
Username and groupname formats

PostPosted: Thu Aug 04, 2005 11:44 am
by Loggy
It seems that grsec (or at least gradm) doesn't like a "." (or "-" or "_" or possibly others) in usernames and I assume groupnames. These are legal Unix names.

e.g.
Code:
role adm.jl u
subject /
    /                               rwcdmlxi
    +CAP_ALL
leads to:
No role type specified for adm on line 102 of /etc/grsec/policy.
The RBAC system will not be allowed to be enabled until this error is fixed.
for user adm.jl which BTW is correctly interpreted by the gradm learning.

Much the same happens if I put a user as a member of a user domain although the message is slightly different:
User adm on line 102 of /etc/grsec/policy does not exist.
Is there a simple fix?

I guess it is actually gradm that is the problem.

(I posted this on the mailing list but that is rather less busy than this it seems nowadays!)

PostPosted: Thu Aug 04, 2005 5:07 pm
by Loggy
In the time-honoured habit of answering my own question, I poked through the source, found the regexes that control the name and modified them. Grep now gives:
Code:
gradm_fulllearn_pass1.l:ROLENAME [a-zA-Z0-9._-]{1,30}
gradm_fulllearn_pass2.l:ROLENAME [a-zA-Z0-9._-]{1,30}
gradm_fulllearn_pass3.l:ROLENAME [a-zA-Z0-9._-]{1,30}
gradm.l:<ROLE_STATE>[a-zA-Z0-9._-]{1,30}                {
gradm.l:<DOMAIN_STATE>[a-zA-Z0-9._-]{1,30}      {
gradm.l:<DOMAINLIST_STATE>[a-zA-Z0-9._-]{1,30}  {
gradm.l:<ROLETRANS_STATE>[a-zA-Z0-9._-]{1,30}   {
gradm.l:<IDTRANS_STATE>[a-zA-Z0-9._-]{1,30}     {
gradm_learn_pass1.l:ROLENAME [a-zA-Z0-9._-]{1,30}
gradm_learn_pass2.l:ROLENAME [a-zA-Z0-9._-]{1,30}
Note that I altered the regexes from [_a-zA-Z0-9-] to [a-zA-Z0-9._-] as the _ didn't appear to work.

It now recognises usernames with a period but in the make procedure, the 5 learning routines all produced a warning:
"./gradm_fulllearn_pass1.l", line 46: warning, rule cannot be matched
- note at the same line number for all.

Any flex clues welcome. I don't yet know whether learning will work.
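The following is an added example, not code from the post or from gradm, that models in Python what the two ROLENAME character classes quoted above do to a policy line, and how a flex scanner chooses between rules. It assumes a simplified "role NAME TYPE" line, uses the longest-match-then-earliest-rule selection that flex actually implements, and stands in a hypothetical DOTTED rule (the post does not show what is at line 46 of the learning lexers) to illustrate why widening an earlier pattern can leave a later rule with nothing left to match. The input lines are constructed.

```python
import re

# Character classes quoted in the post: gradm's original ROLENAME class and
# the widened one that also admits "." (taken from the grep output above).
ORIGINAL_ROLENAME = r"[_a-zA-Z0-9-]{1,30}"
WIDENED_ROLENAME = r"[a-zA-Z0-9._-]{1,30}"


def lex_role_line(line, rolename_pattern):
    """Simulate how a flex-generated lexer in ROLE_STATE consumes a
    'role NAME TYPE' policy line: the longest prefix matching the role-name
    pattern becomes the name token, and whatever follows is what the parser
    sees next. Simplified model for illustration, not gradm's real lexer."""
    m = re.match(r"role[ \t]+", line)
    if not m:
        return {"error": "not a role line", "line": line}
    rest = line[m.end():]
    name_m = re.match(rolename_pattern, rest)
    if not name_m:
        return {"error": "no role name", "line": line}
    name = name_m.group(0)
    after = rest[name_m.end():]
    # The role type must follow as the next whitespace-separated token.
    type_m = re.match(r"[ \t]+(\S+)[ \t]*$", after)
    if not type_m:
        # With the original class "adm.jl" is cut at the ".", so the parser
        # is handed ".jl u" where it expected a role type for "adm".
        return {"name": name,
                "error": f"No role type specified for {name}",
                "leftover": after}
    return {"name": name, "type": type_m.group(1)}


def flex_pick(rules, text):
    """Which rule a flex scanner fires at the start of text: the longest
    match wins, and on equal length the rule listed first wins."""
    best_name, best_end = None, 0
    for name, pattern in rules:
        m = re.match(pattern, text)
        if m and m.end() > best_end:
            best_name, best_end = name, m.end()
    return (best_name, text[:best_end]) if best_name else None


# Hypothetical later rule (assumption, not from gradm): a dotted numeric
# token that a rule listed after ROLENAME might want to recognise.
HYPOTHETICAL_LATER_RULE = ("DOTTED", r"[0-9]+\.[0-9]+")


def rules_with(rolename_pattern):
    """Rule table in flex order: ROLENAME first, the hypothetical rule after."""
    return [("ROLENAME", rolename_pattern), HYPOTHETICAL_LATER_RULE]


if __name__ == "__main__":
    # Constructed sample inputs.
    for label, pat in (("original", ORIGINAL_ROLENAME), ("widened", WIDENED_ROLENAME)):
        print(label, lex_role_line("role adm.jl u", pat))
        print(label, flex_pick(rules_with(pat), "1.5 u"))
```

With the original class the name token stops at the first ".", which is exactly the "No role type specified for adm" path; with the widened class the whole "adm.jl" is consumed and "u" is read as the type. The second function shows the other side of the change: once ROLENAME can also swallow "1.5", the later DOTTED rule ties on length and loses on order, so on that token it can never fire. flex's "rule cannot be matched" warning is the compile-time form of that observation for whichever rule sits at the reported line, so the fix is to narrow the widened pattern, reorder the rules, or confine the wider class to the start state where role names are actually expected.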