
RBAC Denies - Help with Policy Please

Posted: Tue Jan 20, 2015 4:00 pm
by tjh
I like to think I've got a fairly good handle on the RBAC and how it works, policies, inheritance etc.
But there are two issues (basically the same issue twice) that I can't figure out how to fix.

I get the following in my logs every morning when cron runs:
grsec: From X.X.X.X: (man:U:/) denied access to hidden file /bin/dash by /sbin/start-stop-daemon[start-stop-daem:17759] uid/euid:6/6 gid/egid:12/12, parent /etc/cron.daily/man-db[man-db:17751] uid/euid:0/0 gid/egid:0/0
grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /bin/dash by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119
grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /bin/dash by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119
grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /etc/locale.alias by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119


This is my current role (in its entirety) for the man role:
role man u
# Role: man
subject /  {
        /                               h
        -CAP_ALL
        bind    disabled
        connect disabled
}

subject /bin/dash ol {
        /                               h
        -CAP_ALL
        bind    disabled
        connect disabled
}

# Role: man
subject /etc/cron.daily o {
        /
        /bin                            h
        /bin/dash                       xi
        /boot                           h
        /dev/grsec                      h
        /dev/kmem                       h
        /dev/log                        h
        /dev/mem                        h
        /dev/port                       h
        /etc                            h
        /etc/ld.so.cache                r
        /etc/locale.alias               r
        /etc/manpath.config             r
        /etc/nsswitch.conf              r
        /etc/passwd                     r
        /lib                            rxi
        /lib/modules                    h
        /lib64/modules                  h
        /proc                           h
        /proc/meminfo                   r
        /sys                            h
        /usr
        /usr/bin                        h
        /usr/bin/find                   xi
        /usr/bin/mandb                  xi
        /usr/bin/xargs                  xi
        /sbin/start-stop-daemon         xi
        /usr/lib                        rxi
        /usr/local
        /usr/local/share
        /usr/local/share/man
        /usr/src                        h
        /var                            h
        /var/cache/man                  rwcd
        -CAP_ALL
        +PAX_MPROTECT
        +PAX_PAGEEXEC
        +PAX_RANDMMAP
        RES_CRASH 1 30m
        bind    disabled
        connect disabled
}


Why can't start-stop-daemon see /bin/dash? The subject should catch /etc/cron.daily/man-db. Within the subject, execute (with inheritance) is allowed for start-stop-daemon, which means that the same subject should be used for executing /bin/dash (which is allowed with execute).

You can see I even tried setting up learning for /bin/dash but still this error was generated.

Similar for the debian-spamd user (again the role in its entirety):
role debian-spamd u
# Role: debian-spamd
subject /  {
        /                               h
        -CAP_ALL
        bind    disabled
        connect disabled
}

subject /bin/dash ol {
        /                               h
        -CAP_ALL
        bind    disabled
        connect disabled
}

# Role: debian-spamd
subject /etc/cron.daily o {
        /
        /bin
        /bin/dash                       xi
        /boot                           h
        /dev                            h
        /dev/urandom                    r
        /etc                            r
        /etc/grsec                      h
        /etc/gshadow                    h
        /etc/gshadow-                   h
        /etc/ppp                        h
        /etc/samba/smbpasswd            h
        /etc/shadow-                    h
        /etc/ssh                        h
        /lib                            rxi
        /lib/modules                    h
        /lib64/modules                  h
        /proc
        /proc/bus                       h
        /proc/kallsyms                  h
        /proc/kcore                     h
        /proc/modules                   h
        /proc/slabinfo                  h
        /proc/sys                       h
        /run                            h
        /run/resolvconf/resolv.conf     r
        /sys                            h
        /tmp                            rwcd
        /usr                            h
        /usr/bin
        /usr/bin/perl                   xi
        /usr/bin/sa-update              rxi
        /usr/games
        /usr/lib                        rxi
        /usr/local                      h
        /usr/local/bin
        /usr/local/games
        /usr/share                      r
        /var                            h
        /var/lib/spamassassin/          rwcda
        -CAP_ALL
        bind    disabled
        connect 127.0.0.1/32:53 dgram udp
        connect 0.0.0.0/32:53 dgram udp
        sock_allow_family ipv6 netlink
}


I can't see how /bin/su is allowed to be executed?

What I think it might be related to is the Root Role and its /etc/cron.daily subject:
# Role: root
subject /etc/cron.daily odspkA {
user_transition_allow man debian-spamd
group_transition_allow man debian-spamd

        /
        /bin                            rxi
        /boot
        /boot/grub
        /dev
        /dev/grsec                      h
        /dev/kmem                       h
        /dev/log                        rw
        /dev/mem                        h
        /dev/null                       rw
        /dev/port                       h
        /dev/tty                        rw
        /dev/urandom                    r
        /etc                            rxi
        /etc/gshadow-                   h
        /etc/samba/smbpasswd            h
        /etc/shadow-                    h
        /home
        /lib                            rxi
        /lib/modules                    h
        /lib64/modules                  h
        /proc                           r
        /proc/bus                       h
        /proc/kallsyms                  h
        /proc/kcore                     h
        /proc/modules                   h
        /proc/slabinfo                  h
        /run
        /run/dbus/system_bus_socket     rw
        /run/mysqld/mysqld.sock         rw
        /run/rsyslogd.pid               r
        /run/utmp                       r
        /sbin
        /sbin/runlevel                  xi
        /sbin/start-stop-daemon         xi
        /srv
        /usr
        /usr/bin                        rxi
        /usr/include
        /usr/include/libxml2
        /usr/lib                        rxi
        /usr/sbin                       rxi
        /usr/share                      r
        /var
        /var/backups                    rwcd
        /var/cache                      w
        /var/cache/apache2
        /var/cache/apt                  w
        /var/cache/apt/archives
        /var/cache/apt/pkgcache.bin*    rwcd
        /var/cache/apt/srcpkgcache.bin  r
        /var/cache/man
        /var/lib                        r
        /var/lib/dpkg                   rw
        /var/lib/ghostscript
        /var/lib/imapproxy
        /var/lib/logrotate
        /var/lib/logrotate/status       rw
        /var/lib/mlocate
        /var/lib/mlocate/daily.lock     wcd
        /var/lib/mlocate/mlocate.db*    rwcd
        /var/lib/mysql
        /var/lib/prosody
        /var/lib/spamassassin
        /var/lib/tex-common
        /var/lib/ucf
        /var/lib/vim
        /var/log                        rwcdl
        -CAP_ALL
        +CAP_CHOWN
        +CAP_DAC_OVERRIDE
        +CAP_DAC_READ_SEARCH
        +CAP_FOWNER
        +CAP_FSETID
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_PACCT
        bind    disabled
        connect disabled
}


Is it related to the user_transition_allow statements?

Can someone help me with the policy changes I need to get these cron tasks to run without error?

Many thanks!

Tim
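An added example, not part of the original post: a parser for denial lines of the shape posted above, grouping them by role, matched subject, executing binary and parent so the failing transitions stand out. The sample lines are the ones from the post (X.X.X.X is the poster's own placeholder); the regex covers only this message shape, not every grsec log format.

```python
import re
from collections import defaultdict

# Constructed sample, copied in shape from the denials posted above
# (X.X.X.X is the poster's own placeholder for the host address).
SAMPLE_LOG = """\
grsec: From X.X.X.X: (man:U:/) denied access to hidden file /bin/dash by /sbin/start-stop-daemon[start-stop-daem:17759] uid/euid:6/6 gid/egid:12/12, parent /etc/cron.daily/man-db[man-db:17751] uid/euid:0/0 gid/egid:0/0
grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /bin/dash by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119
grsec: From X.X.X.X: (debian-spamd:U:/) denied access to hidden file /etc/locale.alias by /bin/su[su:19064] uid/euid:117/117 gid/egid:119/119, parent /bin/su[su:19057] uid/euid:0/0 gid/egid:119/119
"""

# Field layout of the "denied ... <path> by <exe>[comm:pid] ... parent <exe>[comm:pid]" shape above.
DENY_RE = re.compile(
    r"grsec: From (?P<src>\S+): "
    r"\((?P<role>[^:]+):(?P<role_type>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied (?P<action>[a-z ]+?) (?P<path>/\S+) "
    r"by (?P<exe>\S+?)\[(?P<comm>[^\]]*):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+?)\[(?P<pcomm>[^\]]*):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)$"
)
INT_FIELDS = ("pid", "uid", "euid", "gid", "egid", "ppid", "puid", "peuid", "pgid", "pegid")

def parse_denials(text):
    """Return one dict per matching denial line; lines of another shape are skipped."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d.update((k, int(d[k])) for k in INT_FIELDS)
            out.append(d)
    return out

def summarize(denials):
    """Group by (role, matched subject, executing binary, parent binary).
    A matched subject of "/" means the lookup fell back to the role's default
    subject: the role has no subject of its own covering that binary.  A euid
    that differs from the parent's marks the user (and hence role) transition."""
    groups = defaultdict(lambda: {"count": 0, "paths": set(), "transition": False})
    for d in denials:
        g = groups[(d["role"], d["subject"], d["exe"], d["pexe"])]
        g["count"] += 1
        g["paths"].add(d["path"])
        g["transition"] = g["transition"] or d["euid"] != d["peuid"]
    return dict(groups)
```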

Re: RBAC Denies - Help with Policy Please

Posted: Tue Jan 20, 2015 9:49 pm
by spender
When a transition to another role happens, the subject resolved in that other role won't respect inheritance -- it'll be resolved as a normal subject lookup. I may change this so that we first check if there exists a subject in the other role with the same name as the current role and also verify that it contains the same relevant object causing inheritance for the current binary. I'll let you know when I have something to test.

Thanks,
-Brad

Re: RBAC Denies - Help with Policy Please

Posted: Tue Jan 20, 2015 11:11 pm
by tjh
Thanks Brad.

So as a fix for myself in the meantime, I should create subjects for:

/bin/su (for debian-spamd)
/sbin/start-stop-daemon (for man)

Is that the correct thing to do?

Re: RBAC Denies - Help with Policy Please

Posted: Thu Jan 22, 2015 8:25 pm
by spender
Hi,

Can you try https://grsecurity.net/~spender/inherit.diff ?

In the other role, you'll need a subject of the same name which has an object matching the path of the process' associated binary. So for instance, if the binary is /bin/sh which has inherited an /etc/cron.daily subject, then in the other role you'd need at least:
subject /etc/cron.daily o {
        /                               h
        /bin/sh                         xi
}

-Brad
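An added example, not Brad's code and not part of gradm: a minimal reader for gradm-style policy text that applies the rule above, i.e. the role being transitioned to must hold a subject of the same name with an object that resolves to the binary. The policy excerpt is constructed, the parser understands only role, subject and object lines, and requiring the resolved object to be executable and not hidden is my own sanity check, not part of the stated rule.

```python
# Constructed policy excerpt in gradm syntax, not the poster's full policy:
# the "man" role after adding the subject Brad describes for the inherited
# /etc/cron.daily subject of the root role.
POLICY = """\
role man u
subject / {
        /                               h
}
subject /etc/cron.daily o {
        /                               h
        /sbin/start-stop-daemon         xi
}
"""

def parse_roles(text):
    """Minimal reader: role -> {subject name -> {object path -> mode}}.
    Only role, subject and object lines are understood; everything else is skipped."""
    roles, role, subj = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("role "):
            role, subj = line.split()[1], None
            roles[role] = {}
        elif line.startswith("subject "):
            subj = line.split()[1]
            roles[role][subj] = {}
        elif subj is not None and line.startswith("/"):
            parts = line.split()
            roles[role][subj][parts[0]] = parts[1] if len(parts) > 1 else ""
    return roles

def longest_match(objects, path):
    """Resolve as RBAC does: the object whose path is the longest prefix of the
    requested path wins (globs such as /var/cache/apt/pkgcache.bin* are not handled)."""
    hits = [o for o in objects if path == o or path.startswith(o.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def inherit_ok(roles, target_role, subject_name, binary):
    """Brad's rule: the target role must hold a subject of the same name as the
    inherited one, with an object matching the binary.  Requiring that object to
    be executable and not hidden is an added sanity check (assumption)."""
    subjects = roles.get(target_role, {})
    if subject_name not in subjects:
        return False, "role %s has no subject %s" % (target_role, subject_name)
    obj = longest_match(subjects[subject_name], binary)
    mode = subjects[subject_name].get(obj, "")
    if obj is None or "h" in mode or "x" not in mode:
        return False, "%s resolves to %r with mode %r" % (binary, obj, mode)
    return True, obj
```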

Re: RBAC Denies - Help with Policy Please

Posted: Sun Jan 25, 2015 5:25 pm
by tjh
Thanks Brad.

I've booted up a patched kernel and will report back in ~24 hours.

Re: RBAC Denies - Help with Policy Please

Posted: Tue Jan 27, 2015 7:15 pm
by tjh
So the patch certainly fixed the man issue. I have a /sbin/start-stop-daemon in my cron.daily for man as well. So that worked!

But not for the spamd issue. The bigger issue there appears to be that the subject appears to be /bin/su, not /etc/cron.daily (which is actually where it's really being triggered from).

I think I should be able to write a matching /bin/su for spamd though.

Will this patch be included in future patches?