9mXLVw8NTFS8DAT4mmo4n Modified object name: /etc/libvirt/nwfilter/no-arp-spoofing.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355472 3417141 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 142 436 Blocks 8 8 * CRC32 CLszMD Co+u3N * MD5 BlTKAKoS4lMiXc4LED3T8I AU2wkUdXQaQBIfhMfejNza Modified object name: /etc/libvirt/nwfilter/no-ip-multicast.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355468 3417150 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 290 475 Blocks 8 8 * CRC32 D9Q1y4 CK/g/L * MD5 DM5BhOPtxJM+i715kwRFqg Bs3pthWtzvjK+xqJbLXr4S Modified object name: /etc/libvirt/nwfilter/no-ip-spoofing.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355469 3417145 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 477 625 Blocks 8 8 * CRC32 B1uUlK CQLXHX * MD5 CJqyGEYSVHY1JMfYHyoKlx A5IeIRK6O9TPe/SbjGjOm9 Modified object name: /etc/libvirt/nwfilter/no-mac-broadcast.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355480 3417143 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 269 473 Blocks 8 8 * CRC32 AGIHs+ Asbr95 * MD5 Agi4ckDP5sCMZMylnbwycD BNlW2cJSjx2moTjjXHLpL4 Modified object name: /etc/libvirt/nwfilter/no-mac-spoofing.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355470 3417149 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 308 534 Blocks 8 8 * CRC32 AAGEU9 AU480P * MD5 BW3RivkGHtKlx/LZDkWWw0 A0rTepwU3ZTZk8kFLDqCff Modified object name: /etc/libvirt/nwfilter/no-other-l2-traffic.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355478 3417148 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 247 415 Blocks 8 8 * CRC32 DhSFuJ DznXEA * MD5 BAA2En01/dPkVh+9/M3lAf DF1Vv5OuFEQCqPnb8hPjNT Modified object name: /etc/libvirt/nwfilter/no-other-rarp-traffic.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355483 3417142 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 121 435 Blocks 8 8 * CRC32 As65Od BIjoz1 * MD5 BXJeJGa0EXlBWSomua2Shj CQ/GVxG67QxiIAyUNK5vqA Modified object name: /etc/libvirt/nwfilter/qemu-announce-self-rarp.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355482 3417134 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 584 842 Blocks 8 8 * CRC32 AUBZvu AtST4X * MD5 BgEC49Pp/VgPHNcTVNhRQK C/W6VZBqkcmX0V1dfgDIqq Modified object name: /etc/libvirt/nwfilter/qemu-announce-self.xml Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 64512 64512 * Inode Number 3355467 3417137 * Mode -rw-r--r-- -rw------- Num Links 1 1 UID root (0) root (0) GID root (0) root (0) * Size 432 545 Blocks 8 8 * CRC32 AGFXno DhzLNg * MD5 Aj7m/SB9DCQrKbELge53+/ DqomDQ6zY7Y0RNIVJjKhdf ------------------------------------------------------------------------------- ... ------------------------------------------------------------------------------- Rule Name: System Boot Changes (/run) Severity Level: 100 ------------------------------------------------------------------------------- ---------------------------------------- Added Objects: 3 ---------------------------------------- Added object name: /run/xtables.lock Property: Expected Observed ------------- ----------- ----------- * Object Type --- Regular File * Device Number --- 15 * Mode --- -rw------- * Num Links --- 1 * UID --- root (0) * GID --- root (0) Added object name: /run/libvirtd.pid Property: Expected Observed ------------- ----------- ----------- * Object Type --- Regular File * Device Number --- 15 * Mode --- -rw-r--r-- * Num Links --- 1 * UID --- root (0) * GID --- root (0) Added object name: /run/virtlogd.pid Property: Expected Observed ------------- ----------- ----------- * Object Type --- Regular File * Device Number --- 15 * Mode --- -rw-r--r-- * Num Links --- 1 * UID --- root (0) * GID --- root (0) ---------------------------------------- Modified Objects: 1 ---------------------------------------- Modified object name: /run/libvirt Property: Expected Observed ------------- ----------- ----------- Object Type Directory Directory Device Number 15 15 Mode drwxr-xr-x drwxr-xr-x * Num Links 3 7 UID root (0) root (0) GID root (0) root (0) =============================================================================== Error Report: =============================================================================== No Errors ...

But also it is important to compare what diff on find says:

Code: Select all: # diff FIND_170215_2350_g0n FIND_170216_0009_g0n > FIND_170216_0009_g0n.diff 71a72 > /root/FIND_170215_2357_g0n 233a235 > /root/FIND_170215_2350_g0n.diff 276d277 < /root/FIND_170215_2249_g0n 333a335 > /root/FIND_170216_0009_g0n 336a339 > /root/etc_170215_2351_g0n.tar 744871a744875 > /var/lib/tripwire/report/g0n-20170215-235011.twr 744873a744878 > /var/lib/tripwire/report/g0n-20170215-235722.twr 837289a837295 > /home/miro/.moonchild productions/pale moon/hs2d648w.default/bookmarkbackups/bookmarks-2017-02-16_1307_nYmEQWnAK3aCQwh61owPwQ==.jsonlz4 837292d837297 < /home/miro/.moonchild productions/pale moon/hs2d648w.default/bookmarkbackups/bookmarks-2017-02-15_1307_nYmEQWnAK3aCQwh61owPwQ==.jsonlz4

Not much at all! (Regarding Palemoon that I have switched to from Firefox, Palmoon is an honest browser, it's a saint in comparison to Firefox. I haven't seen anything behind users' back. I will tell if I do in the future!... I mean that's likely some normal activity by Palemoon there...)

And (before the mending of the iptables changes), the very important tar'ing of the etc:

Ah, old men can't keep up the tabs on things... I had done it just 3 minutes ago...

Code: Select all: # sha256sum etc_17021* d89396cc0e05a14c59e30652122bf7c434a739488cedef600ab935a8b5e7c77a etc_170215_2351_g0n.tar 34c4aa452480792eb7b2c564272d1771d8c3972cbf16e5f5c34eb9abfedf6f81 etc_170216_0010_g0n.tar 34c4aa452480792eb7b2c564272d1771d8c3972cbf16e5f5c34eb9abfedf6f81 etc_170216_0013_g0n.tar #

I can safely:

Code: Select all: # rm etc_170216_0013_g0n.tar

And now the iptables. I ran my script, basically the one that you can also find in the develop branch of:
https://github.com/miroR/uncenz
(currently in the develop, but later likely in master branch too)
( the now develop version should be up on github any time soon, if you're a really early reader here )

Code: Select all: uncenz-ipt-conf-states.sh

and I change the hostname part in the names of the files of it (indeed I know what those setup looked like in this host, because it is a dd-clone to-the-bit this one of the other one), and I got:

Code: Select all: $ tar xf /mnt/sr0/Virt_170215/ipt_conf_states_170215_2357_g0n.tar $ ls -l ipt_conf_states_170215_2357_g0n.d/ total 28 -rw-r--r-- 1 miro miro 942 2017-02-15 23:57 ip_addr_show_g0n -rw-r--r-- 1 miro miro 610 2017-02-15 23:57 ip_link_show_g0n -rw-r--r-- 1 miro miro 0 2017-02-15 23:57 ip_rout_show_g0n -rw-r--r-- 1 miro miro 2468 2017-02-15 23:57 ipt-t_flt-L-n-v_g0n -rw-r--r-- 1 miro miro 722 2017-02-15 23:57 ipt-t_mgl-L-n-v_g0n -rw-r--r-- 1 miro miro 571 2017-02-15 23:57 ipt-t_nat-L-n-v_g0n -rw-r--r-- 1 miro miro 291 2017-02-15 23:57 ipt-t_raw-L-n-v_g0n -rw-r--r-- 1 miro miro 114 2016-08-26 11:15 resolv_conf_g0n $

But it's a completely different story now! See just the listing:

Code: Select all: # ls -l ipt_conf_states_170216_0022_g0n.d/ total 32 -rw-r--r-- 1 root root 1542 2017-02-16 00:22 ip_addr_show_g0n -rw-r--r-- 1 root root 1137 2017-02-16 00:22 ip_link_show_g0n -rw-r--r-- 1 root root 80 2017-02-16 00:22 ip_rout_show_g0n -rw-r--r-- 1 root root 3509 2017-02-16 00:22 ipt-t_flt-L-n-v_g0n -rw-r--r-- 1 root root 836 2017-02-16 00:22 ipt-t_mgl-L-n-v_g0n -rw-r--r-- 1 root root 1063 2017-02-16 00:22 ipt-t_nat-L-n-v_g0n -rw-r--r-- 1 root root 293 2017-02-16 00:22 ipt-t_raw-L-n-v_g0n -rw-r--r-- 1 root root 114 2017-02-14 21:22 resolv_conf_g0n #

And if I run this script on the two dirs, I can peruse more in detail what libvirt did to my network:

Code: Select all: # for i in $(ls -1 ipt_conf_states_170215_2357_g0n.d/); do ls -l ipt_conf_states_170215_2357_g0n.d/$i ; read FAKE; cat ipt_conf_states_170215_2357_g0n.d/$i ; read FAKE; ls -l ipt_conf_states_170215_2357_g0n.d/$i ; read FAKE; ls -l ipt_conf_states_170216_0022_g0n.d/$i; read FAKE; cat ipt_conf_states_170216_0022_g0n.d/$i; read FAKE; ls -l ipt_conf_states_170216_0022_g0n.d/$i; read FAKE; echo diff -u ipt_conf_states_170215_2357_g0n.d/$i ipt_conf_states_170216_0022_g0n.d/$i; read FAKE; diff -u ipt_conf_states_170215_2357_g0n.d/$i ipt_conf_states_170216_0022_g0n.d/$i; read FAKE; done

Lots of changes. And only for enabling that /etc/init.d/libvirtd service.

But, it's too much work to extract the important changes (basically added a virbr0 device), so maybe I make an addenda later some time in the future...

Adding it to default:

Code: Select all: # rc-update add libvirtd default * service libvirtd added to runlevel default #

And now the logs of all this... Phew... that's a lot...

Code: Select all: # ls -lh messages_170216_0041_g0n -rw-r--r-- 1 root root 35K 2017-02-16 00:46 messages_170216_0041_g0n #

But it's clean.

And there are fine lines there containing the string:

Code: Select all: uid/euid:77/77 gid/egid:77/77, parent /usr/sbin/libvirtd[libvirtd:18800] uid/euid:0/0 gid/egid:0/0

which means libvirtd is running qemu unprivileged, as user and group qemu:qemu.

And since the learning is enabled, the RBAC is enabled, all seems to me fine, so far.

I want to enable the guest service (and using the new way, not the old way that I used to enable libvirtd).

Code: Select all: g0n ~ # rc-update add libvirt-guests * service libvirt-guests added to runlevel default g0n ~ #

And I almost forgot. Maybe it's surplus, but excess is better than deficiency...

So first, the before and after ritual...

There's:

Grsec_170215_Virt_4_tw.update_2.txt
( lost in preparations, sorry! )

And:

Code: Select all: # service libvirt-guests start * Starting libvirt networks ... [ ok ] * Starting libvirt domains ... [ ok ] #

But that didn't produce many changes at all, as I don't have any guests configured at all. And nothing important at all in the tripwire report. Next is configuring libvirt.

by **timbgo** » Fri Feb 17, 2017 3:12 pm

One of the README.gentoo, mentioned earlier, the libvirt one:

Code: Select all: ... If you have built libvirt without policykit support (USE=-policykit), you must change the unix sock group and/or perms in /etc/libvirt/libvirtd.conf in order to allow normal users to connect to libvirtd. ...

And in the /etc/libvirt/libvirtd.conf it reads (unmodified yet):

Code: Select all: # UNIX socket access controls # # Set the UNIX domain socket group ownership. This can be used to # allow a 'trusted' set of users access to management capabilities # without becoming root. # # This is restricted to 'root' by default. #unix_sock_group = "libvirt" # Set the UNIX socket permissions for the R/O socket. This is used # for monitoring VM status only # # Default allows any user. If setting group ownership, you may want to # restrict this too. #unix_sock_ro_perms = "0777" # Set the UNIX socket permissions for the R/W socket. This is used # for full management of VMs # # Default allows only root. If PolicyKit is enabled on the socket, # the default will change to allow everyone (eg, 0777) # # If not using PolicyKit and setting group ownership for access # control, then you may want to relax this too. #unix_sock_rw_perms = "0770" # Set the UNIX socket permissions for the admin interface socket. # # Default allows only owner (root), do not change it unless you are # sure to whom you are exposing the access to. #unix_sock_admin_perms = "0700" # Set the name of the directory in which sockets will be found/created. #unix_sock_dir = "/var/run/libvirt"

This diff describes how I have changed it:

Code: Select all: # diff -u etc/libvirt/libvirtd.conf /etc/libvirt/libvirtd.conf --- etc/libvirt/libvirtd.conf 2017-01-23 13:59:39.000000000 +0100 +++ /etc/libvirt/libvirtd.conf 2017-02-16 06:43:12.650088738 +0100 @@ -82,14 +82,14 @@ # without becoming root. # # This is restricted to 'root' by default. -#unix_sock_group = "libvirt" +unix_sock_group = "libvirt" # Set the UNIX socket permissions for the R/O socket. This is used # for monitoring VM status only # # Default allows any user. If setting group ownership, you may want to # restrict this too. -#unix_sock_ro_perms = "0777" +unix_sock_ro_perms = "0770" # Set the UNIX socket permissions for the R/W socket. This is used # for full management of VMs @@ -99,16 +99,16 @@ # # If not using PolicyKit and setting group ownership for access # control, then you may want to relax this too. -#unix_sock_rw_perms = "0770" +unix_sock_rw_perms = "0770" # Set the UNIX socket permissions for the admin interface socket. # # Default allows only owner (root), do not change it unless you are # sure to whom you are exposing the access to. -#unix_sock_admin_perms = "0700" +unix_sock_admin_perms = "0700" # Set the name of the directory in which sockets will be found/created. -#unix_sock_dir = "/var/run/libvirt" +unix_sock_dir = "/var/run/libvirt" #

I want to list the last entry:

Code: Select all: # ls -lRa /var/run/libvirt /var/run/libvirt: total 0 drwxr-xr-x 7 root root 220 2017-02-15 23:54 . drwxr-xr-x 18 root root 800 2017-02-15 23:54 .. drwxr-xr-x 2 root root 40 2017-02-15 23:54 hostdevmgr srwx------ 1 root root 0 2017-02-15 23:54 libvirt-admin-sock srwx------ 1 root root 0 2017-02-15 23:54 libvirt-sock srwxrwxrwx 1 root root 0 2017-02-15 23:54 libvirt-sock-ro drwxr-xr-x 2 root root 40 2017-02-14 14:57 lxc drwxr-xr-x 2 root root 80 2017-02-15 23:54 network drwxr-xr-x 2 root root 40 2017-02-15 23:54 qemu drwxr-xr-x 2 root root 40 2017-02-15 23:54 storage srwx------ 1 root root 0 2017-02-15 23:54 virtlogd-sock /var/run/libvirt/hostdevmgr: total 0 drwxr-xr-x 2 root root 40 2017-02-15 23:54 . drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. /var/run/libvirt/lxc: total 0 drwxr-xr-x 2 root root 40 2017-02-14 14:57 . drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. /var/run/libvirt/network: total 8 drwxr-xr-x 2 root root 80 2017-02-15 23:54 . drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. -rw-r--r-- 1 root root 6 2017-02-15 23:54 default.pid -rw------- 1 root root 758 2017-02-15 23:54 default.xml /var/run/libvirt/qemu: total 0 drwxr-xr-x 2 root root 40 2017-02-15 23:54 . drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. /var/run/libvirt/storage: total 0 drwxr-xr-x 2 root root 40 2017-02-15 23:54 . drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. #

because I'm afraid I should have first edited, and then started the services for the perms to be fine there. Because they're not as it is... Should be either root:libvirt or qemu:libvirt or qemu:qemu, I'm not sure. Just not root:root, since libvirt runs unprivileged (has caps useflag).

How do I correct this. Will it mend itself by mere restarting the services?

Let's see.

Code: Select all: # service libvirtd restart ; service libvirt-guests restart * Caching service dependencies ... [ ok ] * Stopping libvirtd ... [ ok ] * Starting libvirtd ... [ ok ] * Stopping libvirt domains and networks for qemu:///system * Shutting down domain(s) ... * Shutting down domain(s) ... * Shutting down network(s): * default * Shutting down network(s): * Done stopping domains and networks for qemu:///system * Starting libvirt networks ... * default [ ok ] * Starting libvirt domains ... [ ok ] #

Yes there are changes. And I have to re-run "ls -lRa /var/run/libvirt" because due to the timestamp changes, the diff would be too voluminous:

Code: Select all: diff -u run_libvirt.ls-1_170216_0602 run_libvirt.ls-1_170216_0659 --- run_libvirt.ls-1_170216_0602 2017-02-16 08:19:52.132768221 +0100 +++ run_libvirt.ls-1_170216_0659 2017-02-16 06:59:25.165034991 +0100 @@ -1,43 +1,43 @@ # ls -lRa /var/run/libvirt /var/run/libvirt: total 0 -drwxr-xr-x 7 root root 220 2017-02-15 23:54 . -drwxr-xr-x 18 root root 800 2017-02-15 23:54 .. -drwxr-xr-x 2 root root 40 2017-02-15 23:54 hostdevmgr -srwx------ 1 root root 0 2017-02-15 23:54 libvirt-admin-sock -srwx------ 1 root root 0 2017-02-15 23:54 libvirt-sock -srwxrwxrwx 1 root root 0 2017-02-15 23:54 libvirt-sock-ro -drwxr-xr-x 2 root root 40 2017-02-14 14:57 lxc -drwxr-xr-x 2 root root 80 2017-02-15 23:54 network -drwxr-xr-x 2 root root 40 2017-02-15 23:54 qemu -drwxr-xr-x 2 root root 40 2017-02-15 23:54 storage -srwx------ 1 root root 0 2017-02-15 23:54 virtlogd-sock +drwxr-xr-x 7 root root 220 2017-02-16 06:56 . +drwxr-xr-x 18 root root 800 2017-02-16 06:56 .. +drwxr-xr-x 2 root root 40 2017-02-15 23:54 hostdevmgr +srwx------ 1 root libvirt 0 2017-02-16 06:56 libvirt-admin-sock +srwxrwx--- 1 root libvirt 0 2017-02-16 06:56 libvirt-sock +srwxrwx--- 1 root libvirt 0 2017-02-16 06:56 libvirt-sock-ro +drwxr-xr-x 2 root root 40 2017-02-14 14:57 lxc +drwxr-xr-x 2 root root 80 2017-02-16 06:56 network +drwxr-xr-x 2 root root 40 2017-02-15 23:54 qemu +drwxr-xr-x 2 root root 40 2017-02-15 23:54 storage +srwx------ 1 root root 0 2017-02-15 23:54 virtlogd-sock /var/run/libvirt/hostdevmgr: total 0 drwxr-xr-x 2 root root 40 2017-02-15 23:54 . -drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. +drwxr-xr-x 7 root root 220 2017-02-16 06:56 .. /var/run/libvirt/lxc: total 0 drwxr-xr-x 2 root root 40 2017-02-14 14:57 . -drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. +drwxr-xr-x 7 root root 220 2017-02-16 06:56 .. /var/run/libvirt/network: total 8 -drwxr-xr-x 2 root root 80 2017-02-15 23:54 . -drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. --rw-r--r-- 1 root root 6 2017-02-15 23:54 default.pid --rw------- 1 root root 758 2017-02-15 23:54 default.xml +drwxr-xr-x 2 root root 80 2017-02-16 06:56 . +drwxr-xr-x 7 root root 220 2017-02-16 06:56 .. +-rw-r--r-- 1 root root 6 2017-02-16 06:56 default.pid +-rw------- 1 root root 758 2017-02-16 06:56 default.xml /var/run/libvirt/qemu: total 0 drwxr-xr-x 2 root root 40 2017-02-15 23:54 . -drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. +drwxr-xr-x 7 root root 220 2017-02-16 06:56 .. /var/run/libvirt/storage: total 0 drwxr-xr-x 2 root root 40 2017-02-15 23:54 . -drwxr-xr-x 7 root root 220 2017-02-15 23:54 .. +drwxr-xr-x 7 root root 220 2017-02-16 06:56 .. #

Will that suffice, we'll see.

I'll probably really start the learning only next... I found gnunet, and I couldn't stop reading:

gnunet dependency dnssec-root checksum fail for 7 yrs old IANA XML
https://lists.gt.net/gentoo/user/323337

Done finally with gnunet for now, virtualization learning should start in earnest here. I'm back, I hope, in a while.

Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)

by **osea** » Sat Feb 18, 2017 8:53 pm

rbac has been a breeze so far. The full system learning makes policies for anything I throw at it, all except libvirt. I'm on Debian but I'm out of ideas.

Should I change learn_config?

by **spender** » Sun Feb 19, 2017 10:29 am

What gets denied still after learning on libvirt? Learning mode currently doesn't learn subject modes which may be necessary in some cases.

-Brad

by **osea** » Sun Feb 19, 2017 10:33 pm

The error concerns libvirtd not loading a vm's apparmor profile. Libvirt isolates virtual machines from one another with apparmor in addition to rest of the system. If there isn't an easy way, I wouldn't mind disabling apparmor completely if I can have rbac do per vm segregation automatically.

Errors from syslog:

Code: Select all: Feb 19 11:13:31 debian libvirtd[777]: 2017-02-19 16:13:31.785+0000: 800: error : virCommandWait:2572 : internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -p 0 -r -u libvirt-virtualdiskUID) unexpected exit status 126: libvirt: error : cannot execute binary /usr/lib/libvirt/virt-aa-helper: Permission denied Feb 19 11:13:31 debian libvirtd[777]: 2017-02-19 16:13:31.785+0000: 800: error : AppArmorGenSecurityLabel:486 : internal error: cannot load AppArmor profile 'libvirt-virtualdiskUID' Feb 19 11:13:31 debian virtlogd[1950]: 2017-02-19 16:13:31.787+0000: 1950: error : virNetSocketReadWire:1801 : End of file while reading data: Input/output error

-virtualdiskUID = redacted disk images UIDs

by **timbgo** » Tue Feb 21, 2017 5:00 am

osea wrote:The error concerns libvirtd not loading a vm's apparmor profile. Libvirt isolates virtual machines from one another with apparmor in addition to rest of the system. If there isn't an easy way, I wouldn't mind disabling apparmor completely if I can have rbac do per vm segregation automatically.
...

I wish I could help, but I run grsecurity hardening only and am not familiar with apparmor.
I expect that, if you couldn't sort out the problem in the meantime with the settings you described above, that you either asked for help with apparmor folks, or disabled apparmor.
If you try and remember to report back how you solved the issues, that will be great!

by **osea** » Tue Feb 21, 2017 12:41 pm

Not it. I disabled Apparmor and now libvirt complains about something else. it can't access a machine's logs.

Spender, when do you plan on adding subject learning modes?

by **timbgo** » Wed Feb 22, 2017 1:00 pm

osea wrote:Not it. I disabled Apparmor and now libvirt complains about something else. it can't access a machine's logs.

Spender, when do you plan on adding subject learning modes?

I'm not spender, but I don't get your question.

If it isn't me who don't understand, subject learning is what has been applied a lot in this topic.

Just search, in your browser, for ' ol', that's space oh ell, three characters, and you'll get a lot of code where it is found...

Just one example:

Code: Select all: +subject /usr/bin/virt-install ol + / h + -CAP_ALL + bind disabled + connect disabled

It's from a "diff -u <previous-version> <later-version>" output.

And in the policy it looks like:

Code: Select all: ubject /usr/bin/virt-install ol / h -CAP_ALL bind disabled connect disabled

Also, let me repaste part of your reply:

Not it. I disabled Apparmor and now libvirt complains about something else.

You really need to read the logs and understand what they say... It may be somewhat steep. It took me long, for example, and, at the current level of mine, I understand them partly... I too get lost with esp. PAX messages, still.
But I finally figured uid/gid what user runs what as what group, and similar, to get the virtualization, and, say, GnuPG programs' policy right, which I couldn't dream of getting right, say, a year ago.

And if you're asking for support, much much more info is needed what exactly goes wrong (not that anybody can promise solving it anyways)...

it can't access a machine's logs.

...more info is needed

Regards!

by **osea** » Thu Feb 23, 2017 11:32 am

Spender's response made me believe that auto subject learning is not available for full learning. I know how to do subject learning manually for simple programs. Libvirt, on the other hand, is a collection of 20-something binaries interacting together. I find subject learning difficult sometimes because it enables rbac's restrictive enforcement and it prevents the process I want learned from starting.

Spender has better things to do than teach noobs. Fair enough, but I imagined rbac can handle everything without noobs like me having to fiddle around with policy settings.

by **spender** » Thu Feb 23, 2017 8:21 pm

I didn't mean per-subject learning, but rather the automatic learning of subject modes: https://en.wikibooks.org/wiki/Grsecurit ... ject_Modes
It was just a guess as to why libvirt wouldn't be working after full learning had been performed -- without any logs, especially any RBAC denial messages, I don't have any more suggestions.

-Brad

by **osea** » Fri Feb 24, 2017 2:44 pm

I ran full system learning and exercised libvirt many times for rbac's threshold learning. Here are the only libvirt messages that appear in syslog after enforcement:

Code: Select all: debian kernel: [94707] grsec: (root:U:/usr/sbin/libvirtd) denied ptrace of /usr/lib/libvirt/virt-aa-helper by /usr/lib/libvirt/virt-aa-helper[libvirtd:2438] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:797] uid/euid:0/0 gid/egid:0/0 debian libvirtd[773]: 797: error : virCommandWait:2572 : internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -p 0 -r -u libvirt-UID) unexpected exit status 126: libvirt: error : cannot execute binary /usr/lib/libvirt/virt-aa-helper: Permission denied debian libvirtd[773]: 797: error : AppArmorGenSecurityLabel:486 : internal error: cannot load AppArmor profile 'libvirt-UID' debian virtlogd[1946]: 1946: error : virNetSocketReadWire:1801 : End of file while reading data: Input/output error debian kernel: [94712] grsec: (root:U:/usr/sbin/libvirtd) denied ptrace of /usr/lib/libvirt/virt-aa-helper by /usr/lib/libvirt/virt-aa-helper[libvirtd:2461] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:795] uid/euid:0/0 gid/egid:0/0 debian libvirtd[773]: 795: error : virCommandWait:2572 : internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -p 0 -r -u libvirt-UID) unexpected exit status 126: libvirt: error : cannot execute binary /usr/lib/libvirt/virt-aa-helper: Permission denied debian libvirtd[773]: 795: error : AppArmorGenSecurityLabel:486 : internal error: cannot load AppArmor profile 'libvirt-UID' debian virtlogd[1946]: 1946: error : virNetSocketReadWire:1801 : End of file while reading data: Input/output error

My hunch is, its libvirtd's fault for running ptrace and rbac does the right thing blocking it?

by **spender** » Fri Feb 24, 2017 6:14 pm

Try adding "O" (capital o) to the subject mode for /usr/sbin/libvirtd. I'm guessing you have a separate subject for /usr/lib/libvirt/virt-aa-helper?

-Brad

grsecurity forums

Libvirt virtualization policies

Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies

Re: Libvirt virtualization policies