The 1.9.x release will be available with the future release of kernels...or it is
death ?
thx & bye
ok then 2.0 is out but...
6 posts
• Page 1 of 1
ok then 2.0 is out but...
by buzzzo » Sat Apr 17, 2004 10:44 am
- buzzzo
- Posts: 6
- Joined: Tue Feb 18, 2003 12:41 pm
Re: ok then 2.0 is out but...
by hightower » Sat Apr 17, 2004 11:37 am
buzzzo wrote:The 1.9.x release will be available with the future release of kernels...or it is
death ?
1.9.x will be deleted within the next few months. Brad will probably fix important bugs, but yes, it'll be dead soon. Depends, if there will be another one for 2.4.27, depends when 2.4.27 will become available
Anyway, you all should move to grsec2.
ciao, Marc
- hightower
- Posts: 49
- Joined: Wed Mar 06, 2002 11:36 am
by buzzzo » Sat Apr 17, 2004 1:56 pm
Mmmm ..problably this is not good for who has a lot of grsec 1.9.x in production ...anyway seems the full learning mode of 2.0 very good .....
the lack of acl 2.0 docs i think is the biggest problem for who (like me) has
written 1.9.x acl .
Thx and Ciao.
the lack of acl 2.0 docs i think is the biggest problem for who (like me) has
written 1.9.x acl .
Thx and Ciao.
- buzzzo
- Posts: 6
- Joined: Tue Feb 18, 2003 12:41 pm
by spender » Sun Apr 18, 2004 2:38 pm
it will work with very minimal modifications. To convert your 1.9 acl to a 2.0 ruleset, follow these rules:
add an admin role at the top of /etc/grsec/acl:
Then add a default role, which will encompass all your 1.9 subjects:
In 2.0, the { }'s enclosing the object definitions are not necessary, but "subject" needs to come before the pathname for the subject.
So a subject would look like:
You also don't group together connect and bind rules with { }'s. They are now done with one connect or bind rule per line, like so:
Additionally, since grsecurity 2.0 supports more fine grained object permissions, if a process needs to create a file, then the object needs "c" added to its object mode in addition to "w". If a process needs to delete a file, then the object needs "d" added to its object mode in addition to "w".
That's all there is to it. Except for the creation/deletion it's just formatting changes.
-Brad
add an admin role at the top of /etc/grsec/acl:
- Code: Select all
role admin sA
subject / r
/ rwcdmxi
Then add a default role, which will encompass all your 1.9 subjects:
- Code: Select all
role default G
role_transitions admin
In 2.0, the { }'s enclosing the object definitions are not necessary, but "subject" needs to come before the pathname for the subject.
So a subject would look like:
- Code: Select all
subject /bin/su
/tmp/blah rw
+CAP_SETUID
You also don't group together connect and bind rules with { }'s. They are now done with one connect or bind rule per line, like so:
- Code: Select all
connect 192.168.1.0/24:22 stream tcp
connect 192.168.2.0/24:20-21 stream tcp
bind 0.0.0.0 stream dgram tcp udp
Additionally, since grsecurity 2.0 supports more fine grained object permissions, if a process needs to create a file, then the object needs "c" added to its object mode in addition to "w". If a process needs to delete a file, then the object needs "d" added to its object mode in addition to "w".
That's all there is to it. Except for the creation/deletion it's just formatting changes.
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
by olrick » Tue Apr 20, 2004 9:22 am
I followed the rules you gave to convert my 1.9 ACL into the 2.0 format and it didn't work.
As soon as I enable grsec with Gradm -E my CPU reach 100% and I get these messages in syslog :
I tried with the default "acl" file that comes with the gradm installation, but it gives exactly the same problem.
Any idea ?
Thanks a lot
Regards
As soon as I enable grsec with Gradm -E my CPU reach 100% and I get these messages in syslog :
- Code: Select all
kernel: Cannot read proc file system: 1 - Operation not permitted.
last message repeated 152695 times
I tried with the default "acl" file that comes with the gradm installation, but it gives exactly the same problem.
Any idea ?
Thanks a lot
Regards
- olrick
- Posts: 1
- Joined: Tue Apr 20, 2004 9:14 am
6 posts
• Page 1 of 1