RBAC Denies - Help with Policy Please
Posted: Tue Jan 20, 2015 4:00 pm
I like to think I've got a fairly good handle on the RBAC and how it works, policies, inheritance etc.
But there are two issues (basically the same issue twice) that I can't figure out how to fix.
I get the following in my logs every morning when cron runs:
Code:
grsec: From X.X.X.X: (man:U:/) denied access to hidden file /bin/dash by /sbin/start-stop-daemon[start-stop-daem:17759] uid/euid:6/6 gid/egid:12/12, parent /etc/cron.daily/man-db[man-db:17751] uid/euid:0/0 gid/egid:0/0
grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /bin/dash by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119
grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /bin/dash by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119
grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /etc/locale.alias by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119
This is my current role (in its entirety) for the man role:
Code:
role man u
# Role: man
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/dash ol {
/ h
-CAP_ALL
bind disabled
connect disabled
}
# Role: man
subject /etc/cron.daily o {
/
/bin h
/bin/dash xi
/boot h
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/port h
/etc h
/etc/ld.so.cache r
/etc/locale.alias r
/etc/manpath.config r
/etc/nsswitch.conf r
/etc/passwd r
/lib rxi
/lib/modules h
/lib64/modules h
/proc h
/proc/meminfo r
/sys h
/usr
/usr/bin h
/usr/bin/find xi
/usr/bin/mandb xi
/usr/bin/xargs xi
/sbin/start-stop-daemon xi
/usr/lib rxi
/usr/local
/usr/local/share
/usr/local/share/man
/usr/src h
/var h
/var/cache/man rwcd
-CAP_ALL
+PAX_MPROTECT
+PAX_PAGEEXEC
+PAX_RANDMMAP
RES_CRASH 1 30m
bind disabled
connect disabled
}
Why can't start-stop-daemon see /bin/dash? The subject should catch /etc/cron.daily/man-db. Within the subject, execute (with inheritance) is allowed for start-stop-daemon, which means that the same subject should be used for executing /bin/dash (which is allowed with execute).
You can see I even tried setting up learning for /bin/dash but still this error was generated.
Similar for the debian-spamd user (again the role in its entirety):
Code:
role debian-spamd u
# Role: debian-spamd
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/dash ol {
/ h
-CAP_ALL
bind disabled
connect disabled
}
# Role: debian-spamd
subject /etc/cron.daily o {
/
/bin
/bin/dash xi
/boot h
/dev h
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow- h
/etc/ssh h
/lib rxi
/lib/modules h
/lib64/modules h
/proc
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/run h
/run/resolvconf/resolv.conf r
/sys h
/tmp rwcd
/usr h
/usr/bin
/usr/bin/perl xi
/usr/bin/sa-update rxi
/usr/games
/usr/lib rxi
/usr/local h
/usr/local/bin
/usr/local/games
/usr/share r
/var h
/var/lib/spamassassin/ rwcda
-CAP_ALL
bind disabled
connect 127.0.0.1/32:53 dgram udp
connect 0.0.0.0/32:53 dgram udp
sock_allow_family ipv6 netlink
}
I can't see how /bin/su is allowed to be executed?
What I think it might be related to is the root role and its /etc/cron.daily subject:
Code:
# Role: root
subject /etc/cron.daily odspkA {
user_transition_allow man debian-spamd
group_transition_allow man debian-spamd
/
/bin rxi
/boot
/boot/grub
/dev
/dev/grsec h
/dev/kmem h
/dev/log rw
/dev/mem h
/dev/null rw
/dev/port h
/dev/tty rw
/dev/urandom r
/etc rxi
/etc/gshadow- h
/etc/samba/smbpasswd h
/etc/shadow- h
/home
/lib rxi
/lib/modules h
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/run
/run/dbus/system_bus_socket rw
/run/mysqld/mysqld.sock rw
/run/rsyslogd.pid r
/run/utmp r
/sbin
/sbin/runlevel xi
/sbin/start-stop-daemon xi
/srv
/usr
/usr/bin rxi
/usr/include
/usr/include/libxml2
/usr/lib rxi
/usr/sbin rxi
/usr/share r
/var
/var/backups rwcd
/var/cache w
/var/cache/apache2
/var/cache/apt w
/var/cache/apt/archives
/var/cache/apt/pkgcache.bin* rwcd
/var/cache/apt/srcpkgcache.bin r
/var/cache/man
/var/lib r
/var/lib/dpkg rw
/var/lib/ghostscript
/var/lib/imapproxy
/var/lib/logrotate
/var/lib/logrotate/status rw
/var/lib/mlocate
/var/lib/mlocate/daily.lock wcd
/var/lib/mlocate/mlocate.db* rwcd
/var/lib/mysql
/var/lib/prosody
/var/lib/spamassassin
/var/lib/tex-common
/var/lib/ucf
/var/lib/vim
/var/log rwcdl
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_PACCT
bind disabled
connect disabled
}
Is it related to the user_transition_allow statements?
Can someone help me with the policy changes I need to get these cron tasks to run without error?
Many thanks!
Tim
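As an added example that is not part of Tim's post: a small parser for the grsec denial lines quoted above. The `(man:U:/)` field records the role name, the role type (U = user role) and the subject path the kernel applied, so it is the first thing to check when a deny is unexpected; the helper pulls that out together with the parent/child uids. Function names and the triage fields are my own, and only the "denied access to hidden file" message shape is handled.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Shape of the grsec RBAC "hidden file" denial as quoted in the post.
# Assumption: other grsec message types are not handled and yield None.
DENIAL_RE = re.compile(
    r"grsec: From (?P<src>\S+): "
    r"\((?P<role>[^:)]+):(?P<roletype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<obj>\S+) "
    r"by (?P<exe>\S+)\[(?P<comm>[^\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+)\[(?P<pcomm>[^\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)"
)

# The four log lines from the post (IP redacted there as X.X.X.X).
SAMPLE_LOG = [
    "grsec: From X.X.X.X: (man:U:/) denied access to hidden file /bin/dash by /sbin/start-stop-daemon[start-stop-daem:17759] uid/euid:6/6 gid/egid:12/12, parent /etc/cron.daily/man-db[man-db:17751] uid/euid:0/0 gid/egid:0/0",
    "grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /bin/dash by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119",
    "grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /bin/dash by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119",
    "grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /etc/locale.alias by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119",
]


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one denial line, or None if it is not one."""
    m = DENIAL_RE.search(line)
    return m.groupdict() if m else None


def triage(rec: Dict[str, str]) -> Dict[str, object]:
    """The facts a policy author needs first: which role/subject actually applied,
    whether it was the role's catch-all "/" subject, and whether the effective uid
    differs from the parent's (i.e. a uid transition happened before the deny)."""
    return {
        "role": rec["role"],
        "subject": rec["subject"],
        "catch_all_subject": rec["subject"] == "/",
        "exe": rec["exe"],
        "object": rec["obj"],
        "uid_changed_from_parent": rec["euid"] != rec["peuid"],
    }


def summarize(lines: List[str]) -> List[Tuple[str, int]]:
    """One summary per distinct deny, with how often it repeated, in first-seen order."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue  # not a hidden-file denial; skip
        t = triage(rec)
        subj = "catch-all '/' subject" if t["catch_all_subject"] else f"subject {t['subject']}"
        uid = f"euid {rec['peuid']}->{rec['euid']}" if t["uid_changed_from_parent"] else "no uid change"
        counts[f"role {t['role']}: {t['exe']} denied {t['object']} under {subj}; {uid}"] += 1
    return list(counts.items())
```

Every deny in the post was recorded under subject "/" after the euid changed from 0, which is the detail to reconcile against the role's subject list.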