We have a problem with our policy. It is probably a basic question, since we have no idea why a user role works but a group role does not: if we try to use a group role for several users who should all have the same permissions (with respect to their own home directories etc.), it simply does not work. We are trying to get "/bin/su" working so that users in the wheel group can obtain root permissions. If we use a user role for the user "vulture", for example, the policy works fine. If we change "role vulture u" into "role users g", su does not work any more; we get "initgroups: operation not permitted" every time.
The policy which does not work looks like this:
# Fallback role: applied to any process whose uid/gid matches none of the
# user or group roles defined below.
role default
subject / {
# Deny-all sandbox: the whole tree hidden, every capability dropped, no sockets.
/ h
-CAP_ALL
connect disabled
bind disabled
}
# Special admin role (s = special role, A = admin flag), entered through gradm
# after authentication; its single subject is unrestricted.
role admin sA
subject / rvka
/ rwcdmlxi
# root's user role (u = user role, G = may authenticate to special roles via gradm).
role root uG
# root may switch into the admin special role defined above.
role_transitions admin
# Default subject for root: only the objects listed are reachable, everything
# else under / is hidden. Entries with no mode letters (e.g. /dev/initctl)
# presumably let the path be seen but not read/written -- confirm against the
# gradm object-mode documentation.
subject / {
/ h
/bin h
/bin/grep x
/dev h
/dev/initctl
/dev/urandom r
/etc h
/etc/DIR_COLORS r
/etc/ld.so.cache r
/lib h
/lib/ld-2.3.5.so x
/lib/libc-2.3.5.so rx
# No capabilities and no network for root outside the subjects below.
-CAP_ALL
bind disabled
connect disabled
}
# root's interactive shell. 'o' overrides inheritance, so only the objects
# listed here apply to the bash process.
subject /bin/bash o {
/ h
/bin h
/bin/bash x
/bin/grep x
# /etc is readable, but every credential store is explicitly hidden from the shell.
/etc r
/etc/grsec h
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/lib rx
/proc h
/proc/meminfo r
/sbin h
/sbin/gradm x
/var h
/var/run
# Raw-memory, port and grsec device nodes are hidden; only null/tty/urandom are usable.
/dev
/dev/null w
/dev/tty rw
/dev/urandom r
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
/root/.bash_history rw
/root/.bash_profile r
-CAP_ALL
bind disabled
connect disabled
}
# Privileged sshd (listener / monitor process) running under root's role.
subject /usr/sbin/sshd o {
# NOTE(review): uid/gid changes are whitelisted to root only, yet sshd also
# has to switch to the privsep user (see "role sshd u") and to the logging-in
# user; if logins work as posted, confirm with the RBAC log how those
# transitions pass under this subject.
user_transition_allow root
group_transition_allow root
/
/bin h
/bin/bash
/dev h
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/urandom r
# /etc readable; backup and secondary credential files hidden. /etc/shadow
# itself is NOT hidden here, unlike in the bash subject -- presumably so
# password checks can run.
/etc r
/etc/grsec h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/usr h
/usr/lib rx
/usr/sbin/sshd x
/usr/share/zoneinfo r
/var h
/var/empty
/var/log
/var/log/lastlog rw
/var/log/wtmp w
/var/run
/var/run/utmp rw
# Public-key lookup: read access only to authorized_keys under each home.
/home
/home/*
/home/*/.ssh
/home/*/.ssh/authorized_keys r
/lib rx
/proc
/proc/sys/kernel/ngroups_max r
/proc/kcore h
/proc/bus h
/sys h
# Capabilities cut down to four: presumably pty ownership (CHOWN), the
# uid/gid switch to the session user, and the privsep chroot.
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
# Listen on 22 (and any ephemeral port via :0); outbound limited to UDP 22 on
# 0.0.0.0 and DNS to the listed resolver.
bind 0.0.0.0/32:22 stream dgram ip tcp
bind 0.0.0.0/32:0 stream dgram ip tcp
connect 0.0.0.0/32:22 dgram udp
connect 194.25.2.129/32:53 dgram udp
}
# su invoked by root itself: no capabilities needed, may only exec bash.
subject /bin/su o {
/ h
/bin/bash x
/dev/log rw
/root
/usr/share/zoneinfo
-CAP_ALL
bind disabled
connect disabled
}
# Role for the unprivileged sshd privsep user; confined to the empty chroot dir.
role sshd u
subject / {
/ h
/var/empty
-CAP_ALL
bind disabled
connect disabled
}
# Group role: the same objects apply to EVERY member of group "users". The
# policy has no way to tell members apart here, which is why the
# home-directory rules below are written as a wildcard.
role users g
subject / {
# Default subject may only setuid/setgid to root (used by su below).
user_transition_allow root
group_transition_allow root
/ h
/bin x
/etc r
/etc/grsec h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
# NOTE(review): /home/* rwxcda matches every home directory, so any member of
# "users" gets full read/write/create/delete access to every other member's
# home. As far as this syntax shows there is no per-member substitution in a
# group role; per-user roles (as in the working variant) or plain filesystem
# permissions are what keep homes private.
/home h
/home/* rwxcda
/lib rx
# /tmp is rw but carries no c (create) flag -- confirm new files can be created there.
/tmp rw
/sbin
/sbin/gradm x
/var
/var/run
/var/spool/mail
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/kmem h
/dev/mem h
/dev/port h
/usr
/usr/bin rx
/usr/lib rx
/usr/share h
/usr/share/locale r
/proc
/proc/meminfo r
/proc/sys/kernel/ngroups_max r
/proc/kcore h
/proc/bus h
-CAP_ALL
bind disabled
connect disabled
}
# su run by a member of "users" to become root. This is the subject the
# reported failure ("initgroups: operation not permitted") originates in.
subject /bin/su o {
# NOTE(review): only group "users" is whitelisted for gid changes, but
# initgroups() for root calls setgroups() with root's supplementary groups,
# which are typically not all "users"; a denied setgroups() is what su
# reports as "initgroups: operation not permitted". The same line exists in
# the user-role variant that reportedly works, so the deciding factor may be
# how the role is re-resolved once the gid changes while in a group role --
# check the RBAC denial lines in the kernel log for which role/subject
# refused the call.
user_transition_allow root
group_transition_allow users
/ h
/root
/bin h
/bin/su x
/dev h
/dev/log rw
/dev/urandom r
# /etc/shadow is not hidden here (only its backup is), presumably so su can
# verify the password; the other credential stores stay hidden.
/etc r
/etc/grsec h
/etc/ssh h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/lib rx
/usr h
/usr/lib/locale/en_US/LC_CTYPE r
/usr/share/locale r
/usr/share/zoneinfo r
/var h
/var/run
/var/run/utmp rw
/proc
/proc/sys/kernel/ngroups_max r
/proc/kcore h
/proc/bus h
# Only the two capabilities needed for the uid/gid switch are granted.
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
# sshd once it runs under this group role (presumably after switching to the
# session user): minimal objects to spawn the login shell and use the pty.
subject /usr/sbin/sshd o {
/ h
/bin h
/bin/bash x
/dev h
/dev/log rw
/dev/pts rw
/dev/tty rw
/etc h
/etc/security/pam_env.conf r
# Read-only view of all of /home for this process; write access to homes is
# presumably picked up from the role's default subject once the shell is
# exec'd -- confirm.
/home r
/usr h
/usr/share/zoneinfo
-CAP_ALL
bind disabled
connect disabled
}
Now the policy which works. The only difference you will see is that "role users g" is replaced with "role vulture u". If we define user roles, su works fine. The error occurs only if we try to write a group role for users.
# Fallback role: applied to any process whose uid/gid matches none of the
# user or group roles defined below.
role default
subject / {
# Deny-all sandbox: the whole tree hidden, every capability dropped, no sockets.
/ h
-CAP_ALL
connect disabled
bind disabled
}
# Special admin role (s = special role, A = admin flag), entered through gradm
# after authentication; its single subject is unrestricted.
role admin sA
subject / rvka
/ rwcdmlxi
# root's user role (u = user role, G = may authenticate to special roles via gradm).
role root uG
# root may switch into the admin special role defined above.
role_transitions admin
# Default subject for root: only the objects listed are reachable, everything
# else under / is hidden. Entries with no mode letters (e.g. /dev/initctl)
# presumably let the path be seen but not read/written -- confirm against the
# gradm object-mode documentation.
subject / {
/ h
/bin h
/bin/grep x
/dev h
/dev/initctl
/dev/urandom r
/etc h
/etc/DIR_COLORS r
/etc/ld.so.cache r
/lib h
/lib/ld-2.3.5.so x
/lib/libc-2.3.5.so rx
# No capabilities and no network for root outside the subjects below.
-CAP_ALL
bind disabled
connect disabled
}
# root's interactive shell. 'o' overrides inheritance, so only the objects
# listed here apply to the bash process.
subject /bin/bash o {
/ h
/bin h
/bin/bash x
/bin/grep x
# /etc is readable, but every credential store is explicitly hidden from the shell.
/etc r
/etc/grsec h
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/lib rx
/proc h
/proc/meminfo r
/sbin h
/sbin/gradm x
/var h
/var/run
# Raw-memory, port and grsec device nodes are hidden; only null/tty/urandom are usable.
/dev
/dev/null w
/dev/tty rw
/dev/urandom r
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
/root/.bash_history rw
/root/.bash_profile r
-CAP_ALL
bind disabled
connect disabled
}
# Privileged sshd (listener / monitor process) running under root's role.
subject /usr/sbin/sshd o {
# NOTE(review): uid/gid changes are whitelisted to root only, yet sshd also
# has to switch to the privsep user (see "role sshd u") and to the logging-in
# user; if logins work as posted, confirm with the RBAC log how those
# transitions pass under this subject.
user_transition_allow root
group_transition_allow root
/
/bin h
/bin/bash
/dev h
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/urandom r
# /etc readable; backup and secondary credential files hidden. /etc/shadow
# itself is NOT hidden here, unlike in the bash subject -- presumably so
# password checks can run.
/etc r
/etc/grsec h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/usr h
/usr/lib rx
/usr/sbin/sshd x
/usr/share/zoneinfo r
/var h
/var/empty
/var/log
/var/log/lastlog rw
/var/log/wtmp w
/var/run
/var/run/utmp rw
# Public-key lookup: read access only to authorized_keys under each home.
/home
/home/*
/home/*/.ssh
/home/*/.ssh/authorized_keys r
/lib rx
/proc
/proc/sys/kernel/ngroups_max r
/proc/kcore h
/proc/bus h
/sys h
# Capabilities cut down to four: presumably pty ownership (CHOWN), the
# uid/gid switch to the session user, and the privsep chroot.
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
# Listen on 22 (and any ephemeral port via :0); outbound limited to UDP 22 on
# 0.0.0.0 and DNS to the listed resolver.
bind 0.0.0.0/32:22 stream dgram ip tcp
bind 0.0.0.0/32:0 stream dgram ip tcp
connect 0.0.0.0/32:22 dgram udp
connect 194.25.2.129/32:53 dgram udp
}
# su invoked by root itself: no capabilities needed, may only exec bash.
subject /bin/su o {
/ h
/bin/bash x
/dev/log rw
/root
/usr/share/zoneinfo
-CAP_ALL
bind disabled
connect disabled
}
# Role for the unprivileged sshd privsep user; confined to the empty chroot dir.
role sshd u
subject / {
/ h
/var/empty
-CAP_ALL
bind disabled
connect disabled
}
# Per-user role for "vulture" -- the variant that works. The objects below are
# identical to the "role users g" variant; only this role line differs.
role vulture u
subject / {
# Default subject may only setuid/setgid to root (used by su below).
user_transition_allow root
group_transition_allow root
/ h
/bin x
/etc r
/etc/grsec h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
# NOTE(review): even in a per-user role, /home/* rwxcda grants vulture full
# read/write/create/delete access to every home directory, not just
# /home/vulture; a user role can name the user's own home explicitly, which
# is the least-privilege form.
/home h
/home/* rwxcda
/lib rx
# /tmp is rw but carries no c (create) flag -- confirm new files can be created there.
/tmp rw
/sbin
/sbin/gradm x
/var
/var/run
/var/spool/mail
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/kmem h
/dev/mem h
/dev/port h
/usr
/usr/bin rx
/usr/lib rx
/usr/share h
/usr/share/locale r
/proc
/proc/meminfo r
/proc/sys/kernel/ngroups_max r
/proc/kcore h
/proc/bus h
-CAP_ALL
bind disabled
connect disabled
}
# su run by vulture to become root. Byte-identical to the su subject of the
# failing group-role variant, including the group_transition_allow line, so
# the difference in outcome comes from the role type, not from this subject.
subject /bin/su o {
# NOTE(review): only group "users" is whitelisted for gid changes, while
# initgroups() for root calls setgroups() with root's supplementary groups;
# that this passes under a user role but not under a group role suggests the
# role is re-resolved once the gid changes -- confirm via the RBAC denial
# lines in the kernel log rather than by trial and error.
user_transition_allow root
group_transition_allow users
/ h
/root
/bin h
/bin/su x
/dev h
/dev/log rw
/dev/urandom r
# /etc/shadow is not hidden here (only its backup is), presumably so su can
# verify the password; the other credential stores stay hidden.
/etc r
/etc/grsec h
/etc/ssh h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/lib rx
/usr h
/usr/lib/locale/en_US/LC_CTYPE r
/usr/share/locale r
/usr/share/zoneinfo r
/var h
/var/run
/var/run/utmp rw
/proc
/proc/sys/kernel/ngroups_max r
/proc/kcore h
/proc/bus h
# Only the two capabilities needed for the uid/gid switch are granted.
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
# sshd once it runs under vulture's role (presumably after switching to the
# session user): minimal objects to spawn the login shell and use the pty.
subject /usr/sbin/sshd o {
/ h
/bin h
/bin/bash x
/dev h
/dev/log rw
/dev/pts rw
/dev/tty rw
/etc h
/etc/security/pam_env.conf r
# Read-only view of all of /home for this process; write access to homes is
# presumably picked up from the role's default subject once the shell is
# exec'd -- confirm.
/home r
/usr h
/usr/share/zoneinfo
-CAP_ALL
bind disabled
connect disabled
}
Are there any hints or other things we should keep in mind while we try to write a generalized policy? The documentation is not as good as one would like it to be. We have tried to find something via Google and have searched the forums, without result. It would be very nice if somebody could point us in a direction that could lead to a working policy. Thanks a lot.