I have a problem with the /sbin/udevd subject.
My grsec log:
May 13 17:17:00 localhost kernel: [ 9781.448952] grsec: (root:U:/sbin/gradm) grsecurity 3.0 RBAC system loaded by /sbin/gradm[gradm:4796] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3104] uid/euid:0/0 gid/egid:0/0
May 13 17:17:09 localhost kernel: [ 9790.144905] grsec: (root:U:/sbin/udevd) denied chmod of /dev/hidraw0 by /sbin/udevd[udevd:2762] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:1775] uid/euid:0/0 gid/egid:0/0
May 13 17:17:09 localhost kernel: [ 9790.144925] grsec: (root:U:/sbin/udevd) denied chown of /dev/hidraw0 by /sbin/udevd[udevd:2762] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:1775] uid/euid:0/0 gid/egid:0/0
May 13 17:17:09 localhost kernel: [ 9790.144942] grsec: (root:U:/sbin/udevd) denied access time change of /dev/hidraw0 by /sbin/udevd[udevd:2762] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:1775] uid/euid:0/0 gid/egid:0/0
My policy:
...
# Role: root
subject /sbin/udevd o {
    / h
    /dev r
    /dev/.udev rwcd
    /dev/bus h
    /dev/bus/usb/004 h
    /dev/bus/usb/004/[0-9][0-9][0-9] w
    /dev/char wcd
    /dev/grsec h
    /dev/hidraw0 w
    /dev/hidraw2 w
    /dev/input w
    /dev/input/by-id wd
    /dev/input/by-id/* rwcd
    /dev/input/by-path wd
    /dev/input/by-path/* rwcd
    /dev/kmem h
    /dev/log h
    /dev/mem h
    /dev/null rw
    /dev/port h
    /dev/vcs2 w
    /dev/vcs3 w
    /dev/vcs4 w
    /dev/vcs5 w
    /dev/vcs6 w
    /dev/vcsa2 w
    /dev/vcsa3 w
    /dev/vcsa4 w
    /dev/vcsa5 w
    /dev/vcsa6 w
    /lib h
    /lib/udev/path_id x
    /lib/udev/usb_id x
    /proc h
    /proc/cmdline r
    /sbin h
    /sbin/modprobe x
    /sbin/udevd rx
    /sys r
    -CAP_ALL
    +CAP_CHOWN
    +CAP_FOWNER
    +CAP_NET_ADMIN
    bind disabled
    connect disabled
    sock_allow_family unix inet netlink
}
....
I have tried to change:
- Capability (to +CAP_ALL)
- GRKERNSEC_CHROOT_CHMOD to 0 with sysctl
- to add m and s on the /dev/hidraw0 object
Sorry for my English.
Thanks for your help.
Best regards,
Romain