Hi
While trying grsecurity I stumbled across a problem with inheritance on subjects.
My setup is as follows:
Distribution : RedHat 7.3
Kernel : linux-2.4.19.tar.bz2 from ftp.kernel.org
filesystem : ext2 and ext3 (tried both)
grsecurity-version: 1.9.7-rc[123] kernelpatch and gradm (tried all three versions)
/etc/grsec/acl as follows:
------------ SNIP ----------------
/ {
/ r
/opt rx
/home rwx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/sys r
/root rw
/tmp rw
/var rwx
/var/tmp rw
/var/log rw
/boot r
/etc/grsec h
}
/usr/X11R6/bin/XFree o {
/dev/mem rw
+CAP_SYS_RAWIO
}
-------------- SNIP ----------------
When I enable the ACL system with "gradm -E" I get the following error:
"Default ACL object not found for subject /usr/X11R6/bin/XFree"
"The ACL system will not load until you correct this error."
I also tried the following ACL for subject "/usr/X11R6/bin/XFree" :
/usr/X11R6/bin/XFree {
/dev/mem rwo
+CAP_SYS_RAWIO
}
which gives me these errors in my syslog:
-Sep 1 12:18:36 mad kernel: grsec: attempt to access hidden file [03:05:8055] by (XFree86:1406) UID(0) EUID(0), parent (bash:1235) UID(0) EUID(0)
-Sep 1 12:18:36 mad kernel: grsec: CAP_SYS_RAWIO not raised for (XFree86:1406) UID(0) EUID(0), parent (bash:1235) UID(0) EUID(0)
-----
I really don't understand what's going wrong here :( According to the documentation, at least
my first ACL for subject "usr..XFree" should disable inheritance for "/dev/mem" and CAP_SYS_RAWIO
... or am I wrong?
Since grsecurity really seems to be a mature piece of software I'd be glad to learn more about it, but now I'm stuck :/
Any help is welcome :)
virtual
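For comparison, an added example that is not part of the original post: the first error quoted above ("Default ACL object not found for subject ...") says that every subject block, including one carrying the o (override) mode, must contain its own "/" default object. An overriding subject does not inherit the "/" object from the "/" subject, so the fragment below adds one to the first ACL from the post. The "/ r" default is an assumption chosen only to satisfy that error; the other objects an X server would need under a non-inheriting subject (its own binary, libraries, fonts, devices) are not listed here and are not taken from the page.

```text
/usr/X11R6/bin/XFree o {
	/                  r      # assumed default object: required for every subject
	/dev/mem           rw
	+CAP_SYS_RAWIO
}
```

Because the subject overrides inheritance, anything not listed in its own block is not available to it; the "/" line only satisfies the loader check, it does not restore the objects the parent "/" subject grants.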