
grsecurity+acls=weird gradm behavior

PostPosted: Wed Apr 24, 2002 11:53 pm
by zwhite
Hi.

I have grsecurity running on a slackware 8 machine, and I'm trying to get my ACLs set up. I can enable ACLs just fine; however, after that I'm unable to run gradm. According to strace, it's segfaulting on the execve() of /sbin/gradm. I get the following message in syslog:

attempt to mmap 66355 2049 executable by (gradm:8254) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)
attempt to mmap 66422 2049 executable by (gradm:8254) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)

However, I can run a copy of gradm that I copied to /var.

root@darkstar:/etc/grsec# cp /sbin/gradm /var
root@darkstar:/etc/grsec# /var/gradm -D
Password: shutdown auth success for (gradm:8259) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)

I have tried it with pax on and off, and with the following in proc.acl:

/sbin/gradm {
/ rwx
/etc/ld.so.cache r
/etc/ld.so.preload r
/lib/libc.so.6 r
/proc/sys/kernel/grsecurity/acl w
}

My file.acl:
/ rwx
/etc r
/etc/rc.d rx
/etc/passwd r
/etc/shadow r
/etc/ld.so.cache rx
/etc/lilo.conf h
/var/log/wtmp rw
/var/log ar
/tmp rw
/etc/grsec hr
/boot r
/lib rx
/usr r
/usr/bin rx
/usr/sbin rx
/usr/lib rx
/usr/local/bin rx
/bin rx
/sbin rx
/dev r
/dev/null rw
/dev/tty rw
/dev/zero rw

Anyone have any ideas?

PostPosted: Thu Apr 25, 2002 12:26 am
by Technion
If I'm reading your ACL set right... your file ACL set hides /etc/grsec.

Wouldn't the process ACL for gradm need to override that?
Just because you have / rwx in the process ACL won't mean it gets around the file ACL.

Try

/etc/grsec wro

To override write-read in the process ACL for gradm.

(Just guessing... no ACLs here)

PostPosted: Thu Apr 25, 2002 1:23 am
by zwhite
Technion wrote: If I'm reading your ACL set right... your file ACL set hides /etc/grsec.

Wouldn't the process ACL for gradm need to override that?
Just because you have / rwx in the process ACL won't mean it gets around the file ACL.


I don't think so. As near as I can tell, gradm talks to /proc/sys/kernel/grsecurity/acl and never needs to touch /etc/grsec. Just as a test, I added '/ orwx' to gradm's entry and got the same behavior. It doesn't seem to be related to file ACLs.

Re: grsecurity+acls=weird gradm behavior

PostPosted: Thu Apr 25, 2002 5:35 am
by PaX Team
zwhite wrote: I have grsecurity running on a slackware 8 machine, and I'm trying to get my ACLs set up. I can enable ACLs just fine; however, after that I'm unable to run gradm. According to strace, it's segfaulting on the execve() of /sbin/gradm. I get the following message in syslog:

attempt to mmap 66355 2049 executable by (gradm:8254) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)
attempt to mmap 66422 2049 executable by (gradm:8254) UID(0) EUID(0), parent (bash:214) UID(0) EUID(0)

I have tried it with pax on and off, and with the following in proc.acl:


These messages came from the ACL system, not PaX ;-) and mean that your program ACL was incorrect.

zwhite wrote:
/sbin/gradm {
/ rwx
/etc/ld.so.cache r
/etc/ld.so.preload r
/lib/libc.so.6 r
/proc/sys/kernel/grsecurity/acl w
}


Read http://grsecurity.net/forums/viewtopic.php?t=44 for this problem. Basically, your program ACL needs to allow execution access to the program file itself; it is not automatically assumed (at least in 1.9.4).

Re: grsecurity+acls=weird gradm behavior

PostPosted: Thu Apr 25, 2002 12:27 pm
by zwhite
PaX Team wrote: These messages came from the ACL system, not PaX ;-) and mean that your program ACL was incorrect.

zwhite wrote:
/sbin/gradm {
/ rwx
/etc/ld.so.cache r
/etc/ld.so.preload r
/lib/libc.so.6 r
/proc/sys/kernel/grsecurity/acl w
}


Read http://grsecurity.net/forums/viewtopic.php?t=44 for this problem. Basically, your program ACL needs to allow execution access to the program file itself; it is not automatically assumed (at least in 1.9.4).


Yeah, you're right. For some reason 'gradm -R' isn't reloading my ACLs. I again removed /sbin/gradm from proc.acl, rebooted, and I'm now able to use gradm. Annoying, and since it's a semi-production machine I can't really go around rebooting it every 5 minutes. This weekend I'll try the latest CVS version and see if I still have the same problem.

Here is your problem

PostPosted: Fri Apr 26, 2002 3:16 am
by michaeld
For gradm you must give gradm 'rx' access to itself.
This is an odd caveat, and I believe it was addressed in
the current ACL documentation. It will not be required for
1.9.5 (it will be added implicitly by the new gradm).
So for example
/bin/foo {
/etc/foo.conf r
/lib/foo_lib rxi
/lib/lib.so.6 rxi
/lib/linux.so6 rxi
/bin/foo rx
/etc/ld.so.conf r
}

^--would be a working ACL. Hope I helped

Michael
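The caveat michaeld describes (a subject block must grant its own binary an explicit 'rx' object, and, as zwhite's first attempt shows, a broad '/ rwx' object did not satisfy it on 1.9.4) is easy to check mechanically before running gradm. The following linter is an added example written for this page; it is not part of gradm, grsecurity, or any post in the thread. It assumes only the proc.acl syntax visible above ('<path> {' opens a subject, '<path> <modes>' is an object line, '}' closes the block) and additionally assumes '#' comments and blank lines are ignored. The sample ACL text is constructed from zwhite's and michaeld's blocks.

```python
"""Lint a gradm 1.9.x-style proc.acl for the self-execute caveat.

Added example, not code from grsecurity or the forum thread. Assumes the
subject/object syntax shown in the posts: '<path> {' opens a subject block,
'<path> <modes>' is an object line, '}' closes the block. Treating '#' as a
comment marker and skipping blank lines is an assumption about the format.
"""
import re

# Constructed sample: zwhite's original /sbin/gradm subject (missing the
# self-exec entry) followed by michaeld's working /bin/foo subject.
SAMPLE_PROC_ACL = """\
/sbin/gradm {
/ rwx
/etc/ld.so.cache r
/etc/ld.so.preload r
/lib/libc.so.6 r
/proc/sys/kernel/grsecurity/acl w
}

/bin/foo {
/etc/foo.conf r
/lib/foo_lib rxi
/lib/lib.so.6 rxi
/lib/linux.so6 rxi
/bin/foo rx
/etc/ld.so.conf r
}
"""

_SUBJECT_RE = re.compile(r"^(\S+)\s*\{$")
_OBJECT_RE = re.compile(r"^(\S+)\s+([a-z]+)$")


def parse_proc_acl(text):
    """Return {subject_path: {object_path: modes}} in file order."""
    subjects = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if current is None:
            m = _SUBJECT_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected '<path> {{', got {raw!r}")
            current = m.group(1)
            subjects[current] = {}
        elif line == "}":
            current = None
        else:
            m = _OBJECT_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected '<path> <modes>', got {raw!r}")
            subjects[current][m.group(1)] = m.group(2)
    if current is not None:
        raise ValueError(f"unterminated subject block for {current}")
    return subjects


def missing_self_exec(subjects):
    """Subjects that have no explicit '<self> ...r...x...' object line.

    Deliberately strict: a broad object such as '/ rwx' is NOT counted,
    because the thread shows it did not let /sbin/gradm execute itself
    on grsecurity 1.9.4. Only an exact object entry for the binary passes.
    """
    bad = []
    for subject, objects in subjects.items():
        modes = objects.get(subject, "")
        if "r" not in modes or "x" not in modes:
            bad.append(subject)
    return bad


def render_proc_acl(subjects):
    """Serialize the parsed structure back into proc.acl syntax."""
    blocks = []
    for subject, objects in subjects.items():
        lines = [f"{subject} {{"]
        lines += [f"{path} {modes}" for path, modes in objects.items()]
        lines.append("}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def add_self_exec(text):
    """Return proc.acl text with an 'rx' self-entry added where it is missing.

    Any modes already granted on the binary are kept; only the absent
    letters among 'r' and 'x' are appended.
    """
    subjects = parse_proc_acl(text)
    for subject in missing_self_exec(subjects):
        existing = subjects[subject].get(subject, "")
        subjects[subject][subject] = existing + "".join(
            c for c in "rx" if c not in existing)
    return render_proc_acl(subjects)


if __name__ == "__main__":
    for s in missing_self_exec(parse_proc_acl(SAMPLE_PROC_ACL)):
        print(f"subject {s} lacks an explicit '{s} rx' object line")
    print(add_self_exec(SAMPLE_PROC_ACL))
```

Run it against the constructed sample and it reports only /sbin/gradm, then prints the same file with '/sbin/gradm rx' appended inside that block, which is the fix PaX Team and michaeld describe. Point it at a real proc.acl before 'gradm -E' and any subject it lists is one whose binary will be refused its own mmap, exactly the "attempt to mmap ... executable" log line from the first post.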