Abnormal behaviour of RBAC system
Posted: Sat Jan 28, 2006 11:25 pm
I upgraded to grsecurity-2.1.8 from 2.1.6 today and ran into some trouble. My issue involves connecting to /dev/log.
When the RBAC system is first enabled, everything appears to work ok. However, when I send the HUP signal to syslog-ng, the RBAC system denies any further attempts to use /dev/log. Following is a little demonstration:
Code:
radon ~ # logger start
radon ~ # gradm -a admin
radon ~ # gradm -a admin
Password:
radon ~ # killall -HUP syslog-ng
radon ~ # gradm -u
radon ~ # logger "this will fail"
radon ~ # gradm -D
Password:
radon ~ # gradm -E
radon ~ # logger "works again"
And the corresponding logs produced:
Code:
Jan 29 14:17:09 radon logger: start
Jan 29 14:17:25 radon grsec: From 202.173.182.14: (default:D:/sbin/gradm) successful change to special role admin (id 77) by /sbin/gradm[gradm:8076] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18860] uid/euid:0/0 gid/egid:0/0
Jan 29 14:17:33 radon syslog-ng[1768]: SIGHUP received, restarting syslog-ng
Jan 29 14:17:35 radon syslog-ng[1768]: new configuration initialized
Jan 29 14:17:35 radon syslog-ng[1768]: Changing permissions on special file /dev/tty12
Jan 29 14:17:35 radon syslog-ng[1768]: Changing permissions on special file /dev/tty12
Jan 29 14:17:35 radon grsec: From 202.173.182.14: (default:D:/usr/sbin/syslog-ng) denied chown of /dev/log by /usr/sbin/syslog-ng[syslog-ng:1768] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jan 29 14:17:35 radon grsec: From 202.173.182.14: (default:D:/usr/sbin/syslog-ng) denied chmod of /dev/log by /usr/sbin/syslog-ng[syslog-ng:1768] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jan 29 14:17:39 radon grsec: From 202.173.182.14: (admin:S:/) successful unauth of special role admin (id 77) by /sbin/gradm[gradm:16750] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18860] uid/euid:0/0 gid/egid:0/0
Jan 29 14:18:08 radon grsec: From 202.173.182.14: (default:D:/usr/bin/logger) denied connect() to the unix domain socket /dev/log by /usr/bin/logger[logger:27755] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18860] uid/euid:0/0 gid/egid:0/0
Jan 29 14:18:29 radon grsec: From 202.173.182.14: shutdown auth success for /sbin/gradm[gradm:27561] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18860] uid/euid:0/0 gid/egid:0/0
Jan 29 14:18:31 radon grsec: From 202.173.182.14: (default:D:/sbin/gradm) grsecurity 2.1.8 RBAC system loaded by /sbin/gradm[gradm:7745] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18860] uid/euid:0/0 gid/egid:0/0
Jan 29 14:18:42 radon logger: works again
As you can see, when /dev/log becomes inaccessible, simply disabling and enabling (restarting works too) the RBAC system rectifies the problem.
Also, if someone knows how to stop the chown and chmod messages produced by syslog-ng, I would love to hear them. Following are my ACLs for syslog-ng and logger.
Code:
subject /usr/sbin/syslog-ng dpo {
/ h
/etc h
/etc/ld.so.cache r
/etc/syslog-ng/syslog-ng.conf r
/etc/resolv.conf r
/etc/syslog-ng r
/etc/group r
/etc/passwd r
/lib rx
/proc h
/proc/kmsg r
/usr h
/usr/sbin/syslog-ng rx
/usr/share/zoneinfo r
/var h
/var/log rwc
/var/run
/var/run/syslog-ng.pid w
/var/lib/config_repository h
/dev
/dev/log rwcd
/dev/null rw
/dev/urandom r
/dev/tty12 rw
/dev/vc
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
-CAP_ALL
+CAP_MKNOD
+CAP_FSETID
+CAP_CHOWN
bind disabled
connect disabled
}
subject /usr/bin/logger {
/dev/log rw
/var/run/utmp rw
}
Note that logger extends the default policy where /dev has find access.
Looking forward to your replies.
Cheers,
Brad
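The log excerpt above shows denials on /dev/log while both subjects name /dev/log with at least rw, so the useful first check is to read the denial lines back against the policy text and see which ones the policy, as written, should have allowed. The script below is an added example for that check; it is not code from the post or from grsecurity. It parses the denial shapes that appear in the post ("denied <op> of <path> by ..." and "denied connect() to the unix domain socket <path> by ...") plus the "denied open of <path> for reading by ..." shape, reads the object lines of the gradm subject blocks, picks the most specific matching object (longest path prefix, as grsec does), and labels each denial. The mapping of operations to the object-mode letter they need (chown, chmod and connect() treated as write access) is an assumption of this example, and the sample log and policy embedded in it are constructed from the post's lines with one extra constructed "open" line added to show the hidden-object case.

```python
"""Cross-check grsec RBAC denial lines against the gradm subject they name.
Added example, not from the post or from grsecurity; sample data is constructed."""
import re
from collections import Counter

DENIAL_RE = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?"
    r"\((?P<role>[^:)]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied (?P<op>\S+) (?:of|to the unix domain socket) (?P<obj>\S+?)"
    r"(?: for (?P<access>\w+))? by (?P<exe>\S+)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\]"
)
# Assumption: object-mode letter each denied operation needs (chown/chmod/connect()
# on a unix socket are treated here as write access to the path).
REQUIRED_MODE = {"chown": "w", "chmod": "w", "connect()": "w", "unlink": "d"}
SUBJECT_RE = re.compile(r"^subject\s+(\S+)(?:\s+(\S+))?\s*\{$")


def parse_denials(lines):
    """One dict per grsec denial line; lines that are not denials are skipped."""
    return [m.groupdict() for m in map(DENIAL_RE.search, lines) if m]


def parse_policy(text):
    """gradm subject blocks -> {subject: {flags, objects{path: mode}, caps, socket}}."""
    policy, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBJECT_RE.match(line)
        if not line or line.startswith("#"):
            continue
        elif m:
            cur = policy[m.group(1)] = {"flags": m.group(2) or "", "objects": {},
                                        "caps": [], "socket": {}}
        elif line == "}":
            cur = None
        elif cur is None:
            continue                      # role lines etc. are not needed here
        elif line[0] in "+-" and line[1:].startswith("CAP_"):
            cur["caps"].append(line)
        elif line.split()[0] in ("bind", "connect"):
            key, val = line.split(None, 1)
            cur["socket"][key] = val
        else:
            parts = line.split()          # "path" or "path mode"; no mode = find only
            cur["objects"][parts[0]] = parts[1] if len(parts) > 1 else ""
    return policy


def match_object(objects, path):
    """Most specific policy object covering path (longest matching path prefix)."""
    hits = [p for p in objects if path == p or path.startswith(p.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def needed_mode(d):
    if d["op"] == "open":
        return "w" if d["access"] == "writing" else "r"
    return REQUIRED_MODE.get(d["op"])


def verdict(d, policy):
    subj = policy.get(d["subject"])
    if subj is None:
        return "NO_SUBJECT"
    need = needed_mode(d)
    if need is None:
        return "UNKNOWN_OP"
    p = match_object(subj["objects"], d["obj"])
    if p is None:
        return "NO_OBJECT"
    mode = subj["objects"][p]
    if "h" in mode:
        return "HIDDEN_BY " + p
    if all(c in mode for c in need):
        return "GRANTED_BY_POLICY"        # policy text allows it: the object did not match
    return "MODE_MISSING need=%s have=%r via %s" % (need, mode, p)


def audit(log_lines, policy_text):
    """Sorted [(subject, op, object), count, verdict] for every denial in the log."""
    policy, counts, verdicts = parse_policy(policy_text), Counter(), {}
    for d in parse_denials(log_lines):
        key = (d["subject"], d["op"], d["obj"])
        counts[key] += 1
        verdicts[key] = verdict(d, policy)
    return [(k, counts[k], verdicts[k]) for k in sorted(counts)]


# Constructed sample: three denial lines from the post plus one made-up "open" line.
SAMPLE_LOG = [
    "Jan 29 14:17:35 radon grsec: From 202.173.182.14: (default:D:/usr/sbin/syslog-ng) denied chown of /dev/log by /usr/sbin/syslog-ng[syslog-ng:1768] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Jan 29 14:17:35 radon grsec: From 202.173.182.14: (default:D:/usr/sbin/syslog-ng) denied chmod of /dev/log by /usr/sbin/syslog-ng[syslog-ng:1768] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Jan 29 14:18:08 radon grsec: From 202.173.182.14: (default:D:/usr/bin/logger) denied connect() to the unix domain socket /dev/log by /usr/bin/logger[logger:27755] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18860] uid/euid:0/0 gid/egid:0/0",
    "Jan 29 14:20:00 radon grsec: (default:D:/usr/sbin/syslog-ng) denied open of /etc/shadow for reading by /usr/sbin/syslog-ng[syslog-ng:1768] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
]
SAMPLE_POLICY = """
subject /usr/sbin/syslog-ng dpo {
    / h
    /etc h
    /var/log rwc
    /dev
    /dev/log rwcd
    -CAP_ALL
    +CAP_CHOWN
    connect disabled
}
subject /usr/bin/logger {
    /dev/log rw
}
"""
```

Running audit(SAMPLE_LOG, SAMPLE_POLICY) reports all three /dev/log denials as GRANTED_BY_POLICY and the constructed /etc/shadow open as HIDDEN_BY /etc. A GRANTED_BY_POLICY verdict is the interesting one: the policy text is not the problem, so the kernel's object for that path no longer matched the file it was checking, which is what one would expect if the socket at /dev/log had been removed and recreated after the policy was loaded; that reading is an interpretation added here, not something the post states, but it is consistent with the fact that reloading the policy (gradm -D, gradm -E) made /dev/log usable again.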