I've been a Gentoo (hardened) user for more than a year, but now I have a problem that I cannot resolve.
My kernel is compiled with the following options:
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# Address Space Protection
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
# CONFIG_GRKERNSEC_HIDESYM is not set
#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
I installed gradm version 2.1.9.200602141850 and set up two passwords for the RBAC system as follows:
# gradm -P
Setting up grsecurity RBAC password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
and
# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
At this stage I was able to start and stop the RBAC system with "gradm -D" and "gradm -E".
Then I started gradm in learning mode with:
# gradm -F -L /etc/grsec/learn_config
and after a week
gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles
So the problem is that I can no longer disable or enable RBAC (it is enabled at the moment): every attempt fails with "Invalid password". I'm pretty sure the passwords are correct.
I've tried changing the passwords, and gradm seems to accept the new ones without errors ("Password written to /etc/grsec/pw."), but I still cannot manage RBAC because of "Invalid password".
I found a similar problem on your forum and, following that topic, ran:
# strace gradm -D
execve("/sbin/gradm", ["gradm", "-D"], [/* 26 vars */]) = 0
uname({sys="Linux", node="senser", ...}) = 0
brk(0) = 0x80923d8
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=26533, ...}) = 0
mmap2(NULL, 26533, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4c103000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0PP\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1228712, ...}) = 0
mmap2(NULL, 1158300, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4bfe8000
madvise(0x4bfe8000, 1158300, MADV_SEQUENTIAL|0x1) = 0
mmap2(0x4c0fd000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x115) = 0x4c0fd000
mmap2(0x4c101000, 7324, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4c101000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4bfe7000
mprotect(0x4c0fd000, 4096, PROT_READ) = 0
mprotect(0x8080000, 4096, PROT_READ) = 0
mprotect(0x4c120000, 4096, PROT_READ) = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0x4bfe78c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0x4c103000, 26533) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "\206\304\326m", 4) = 4
close(3) = 0
geteuid32() = 0
getuid32() = 0
uname({sys="Linux", node="senser", ...}) = 0
setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = 0
brk(0) = 0x80923d8
brk(0x80b33d8) = 0x80b33d8
brk(0x80b4000) = 0x80b4000
getcwd("/etc/grsec", 4095) = 11
mlock(0x5ab042f0, 256) = 0
ioctl(0, TIOCEXCL, 0) = 0
open("/dev/grsec", O_WRONLY) = 3
write(3, "\0000\260Z\31\2\0\0\34\1\0\0", 12) = -1 EPERM (Operation not permitted)
close(3) = 0
mlock(0x5ab02fd0, 256) = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4c109000
write(1, "Password: ", 10Password: ) = 10
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon -echo ...}) = 0
read(0,
Please give me some information about where the problem is.
Thank you for your time in advance.