Page 1 of 1

Feature Suggestion: Clarify gradm warning output

PostPosted: Sun Dec 07, 2014 6:13 pm
by tjh
Tweaking my policy file and checking it, I get the following:

Code: Select all
root@beaker:/etc/grsec# gradm -C
Warning: write access is allowed to your subject for /home/USER/USER/USER.conf in role muppet.  Please ensure that the subject is running with less privilege than the default subject.
Warning: You have enabled some form of learning on the subject for /usr/lib/postfix/smtpd in role root.  You have not used -L on the command line however.  If you wish to use learning on this subject, use the -L argument to gradm.  Otherwise, remove the learning flag on this subject.
Warning: permission for symlink /bin/sh in role www-data, subject /usr/bin/php5 does not match that of its matching target object /bin/dash.  Symlink is specified on line 3365 of /etc/grsec/policy.
Warning: permission for symlink /etc/alternatives/php in role www-data, subject /bin/dash does not match that of its matching target object /usr/bin.  Symlink is specified on line 3335 of /etc/grsec/policy.
Warning: permission for symlink /usr/lib/sendmail in role log2mail, subject / does not match that of its matching target object /usr/sbin/sendmail.  Symlink is specified on line 3172 of /etc/grsec/policy.
Warning: permission for symlink /etc/resolv.conf in role tim, subject /usr/local/dropbox/dropbox does not match that of its matching target object /run/resolvconf/resolv.conf.  Symlink is specified on line 3010 of /etc/grsec/policy.
Warning: permission for symlink /etc/resolv.conf in role tim, subject /bin/ping does not match that of its matching target object /run/resolvconf/resolv.conf.  Symlink is specified on line 2491 of /etc/grsec/policy.
Warning: permission for symlink /usr/lib/i386-linux-gnu/libck-connector.so.0 in role root, subject /usr/sbin/cron does not match that of its matching target object /usr/lib/i386-linux-gnu/libck-connector.so.0.0.0.  Symlink is specified on line 1542 of /etc/grsec/policy.
Warning: permission for symlink /bin/sh in role root, subject /usr/sbin/cron does not match that of its matching target object /bin/dash.  Symlink is specified on line 1518 of /etc/grsec/policy.
Warning: permission for symlink /proc/mounts in role root, subject /usr/bin/lsof does not match that of its matching target object /proc.  Symlink is specified on line 607 of /etc/grsec/policy.
There were 1 holes found in your RBAC configuration.  These must be fixed before the RBAC system will be allowed to be enabled.


What's interesting is that they're all "Warning" but in fact, one of them (the fact I've left learning enabled) is actually an error.

I think that:

a) The "holes" message shouldn't be shown when -C is used (rather the warning should be there) and the last line could be omitted (it's not a hole when you're checking)
b) If I try to actually enable the RBAC policy without the learning flag, the Learning Message should be changed from a Warning to an Error so that the actual "It won't apply because of this" error is clear.

Just a suggestion.

Tim

Re: Feature Suggestion: Clarify gradm warning output

PostPosted: Sun Dec 07, 2014 8:14 pm
by spender
Hi Tim,

Thanks, I just fixed the prefix (there was another instance as well) in git.
https://cvsweb.grsecurity.net/?p=gradm. ... 11c1ffefe1

-Brad