grsecurity forums

I modified ACLs to restrict default policy as much as possible.
Now i have such rules:

Code: Select all

role admin sA
subject / rvka
        / rwcdmlxi

role default
subject / {
        /                               h
        -CAP_ALL
        connect disabled
        bind    disabled
}

role root uG
role_transitions admin
role_allow_ip   192.168.127.29/32
role_allow_ip   0.0.0.0/32

subject /  {
        /                               h

        /dev/urandom                    r
        /dev/log                        r

        /bin                            xi

        /proc/meminfo                   r
        /proc/sys/kernel/version        r

        /lib                            rxi

        /sbin

        $glibc_gconv_libs
        $glibc_locale

        /root

        /usr/bin
        /usr/bin/clear                  x
        /usr/bin/find                   x

        /usr/sbin
        /usr/sbin/run-crons             rx

        /usr/share/zoneinfo             r

        /var/run
        /var/spool/cron/lastrun         rwcd

        -CAP_ALL
        bind    disabled
        connect disabled
}

subject /bin/bash {
        /dev

        /etc/mtab                       r
        /etc/sync_portage.sh            x
        /etc/bash/bash_logout           r

        /etc/passwd                     r
        /etc/group                      r

        /etc/profile                    r
        /etc/profile.env                r
        /etc/inputrc                    r
        /etc/bash_logout                r
        /etc/rc.conf                    r

        /etc/init.d                     r
        /etc/init.d/apmd                rx

        $dnsconf_common

        /root                           rwcdl

        $glibc_base_libs
        $ncurses_libs

        /opt
        /opt/blackdown-jdk-1.4.1/bin

        /usr
        /usr/i686-pc-linux-gnu/gcc-bin/3.3.6

        /sbin/gradm                     x
        /sbin/shutdown                  x
        /sbin/halt                      x
        /sbin/reboot                    x
        /sbin/poweroff                  x

        /usr/bin/vim                    x
        /usr/lib/portage/bin/emerge     x

        /var/spool/mail                 r
}

subject /bin/bash:/sbin/gradm o {
        /etc/grsec      r
        /etc/grsec/pw   r
        /dev/grsec      rw
        /lib rxi
        +CAP_ALL
        bind disabled
        connect disabled
}


When i enable grsecurity with gradm -E, i`m unable to disable it
or to authenticate to special admin role: i`m getting 'Invalid password' error.

No grsecurity errors in logs about bad auth or so.

My passwords are ok, if i change policy to default, all work ok.


Am i missing something with gradm rules? In docs it`s said that

# G -> This role can use gradm to authenticate to the kernel
# A policy for gradm will automatically be added to the role

maybe i`m lost some permissions that would be added otherwise automatically ?

Any help will be greatly appreciated.

Your gradm subject needs "a" in the subject mode (see the sample policy documentation) to talk to the /dev/grsec device. Also, if you're going for least-privilege, gradm doesn't need CAP_ALL.

-Brad

thanks, this resolved the problem.

for gradm CAP_IPC_LOCK is enough.