grsecurity resets roles related to network mount points
Posted: Sun Sep 11, 2011 3:11 am
A few annoying bugs I found when I tried to use grsecurity with some network mounts:
1. After closing and reopening the mount point, all rules related to that network mount are lost. When an application tries to open/read/write a file, it gets an error.
For example, I have in the role:

    /mnt # (none)
    /mnt/server/dir1 rwcd

with the mount point at /mnt/server.
The application fails to write to /mnt/server/dir1 after /mnt/server reconnects or is unmounted and mounted again. No entries in the logs (they usually appear when I try to write outside /mnt/server/dir1 from the application); messages are displayed only in dmesg.
2. Sometimes I am completely denied from mounting network shares. I think this is a misconfiguration of my role; I'll check this. But this happens as described above, without any logs, and a second try is usually successful.
After gradm -R everything works correctly. But this is annoying, because it breaks any application subject that works only with network mounts. If I allow the application to write anywhere (/mnt rwcd), RBAC will be almost useless for me. And reloading the rules after every remount or reconnect is annoying too.
Is it possible to fix this? Or is this the regular behavior with network/other (temporary) mounts?
If it helps: I use sshfs, I mount sshfs before enabling RBAC, and I mount sshfs with the allow_root option.
Big Thanks.
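Editor's note with an added example (not part of the original post, and not grsecurity or gradm code). The symptom above, rules for /mnt/server/dir1 silently stopping to match after the sshfs share is unmounted and remounted, is what one would expect if the RBAC policy resolves each object path to a device:inode pair when it is loaded: a remounted FUSE filesystem gets a new anonymous device number and new inodes, so the loaded object no longer points at the path the rule names until `gradm -R` re-resolves it. That resolution behaviour is stated here as an assumption. The script below is a practitioner's check for exactly that situation: record the device:inode identity of the paths named in the policy right after `gradm -E`, and after a remount or reconnect compare the live filesystem against that snapshot to decide whether a policy reload is needed. It assumes GNU `stat` (the `-c '%d:%i'` format) and paths without embedded whitespace; the function names `rbac_snapshot` and `rbac_check_stale` and the snapshot file location are the author's own choices, not anything gradm provides.

```shell
#!/bin/sh
# Added example, not from the original post or from grsecurity/gradm.
# Assumption: grsecurity's RBAC resolves object paths to device:inode pairs at
# policy load, so a path whose filesystem was unmounted and remounted (new
# device number, new inodes) no longer matches its rule until `gradm -R`.
# Requires GNU stat; paths must not contain whitespace.

# Print "path dev:inode" for every argument ("path MISSING" if absent).
# Run this right after `gradm -E`, redirecting the output to a snapshot file.
rbac_snapshot() {
    for p in "$@"; do
        if [ -e "$p" ]; then
            printf '%s %s\n' "$p" "$(stat -c '%d:%i' "$p")"
        else
            printf '%s MISSING\n' "$p"
        fi
    done
}

# Compare a saved snapshot against the live filesystem.
# Prints one STALE line per path whose dev:inode changed.
# Returns 0 if every path still has its recorded identity, 1 otherwise.
rbac_check_stale() {
    snapshot_file=$1
    stale=0
    while read -r p old; do
        if [ -e "$p" ]; then
            new=$(stat -c '%d:%i' "$p")
        else
            new=MISSING
        fi
        if [ "$old" != "$new" ]; then
            printf 'STALE %s was %s now %s\n' "$p" "$old" "$new"
            stale=1
        fi
    done < "$snapshot_file"
    return $stale
}

# Typical use (hypothetical paths from the post; snapshot location is our choice):
#   rbac_snapshot /mnt /mnt/server /mnt/server/dir1 > /var/tmp/rbac-objects.snap
#   ... later, after the sshfs share reconnects or is remounted ...
#   rbac_check_stale /var/tmp/rbac-objects.snap || gradm -R
```

Only paths whose backing filesystem changed identity are reported, so in the post's setup /mnt itself stays stable while /mnt/server and everything under it shows as STALE after a remount; that distinction is what tells you the rule text is fine and only the loaded object identities went stale.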