gradm generates corrupted policy
Posted: Fri Jan 14, 2011 12:39 pm
Hey,
I'm having an lxc - grsec setup (4 lxc containers running on a grsec enabled host system). After being for 2 days in full learn mode I've tried to generate the policy for gradm.
This was successfull, however when I checked the policy with gradm -C, gradm spits out several errors:
In order to fix this error I removed the subject entries for lockfile-remote and lockfile-touch which spits out just the same error.
Afterwards I get the notification that /dev/ is not hidden for the user "man", after fixing this gradm -C doesn yell around anymore.
But after loading the policy with gradm -E dmesg outputs a LOT of denied access to quite common files, which are (in my eyes) readable according to the policy:
All system services (httpd, smtpd, ejabberd, imapd, etc.) stop to work immidately, ssh is running without problems.
Is this kind of behaviour normal for RBAC? I supposed the full learning mode to generate a working copy so that the daemons which were running during the learning phase can run without problems when the policy is activated. If anybody has a clue what is going on here, it would be nice to get a hint.
Thanks in advance
ps: I can of course provide the complete policy and learning.log file if necessary
Here are some of the dmesg entries, just for reference:
[279227.044125] grsec: From 134.61.86.234: (root:U:/sbin/klogd) denied access to hidden file /etc/localtime by /sbin/klogd[klogd:2990] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1728] uid/euid:0/0 gid/egid:0/0
[278976.869691] grsec: From 134.61.86.234: (root:U:/usr/sbin/cron) denied access to hidden file /etc/crontab by /usr/sbin/cron[cron:2901] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1728] uid/euid:0/0 gid/egid:0/0
[278976.869393] grsec: From 134.61.86.234: (root:U:/usr/sbin/cron) denied access to hidden file /var/spool/cron/crontabs by /usr/sbin/cron[cron:2901] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1728] uid/euid:0/0 gid/egid:0/0
[278975.968128] grsec: From 85.197.21.96: (root:U:/usr/lib/postfix/master) denied access to hidden file /var/spool/postfix/public/pickup by /usr/lib/postfix/master[master:10792] uid/euid:0/102 gid/egid:0/104, parent /sbin/init[init:1887] uid/euid:0/0 gid/egid:0/0
[278963.969907] grsec: From 85.197.21.96: (root:U:/usr/lib/postfix/master) denied access to hidden file /usr/lib/postfix/smtpd by /usr/lib/postfix/master[master:11050] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:10792] uid/euid:0/0 gid/egid:0/0
[278661.498623] grsec: From 85.197.21.96: (Debian-exim:U:/usr/lib/dovecot/imap-login) denied access to hidden file /var/run/dovecot/login/ssl-parameters.dat by /usr/lib/dovecot/imap-login[imap-login:26569] uid/euid:103/103 gid/egid:106/106, parent /usr/sbin/dovecot[dovecot:3795] uid/euid:0/0 gid/egid:0/0
[278671.779532] grsec: From 134.61.86.234: (root:U:/sbin/syslogd) denied access to hidden file /etc/localtime by /sbin/syslogd[syslogd:2818] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1728] uid/euid:0/0 gid/egid:0/0
I'm having an lxc - grsec setup (4 lxc containers running on a grsec enabled host system). After being for 2 days in full learn mode I've tried to generate the policy for gradm.
This was successfull, however when I checked the policy with gradm -C, gradm spits out several errors:
Duplicate subject found for "/usr/bin/lockfile-remove" in role root, on line 751 of /etc/grsec/policy.
"/usr/bin/lockfile-remove" references the same object as "/usr/bin/lockfile-create" specified on an earlier line.
The RBAC system will not load until this error is fixed.
In order to fix this error I removed the subject entries for lockfile-remote and lockfile-touch which spits out just the same error.
Afterwards I get the notification that /dev/ is not hidden for the user "man", after fixing this gradm -C doesn yell around anymore.
But after loading the policy with gradm -E dmesg outputs a LOT of denied access to quite common files, which are (in my eyes) readable according to the policy:
All system services (httpd, smtpd, ejabberd, imapd, etc.) stop to work immidately, ssh is running without problems.
Is this kind of behaviour normal for RBAC? I supposed the full learning mode to generate a working copy so that the daemons which were running during the learning phase can run without problems when the policy is activated. If anybody has a clue what is going on here, it would be nice to get a hint.
Thanks in advance
ps: I can of course provide the complete policy and learning.log file if necessary
Here are some of the dmesg entries, just for reference:
[279227.044125] grsec: From 134.61.86.234: (root:U:/sbin/klogd) denied access to hidden file /etc/localtime by /sbin/klogd[klogd:2990] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1728] uid/euid:0/0 gid/egid:0/0
[278976.869691] grsec: From 134.61.86.234: (root:U:/usr/sbin/cron) denied access to hidden file /etc/crontab by /usr/sbin/cron[cron:2901] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1728] uid/euid:0/0 gid/egid:0/0
[278976.869393] grsec: From 134.61.86.234: (root:U:/usr/sbin/cron) denied access to hidden file /var/spool/cron/crontabs by /usr/sbin/cron[cron:2901] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1728] uid/euid:0/0 gid/egid:0/0
[278975.968128] grsec: From 85.197.21.96: (root:U:/usr/lib/postfix/master) denied access to hidden file /var/spool/postfix/public/pickup by /usr/lib/postfix/master[master:10792] uid/euid:0/102 gid/egid:0/104, parent /sbin/init[init:1887] uid/euid:0/0 gid/egid:0/0
[278963.969907] grsec: From 85.197.21.96: (root:U:/usr/lib/postfix/master) denied access to hidden file /usr/lib/postfix/smtpd by /usr/lib/postfix/master[master:11050] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:10792] uid/euid:0/0 gid/egid:0/0
[278661.498623] grsec: From 85.197.21.96: (Debian-exim:U:/usr/lib/dovecot/imap-login) denied access to hidden file /var/run/dovecot/login/ssl-parameters.dat by /usr/lib/dovecot/imap-login[imap-login:26569] uid/euid:103/103 gid/egid:106/106, parent /usr/sbin/dovecot[dovecot:3795] uid/euid:0/0 gid/egid:0/0
[278671.779532] grsec: From 134.61.86.234: (root:U:/sbin/syslogd) denied access to hidden file /etc/localtime by /sbin/syslogd[syslogd:2818] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1728] uid/euid:0/0 gid/egid:0/0