Feb 4 10:53:54 lumberjack kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /sbin/udevd[udevd:953] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 4 10:53:54 lumberjack kernel: grsec: (default:D:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/udevd[udevd:953] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 4 10:53:54 lumberjack kernel: grsec: (default:D:/) denied mkdir of /dev/.udev/queue by /sbin/udevd[udevd:953] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 4 10:53:54 lumberjack kernel: grsec: (default:D:/) denied mknod of /dev/vcs9 by /sbin/udevd[udevd:17100] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:953] uid/euid:0/0 gid/egid:0/0
My udev profile looks like:
subject /sbin/udev {
/dev
/dev/vcs rwm
/dev/vcs* rwcdm
/dev/.udevdb rwcd
/dev/.udev rwcd
/dev/log rw
connect 0.0.0.0/0:0 stream
-CAP_ALL
+CAP_CHOWN
+CAP_MKNOD
+CAP_SYS_TTY_CONFIG
}
As far as I can tell it's ignoring the references to /dev, the +CAP_MKNOD and the connect line as well.
Here is my default subject:
subject /
/ rx
/opt rx
/home rx
/mnt rw
/dev
/dev/grsec h
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/psaux rw
/dev/null rw
/dev/tty0 rw
/dev/tty1 rw
/dev/tty2 rw
/dev/tty3 rw
/dev/tty4 rw
/dev/tty5 rw
/dev/tty6 rw
/dev/tty7 rw
/dev/tty8 rw
/dev/tty9 rw
/dev/console rw
/dev/tty rw
/dev/pts rw
/dev/ptmx rw
/dev/initctl rw
/dev/fd0 r
/dev/cdrom r
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/kcore h
/proc/sys r
/root r
/tmp rwcd
/var rwxcd
/var/tmp rwcd
/var/log r
/boot r
/etc/grsec h
/etc/ssh h
/etc/shadow h
/proc/sys/kernel/version r
/proc/self r
/proc/self/loginuid rw
# if sshd needs to be restarted, it can be done through the admin role
-CAP_KILL
-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_SYS_CHROOT
-CAP_SYS_BOOT
bind disabled
connect disabled
I can't seem to find any inheritance problem that would override these settings. All the same, something appears to be overriding them.
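An added example, not from the post or from grsecurity, that parses the denial lines quoted above and cross-checks them against the policy's subject headers: the `(role:type:subject)` prefix in each grsec denial names the subject the kernel actually applied, so pairing it with the denied binary shows whether that binary has a subject of its own or fell through to the default `/` subject. The log lines and subject headers are copied from the post; the regexes are my assumption about the log and policy format.

```python
import re

# Sample input, copied from the post above (constructed fixture, not read from syslog).
LOG = """\
Feb 4 10:53:54 lumberjack kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /sbin/udevd[udevd:953] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 4 10:53:54 lumberjack kernel: grsec: (default:D:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/udevd[udevd:953] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 4 10:53:54 lumberjack kernel: grsec: (default:D:/) denied mkdir of /dev/.udev/queue by /sbin/udevd[udevd:953] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 4 10:53:54 lumberjack kernel: grsec: (default:D:/) denied mknod of /dev/vcs9 by /sbin/udevd[udevd:17100] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:953] uid/euid:0/0 gid/egid:0/0
"""

# Minimal policy excerpt: only the subject headers from the post matter here.
POLICY = """\
subject /sbin/udev {
  /dev/log rw
}
subject / {
  / rx
}
"""

# (role:roletype:subject) <operation> by|for <binary>[<comm>:<pid>]  (assumed format)
DENY_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"(?P<what>.+?) (?:by|for) (?P<binary>/\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)
SUBJECT_RE = re.compile(r"^\s*subject\s+(\S+)", re.M)

def parse_denials(text):
    """Return one dict per grsec denial line; unrelated lines are skipped."""
    return [m.groupdict() for m in (DENY_RE.search(l) for l in text.splitlines()) if m]

def policy_subjects(text):
    """Set of subject paths declared in an RBAC policy text."""
    return set(SUBJECT_RE.findall(text))

def diagnose(log_text, policy_text):
    """For each denial, report the subject the kernel applied and whether the
    denied binary has a subject declared for its exact path in the policy."""
    subjects = policy_subjects(policy_text)
    return [{
        "binary": d["binary"],
        "applied_subject": d["subject"],
        "defined_for_binary": d["binary"] in subjects,
        "operation": d["what"],
    } for d in parse_denials(log_text)]

if __name__ == "__main__":
    for f in diagnose(LOG, POLICY):
        tag = "own subject" if f["defined_for_binary"] else "NO subject for this path"
        print(f'{f["binary"]}: applied={f["applied_subject"]} ({tag}): {f["operation"]}')
```

Run against a real syslog and policy file, the same check reports every binary whose denials were judged under a subject other than one declared for its own path.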