grsecurity forums

Posted: **Wed Nov 28, 2007 3:41 pm**

I am running Fedora 7 (I have experienced this on both 32 bit and 64 bit). Under 2.6.19 and 2.6.23.9 i get the exact same behavior. With RBAC enabled i try to log in and after typing in the username the system sits for a second then resets login. The only message in the logs is from login and reads:

Code: Select all: localhost login: FATAL: bad tty

I have no idea what significance this has but i have found an interesting procedure that results in a successful login.

Step 1: With RBAC turned off try and log into a terminal giving a inforrect username and password.
Step 2: Switch to a different terminal enable RBAC.
Step 3: Return to the terminal mentioned in step 1 and supply a correct username and password, this time you are logged in successfully.

My RBAC template for login:

Code: Select all: subject /bin/login do { / rx /bin/bash x /dev r /dev/log rw /dev/random r /dev/urandom r /dev/null rw /dev/ptmx rw /dev/pts rw /dev/tty rw /dev/tty? rw /etc r /etc/grsec h /root /proc r /proc/*/loginuid rw /proc/kcore h /proc/sys h /proc/sys/kernel/ h /proc/sys/kernel/ngroups_max r /usr/lib rx /usr/share/zoneinfo r /var/log /var/mail /var/log/faillog rcw /var/log/lastlog rcw /var/log/wtmp w /var/log/btmp w /var/run/utmp rw /var/run/btmp rw /var/run/console r /var/run/console/* rwcd /var/run/dbus/system_bus_socket rw -CAP_ALL +CAP_CHOWN +CAP_SETGID +CAP_SETUID +CAP_SYS_CHROOT +CAP_SYS_RESOURCE +CAP_SYS_TTY_CONFIG +CAP_NET_ADMIN RES_CORE 10M 10M }

RBAC Policy for mingetty:

Code: Select all: subject /sbin/mingetty { /dev /proc rx /proc/sys h /dev/log rw /var/log/wtmp rw /dev/vc* rw /dev/tty* rw /dev/pts* rw -CAP_ALL +CAP_CHOWN +CAP_SYS_TTY_CONFIG }

Posted: **Wed Nov 28, 2007 7:09 pm**

I think I had a similar issue with ttys, but with sshd. What happens if you remove the 'd' from the /bin/login subject?

Posted: **Thu Nov 29, 2007 10:15 am**

zakalwe wrote:I think I had a similar issue with ttys, but with sshd. What happens if you remove the 'd' from the /bin/login subject?

If i remove the d i can get a little further (it lets me put in my password). The end result is the same, no error, just a new login screen.

Posted: **Wed Dec 19, 2007 3:40 pm**

I realize this post is a little old, but anyway, here is what I did. I was in the same situation with Fedora 7, and this worked for me. And yes, I do realize there is a CAP_ALL.

Code: Select all: subject /bin/login o { / rx /etc/shadow r /bin/bash x /dev r /dev/log rw /dev/random r /dev/urandom r /dev/null rw /dev/ptmx rw /dev/pts rw #/dev/tty rw #/dev/tty? rw /dev/tty0 rw /dev/tty1 rw /dev/tty2 rw /dev/tty3 rw /dev/tty4 rw /dev/tty5 rw /dev/tty6 rw /dev/tty7 rw /dev/tty8 rw /dev/console rw /dev/tty rw /etc r /etc/grsec h /root /proc r /proc/*/loginuid rw /proc/kcore h /proc/sys h /proc/sys/kernel/ h /proc/sys/kernel/ngroups_max r /usr/lib rx /usr/share/zoneinfo r /var/log /var/mail /var/log/faillog rcw /var/log/lastlog rcw /var/log/wtmp w /var/log/btmp w /var/run/utmp rw /var/run/btmp rw /var/run/console r /var/run/console/* rwcd /var/run/dbus/system_bus_socket rw +CAP_CHOWN +CAP_SETGID +CAP_SETUID +CAP_FOWNER +CAP_FSETID +CAP_SYS_TTY_CONFIG +CAP_DAC_OVERRIDE +CAP_NET_ADMIN -CAP_SYS_CHROOT -CAP_SYS_RESOURCE -CAP_NET_BIND_SERVICE -CAP_DAC_READ_SEARCH -CAP_IPC_LOCK -CAP_IPC_OWNER -CAP_KILL -CAP_LEASE -CAP_LINUX_IMMUTABLE -CAP_MKNOD -CAP_NET_BROADCAST -CAP_NET_RAW -CAP_SETPCAP -CAP_SYS_ADMIN -CAP_SYS_BOOT -CAP_SYS_MODULE -CAP_SYS_NICE -CAP_SYS_PACCT -CAP_SYS_PTRACE -CAP_SYS_RAWIO -CAP_SYS_TIME RES_CORE 10M 10M }

grsecurity forums

Login being denied without error in Fedora 7

Login being denied without error in Fedora 7