new gradm and "object does not exist in role default" ?

PostPosted: Sat Nov 26, 2011 11:22 am
by mnalis
I've downloaded gradm-2.2.2-201111011031 and started getting the following warnings, which I do not understand; it worked without warnings in the previous 2.2.2 version (which I think was gradm-2.2.2-201109281554):

Code:
Warning: object does not exist in role :::kernel:::, subject /usr/bin/updatedb for the target of the symlink object /usr/bin/updatedb specified on line 1370 of /etc/grsec/policy
Warning: object does not exist in role :::kernel:::, subject /usr/sbin/a2ensite for the target of the symlink object /usr/sbin/a2ensite specified on line 1370 of /etc/grsec/policy.
Warning: object does not exist in role virtual, subject / for the target of the symlink object /usr/sbin/sendmail specified on line 1017 of /etc/grsec/policy.
Warning: object does not exist in role default, subject / for the target of the symlink object /dev/cdrom specified on line 204 of /etc/grsec/policy.


If I look in the policy, for the ":::kernel:::" warning, line 1370 is the last line in the file (which also happens to be empty)! For the others, it is always an object which happens to be a symlink:

Code:
role default G
subject /
    /               r
    /dev
    [...]
    /dev/fd0 r
    /dev/cdrom      r
    /dev/mem h
    [...]


"/dev/cdrom r" is on line 204, which gradm complains about above.

On disk it looks like this:

Code:
# ls -l /usr/bin/updatedb
lrwxrwxrwx 1 root root 26 Jun  5  2009 /usr/bin/updatedb -> /etc/alternatives/updatedb
# ls -l /etc/alternatives/updatedb
lrwxrwxrwx 1 root root 25 Aug 19 19:17 /etc/alternatives/updatedb -> /usr/bin/updatedb.mlocate
# ls -l /usr/bin/updatedb.mlocate
-rwxr-xr-x 1 root root 36736 Oct 28  2008 /usr/bin/updatedb.mlocate

# ls -l /dev/cdrom
lrwxrwxrwx 1 root root 3 Jan 23  2009 /dev/cdrom -> hdd
# ls -l /dev/hdd 
brw-rw---- 1 root disk 22, 64 Mar 14  2002 /dev/hdd


Any idea what changed and what I need to fix (or whether this is a new bug in gradm)?
Thanks

Re: new gradm and "object does not exist in role default" ?

PostPosted: Sat Nov 26, 2011 7:29 pm
by spender
Can you list for me all the places that that updatedb path appears in your policy? Since a recent gradm, we no longer auto-add objects for the targets of symlinks -- you should add an object for the target manually.

-Brad

Re: new gradm and "object does not exist in role default" ?

PostPosted: Sat Nov 26, 2011 10:15 pm
by mnalis
updatedb is mentioned only under role default, at line 422:

Code:
subject /usr/bin/updatedb
        /dev/log rw
        /lib/modules r
        /boot   r


So I should replace that with "subject /usr/bin/updatedb.mlocate" instead, correct? Or must I now have subjects for both "/usr/bin/updatedb" (that the cron script runs) and "/usr/bin/updatedb.mlocate" (and maybe even "/etc/alternatives/updatedb")?

Also, what about udev auto-generated stuff like /dev/cdrom -> /dev/hdd? Those may change names between reboots (not this specific one, as it is currently PATA which will probably stay the same name; but it probably will be SATA in the future which would easily do such things). Should I just allow /dev/[sh]d* in grsec MAC and rely only on udev setting DAC?

Re: new gradm and "object does not exist in role default" ?

PostPosted: Sun Nov 27, 2011 2:27 pm
by spender
The error had to do with the auto-adding of objects for subjects with symlinked paths. It should be resolved in the latest gradm in CVS.

A diff is available here:
http://cvsweb.grsecurity.net/index.cgi/ ... 22;r2=1.23

-Brad

Re: new gradm and "object does not exist in role default" ?

PostPosted: Sun Nov 27, 2011 7:38 pm
by mnalis
I've applied the diff, and :::kernel::: lines are gone, but I still get warnings like:

Code:
Warning: object does not exist in role virtual, subject / for the target of the symlink object /usr/bin/locate specified on line 998 of /etc/grsec/policy.
Warning: object does not exist in role virtual, subject / for the target of the symlink object /usr/sbin/sendmail specified on line 955 of /etc/grsec/policy.


I'll assume (due to your first reply) that the bug was just related to "role :::kernel:::" lines, that these "role virtual" warnings are to be expected in newer gradm versions, and that I must always add symlink destinations in the policy from now on.

(please let me know if I got that wrong)

Thanks for the fix!
Matija

Re: new gradm and "object does not exist in role default" ?

PostPosted: Sun Nov 27, 2011 8:09 pm
by spender
That's correct. The bug here was that I was auto-adding symlink objects for symlink subjects. Symlinks are no longer automatically followed for objects, so you need to add an object for the target of the symlinks manually.

-Brad
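A check for the behaviour Brad describes, added here as an example and not taken from the thread or from gradm itself: it parses a policy fragment, follows every object path that is a symlink hop by hop, and reports each hop (intermediate link or final target) that has no object of its own in the same role and subject, which is what newer gradm warns about instead of auto-adding. The policy fragment and the link table are constructed to mirror what mnalis posted; the `readlink` parameter is an assumption that lets the check run on a real filesystem (`os.readlink`) or on that table.

```python
import os

# Constructed policy fragment modelled on the one quoted in the thread, not the poster's real file.
SAMPLE_POLICY = """\
role default G
subject /
    /               r
    /dev/cdrom      r
    /dev/mem        h
subject /usr/bin/updatedb
    /dev/log        rw
    /usr/bin/updatedb x
"""
# Constructed link table standing in for the filesystem; mirrors the ls -l output in the thread.
SAMPLE_LINKS = {
    "/dev/cdrom": "hdd",  # relative target, exactly as ls -l printed it
    "/usr/bin/updatedb": "/etc/alternatives/updatedb",
    "/etc/alternatives/updatedb": "/usr/bin/updatedb.mlocate",
}

def link_hops(path, readlink=os.readlink, limit=40):
    """Every path a symlink chain passes through, in order; readlink must raise OSError/KeyError for non-links."""
    hops = []
    while len(hops) < limit:  # limit guards against symlink loops
        try:
            target = readlink(path)
        except (OSError, KeyError):
            return hops  # not a symlink (or dangling): the chain ends here
        path = os.path.normpath(os.path.join(os.path.dirname(path), target))
        hops.append(path)
    return hops

def missing_link_targets(policy, readlink=os.readlink):
    """(role, subject, object, missing hop, policy line) for each symlink object lacking an object for a hop."""
    objects, role, subject = {}, None, None
    for lineno, line in enumerate(policy.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "role":
            role, subject = tokens[1], None
        elif tokens[0] == "subject":
            subject = tokens[1]
        elif tokens[0].startswith("/") and role and subject:
            objects.setdefault((role, subject), {})[tokens[0]] = lineno
    findings = []
    for (r, s), objs in objects.items():
        for obj, lineno in objs.items():
            findings += [(r, s, obj, hop, lineno) for hop in link_hops(obj, readlink) if hop not in objs]
    return findings
```

Running `missing_link_targets(SAMPLE_POLICY, SAMPLE_LINKS.__getitem__)` lists /dev/hdd for the /dev/cdrom object and both /etc/alternatives/updatedb and /usr/bin/updatedb.mlocate for the updatedb object, i.e. the objects to add by hand; pass `open("/etc/grsec/policy").read()` with the default resolver to run it against a live policy.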