
problem with a symlink warning

PostPosted: Sun Dec 28, 2014 7:10 pm
by jim
Hi;
I'm new so I'm sure this is just something I'm overlooking. (yes, I tried to google for it)

I get the following with gradm -C

Warning: permission for symlink /var/run in role root, subject /sbin/service does not match that of its matching target object /. Symlink is specified on line 173 of /etc/grsec/policy.

I'm not sure what is causing it and could use some help. Relevant parts of my policy are listed below:


###############################################################
role root uG
###############################################################
role_allow_ip 0.0.0.0/32
role_allow_ip 127.0.0.1
role_transitions admin

subject / b {
# Default read/exec
/ rx

# read/exec for /bin
/bin rx

# /boot off-limits
/boot

# read only for /dev
/dev

# Safe stuff to read
/dev/random r
/dev/urandom r

# Read-only for /var
/var r

# Stuff that needs to be writable in /dev
/dev/null rw
/dev/tty rw

# Stuff to hide in /dev
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h

# read only for /etc
/etc r

# Exec'able stuff in /etc
/etc/ld.so.cache rx

# /etc/grsec must be hidden
/etc/grsec hs
/etc/shadow* hs
/etc/ssh h

# Can see into /home
/home
/home/* h

# read/exec for /lib
/lib rx

# read/exec for /opt/etc
/opt rx

# Hide /proc/kcore
/proc/kcore h

# Make /root cd-able, but only allow read access to .bash* files
/root
/root/.bash* r

# Allow append for history file
/root/.bash_history car

/root/profile rwcd

# read/exec for /sbin
/sbin rx

# Tmp
/tmp rwcd

# Tmp
/var/tmp rwcd

# read/exec for /usr
/usr rx

# read/exec for /usr/local
/usr/local rx

# sshd must be started by admin
/usr/sbin/sshd


# Allow read and append for /var/log
/var/log ra

# Crontabs are read-only too
/var/spool/cron r

#stuff to hide
/proc/kallsyms h
/lib/modules h
/proc/modules h
/proc/slabinfo h
/sys h


# Remove lots of capabilities
-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_SYS_CHROOT
-CAP_SYS_BOOT
-CAP_SETFCAP
-CAP_SYSLOG

# Disallow bind'ing or connect'ing
bind disabled
connect disabled
connect 0.0.0.0/0:53 dgram udp
connect ! 0.0.0.0/0:0 dgram udp
connect ! 0.0.0.0/0:1-65535 dgram udp
connect ! 0.0.0.0/0:1-65535 stream tcp

}



# start-stop-daemon
subject /sbin/service {
# Pid dir
/var/run rwcd

+CAP_SYS_PTRACE

bind disabled
connect disabled
}

Re: problem with a symlink warning

PostPosted: Sun Dec 28, 2014 7:49 pm
by spender
Hi Jim,

Most likely, as /var/run is a symlink (probably to /run) you'll want to add a "/run rwcd" line to the /sbin/service subject.

-Brad
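To see why gradm -C compares /var/run against the object "/", here is a simplified model of that check (an added example, not gradm's own code). It assumes grsecurity's most-specific-path object matching, that a subject inherits the objects of the role's default "/" subject, and a constructed symlink map in place of reading the filesystem.

```python
# Simplified model of the gradm -C symlink check discussed in this thread.
# Added example, not gradm's own code. Assumptions: objects are matched by the
# longest path prefix; a subject inherits the default "/" subject's objects
# unless it defines a more specific one; the symlink->target map is constructed
# inline instead of being read from the filesystem (globs and 'h' are ignored).
from typing import Dict, List, Optional, Tuple

# Excerpt of the role's default "subject / b" objects from the policy above.
DEFAULT_SUBJECT = {"/": "rx", "/var": "r", "/tmp": "rwcd", "/var/tmp": "rwcd"}
# The "subject /sbin/service" objects from the policy above.
SERVICE_SUBJECT = {"/var/run": "rwcd"}
# Constructed: what the filesystem reports for the symlink in question.
SYMLINKS = {"/var/run": "/run"}


def matching_object(path: str, objects: Dict[str, str]) -> Optional[str]:
    """Return the object governing `path`: the longest object path that is
    `path` itself or one of its parent directories."""
    best = None
    for obj in objects:
        if path == obj or path.startswith(obj.rstrip("/") + "/"):
            if best is None or len(obj) > len(best):
                best = obj
    return best


def effective_objects(subject: Dict[str, str]) -> Dict[str, str]:
    """Objects visible to a subject: the default subject's, overridden by its own."""
    merged = dict(DEFAULT_SUBJECT)
    merged.update(subject)
    return merged


def symlink_warnings(subject: Dict[str, str],
                     symlinks: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """For each symlink the subject lists as an object, compare its mode with the
    mode of the object that matches the link target; mismatches are warnings."""
    objects = effective_objects(subject)
    warnings = []
    for link, target in symlinks.items():
        if link not in subject:
            continue
        target_obj = matching_object(target, objects)
        link_mode, target_mode = objects[link], objects[target_obj]
        if set(link_mode) != set(target_mode):
            warnings.append((link, target_obj, link_mode, target_mode))
    return warnings


if __name__ == "__main__":
    print(symlink_warnings(SERVICE_SUBJECT, SYMLINKS))  # /run falls through to "/ rx"
    fixed = dict(SERVICE_SUBJECT, **{"/run": "rwcd"})   # the "/run rwcd" line suggested above
    print(symlink_warnings(fixed, SYMLINKS))             # no warning
```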

Re: problem with a symlink warning

PostPosted: Sun Dec 28, 2014 8:59 pm
by jim
yup.. that was it.. thanks again