problem with a symlink warning
Posted: Sun Dec 28, 2014 7:10 pm
Hi;
I'm new so I'm sure this is just something I'm overlooking. (yes, I tried to google for it)
I get the following with gradm -C
Warning: permission for symlink /var/run in role root, subject /sbin/service does not match that of its matching target object /. Symlink is specified on line 173 of /etc/grsec/policy.
I'm not sure what is causing it and could use some help. The relevant parts of my policy are listed below:
###############################################################
# Role for uid root. "u": user role; "G": the role may use gradm to
# authenticate to the kernel (needed for the admin transition below).
role root uG
###############################################################
# Where this role may be used from: 0.0.0.0/32 matches only sessions with
# no source IP (local logins), 127.0.0.1 only the loopback interface.
role_allow_ip 0.0.0.0/32
role_allow_ip 127.0.0.1
# The only role reachable from here via gradm -a is admin.
role_transitions admin
# Default subject of role root: any process in the role without a more specific
# subject runs under these objects, and the other subjects in this role (e.g.
# /sbin/service below) inherit these objects unless they set the "o" (override)
# subject mode. A path that has no object of its own in another subject is
# therefore matched by "/ rx" from here.
# "b": enable process accounting for this subject.
subject / b {
# Default read/exec
/ rx
# read/exec for /bin
/bin rx
# /boot off-limits
/boot
# read only for /dev
/dev
# Safe stuff to read
/dev/random r
/dev/urandom r
# Read-only for /var
/var r
# Stuff that needs to be writable in /dev
/dev/null rw
/dev/tty rw
# Stuff to hide in /dev
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
# NOTE(review): hiding /dev/log also hides the syslog socket from every
# process in this subject — confirm that losing syslog here is intended.
/dev/log h
# read only for /etc
/etc r
# Exec'able stuff in /etc
/etc/ld.so.cache rx
# /etc/grsec must be hidden
/etc/grsec hs
/etc/shadow* hs
/etc/ssh h
# Can see into /home
/home
/home/* h
# read/exec for /lib
/lib rx
# read/exec for /opt/etc
/opt rx
# Hide /proc/kcore
/proc/kcore h
# Make /root cd-able, but only allow read access to .bash* files
/root
/root/.bash* r
# Allow append for history file
/root/.bash_history car
# NOTE(review): no leading dot here — confirm this is not meant to be
# /root/.profile (the rwcd mode would then apply to a file that does not exist).
/root/profile rwcd
# read/exec for /sbin
/sbin rx
# Tmp
/tmp rwcd
# Tmp
/var/tmp rwcd
# read/exec for /usr
/usr rx
# read/exec for /usr/local
/usr/local rx
# sshd must be started by admin
/usr/sbin/sshd
# Allow read and append for /var/log
/var/log ra
# Crontabs are read-only too
/var/spool/cron r
#stuff to hide
/proc/kallsyms h
/lib/modules h
/proc/modules h
/proc/slabinfo h
/sys h
# Remove lots of capabilities
-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_SYS_CHROOT
-CAP_SYS_BOOT
-CAP_SETFCAP
-CAP_SYSLOG
# Disallow bind'ing or connect'ing
bind disabled
# NOTE(review): "connect disabled" is followed by explicit connect rules;
# confirm gradm accepts the combination — the apparent intent is to allow
# only outbound UDP/53 (DNS) and nothing else.
connect disabled
connect 0.0.0.0/0:53 dgram udp
connect ! 0.0.0.0/0:0 dgram udp
connect ! 0.0.0.0/0:1-65535 dgram udp
connect ! 0.0.0.0/0:1-65535 stream tcp
}
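# start-stop-daemon
subject /sbin/service {
# Pid dir. gradm -C warns here because /var/run is a symlink on this system
# and its target has no object of its own in this subject: the symlink is
# rwcd while the target falls back to "/ rx" inherited from the default
# subject. The target directory must carry the same mode as the symlink.
# /run is the usual target — verify with `readlink -f /var/run` and adjust
# the path below if it differs.
/var/run rwcd
/run rwcd
# NOTE(review): CAP_SYS_PTRACE is re-granted here although the default
# subject drops it — confirm the service script really needs to ptrace.
+CAP_SYS_PTRACE
bind disabled
connect disabled
}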
I'm new so I'm sure this is just something I'm overlooking. (yes, I tried to google for it)
I get the following with gradm -C
Warning: permission for symlink /var/run in role root, subject /sbin/service does not match that of its matching target object /. Symlink is specified on line 173 of /etc/grsec/policy.
I'm not sure what is causing it and could use some help. The relevant parts of my policy are listed below:
###############################################################
# Role for uid root. "u": user role; "G": the role may use gradm to
# authenticate to the kernel (needed for the admin transition below).
role root uG
###############################################################
# Where this role may be used from: 0.0.0.0/32 matches only sessions with
# no source IP (local logins), 127.0.0.1 only the loopback interface.
role_allow_ip 0.0.0.0/32
role_allow_ip 127.0.0.1
# The only role reachable from here via gradm -a is admin.
role_transitions admin
# Default subject of role root: any process in the role without a more specific
# subject runs under these objects, and the other subjects in this role (e.g.
# /sbin/service below) inherit these objects unless they set the "o" (override)
# subject mode. A path that has no object of its own in another subject is
# therefore matched by "/ rx" from here.
# "b": enable process accounting for this subject.
subject / b {
# Default read/exec
/ rx
# read/exec for /bin
/bin rx
# /boot off-limits
/boot
# read only for /dev
/dev
# Safe stuff to read
/dev/random r
/dev/urandom r
# Read-only for /var
/var r
# Stuff that needs to be writable in /dev
/dev/null rw
/dev/tty rw
# Stuff to hide in /dev
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
# NOTE(review): hiding /dev/log also hides the syslog socket from every
# process in this subject — confirm that losing syslog here is intended.
/dev/log h
# read only for /etc
/etc r
# Exec'able stuff in /etc
/etc/ld.so.cache rx
# /etc/grsec must be hidden
/etc/grsec hs
/etc/shadow* hs
/etc/ssh h
# Can see into /home
/home
/home/* h
# read/exec for /lib
/lib rx
# read/exec for /opt/etc
/opt rx
# Hide /proc/kcore
/proc/kcore h
# Make /root cd-able, but only allow read access to .bash* files
/root
/root/.bash* r
# Allow append for history file
/root/.bash_history car
# NOTE(review): no leading dot here — confirm this is not meant to be
# /root/.profile (the rwcd mode would then apply to a file that does not exist).
/root/profile rwcd
# read/exec for /sbin
/sbin rx
# Tmp
/tmp rwcd
# Tmp
/var/tmp rwcd
# read/exec for /usr
/usr rx
# read/exec for /usr/local
/usr/local rx
# sshd must be started by admin
/usr/sbin/sshd
# Allow read and append for /var/log
/var/log ra
# Crontabs are read-only too
/var/spool/cron r
#stuff to hide
/proc/kallsyms h
/lib/modules h
/proc/modules h
/proc/slabinfo h
/sys h
# Remove lots of capabilities
-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_SYS_CHROOT
-CAP_SYS_BOOT
-CAP_SETFCAP
-CAP_SYSLOG
# Disallow bind'ing or connect'ing
bind disabled
# NOTE(review): "connect disabled" is followed by explicit connect rules;
# confirm gradm accepts the combination — the apparent intent is to allow
# only outbound UDP/53 (DNS) and nothing else.
connect disabled
connect 0.0.0.0/0:53 dgram udp
connect ! 0.0.0.0/0:0 dgram udp
connect ! 0.0.0.0/0:1-65535 dgram udp
connect ! 0.0.0.0/0:1-65535 stream tcp
}
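# start-stop-daemon
subject /sbin/service {
# Pid dir. gradm -C warns here because /var/run is a symlink on this system
# and its target has no object of its own in this subject: the symlink is
# rwcd while the target falls back to "/ rx" inherited from the default
# subject. The target directory must carry the same mode as the symlink.
# /run is the usual target — verify with `readlink -f /var/run` and adjust
# the path below if it differs.
/var/run rwcd
/run rwcd
# NOTE(review): CAP_SYS_PTRACE is re-granted here although the default
# subject drops it — confirm the service script really needs to ptrace.
+CAP_SYS_PTRACE
bind disabled
connect disabled
}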