Now i have such rules:
- Code: Select all
role admin sA
subject / rvka
/ rwcdmlxi
role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}
role root uG
role_transitions admin
role_allow_ip 192.168.127.29/32
role_allow_ip 0.0.0.0/32
subject / {
/ h
/dev/urandom r
/dev/log r
/bin xi
/proc/meminfo r
/proc/sys/kernel/version r
/lib rxi
/sbin
$glibc_gconv_libs
$glibc_locale
/root
/usr/bin
/usr/bin/clear x
/usr/bin/find x
/usr/sbin
/usr/sbin/run-crons rx
/usr/share/zoneinfo r
/var/run
/var/spool/cron/lastrun rwcd
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/bash {
/dev
/etc/mtab r
/etc/sync_portage.sh x
/etc/bash/bash_logout r
/etc/passwd r
/etc/group r
/etc/profile r
/etc/profile.env r
/etc/inputrc r
/etc/bash_logout r
/etc/rc.conf r
/etc/init.d r
/etc/init.d/apmd rx
$dnsconf_common
/root rwcdl
$glibc_base_libs
$ncurses_libs
/opt
/opt/blackdown-jdk-1.4.1/bin
/usr
/usr/i686-pc-linux-gnu/gcc-bin/3.3.6
/sbin/gradm x
/sbin/shutdown x
/sbin/halt x
/sbin/reboot x
/sbin/poweroff x
/usr/bin/vim x
/usr/lib/portage/bin/emerge x
/var/spool/mail r
}
subject /bin/bash:/sbin/gradm o {
/etc/grsec r
/etc/grsec/pw r
/dev/grsec rw
/lib rxi
+CAP_ALL
bind disabled
connect disabled
}
When i enable grsecurity with gradm -E, i`m unable to disable it
or to authenticate to special admin role: i`m getting 'Invalid password' error.
No grsecurity errors in logs about bad auth or so.
My passwords are ok, if i change policy to default, all work ok.
Am i missing something with gradm rules? In docs it`s said that
# G -> This role can use gradm to authenticate to the kernel
# A policy for gradm will automatically be added to the role
maybe i`m lost some permissions that would be added otherwise automatically ?
Any help will be greatly appreciated.