Grsec 2.0rc3 acl's have issues?
Posted: Thu Oct 02, 2003 6:14 pm
Hi all
Noticed a few oddities with 2.0rc3, wondering if anyone can help with this:
A) Docs? The ACLs from the 1.9 series do not work well on it.
B) Apparently you can't include a directory of ACLs anymore;
they all have to be specified now? Why?
C) Inheritance doesn't appear to work, unless I am missing something. Here is an example:
Default ACL(s)
==========
role admin sA
subject / {
    / rwcdmxi
}

role default G
role_transitions admin
subject / {
    / r
    /opt rx
    /www x
    /home rwx
    /mnt rw
    /dev
    /dev/grsec h
    /dev/urandom r
    /dev/random r
    /dev/zero rw
    /dev/input rw
    /dev/psaux rw
    /dev/null rw
    /dev/tty? rw
    /dev/console rw
    /dev/tty rw
    /dev/ttyp? rw
    /dev/pts rw
    /dev/ptmx rw
    /dev/dsp rw
    /dev/mixer rw
    /dev/fd0 r
    /dev/cdrom r
    /dev/mem h
    /dev/kmem h
    /dev/port h
    /bin rx
    /sbin rx
    /lib rx
    /usr rx
    /etc rx
    /etc/ssh h
    /proc rwx
    /proc/kcore h
    /proc/sys r
    /root r
    /tmp rw
    /var rwx
    /var/tmp rw
    /var/log r
    /var/qmail rx
    /var/qmail/queue x
    /var/qmail/bin rx
    /boot h
    /etc/grsec h
    /etc/accounts.db

    RES_CPU unlimited unlimited
    RES_FSIZE unlimited unlimited
    RES_DATA unlimited unlimited
    RES_STACK unlimited unlimited
    RES_CORE unlimited unlimited
    RES_RSS unlimited unlimited
    RES_NPROC unlimited unlimited
    RES_MEMLOCK unlimited unlimited
    RES_AS unlimited unlimited
    RES_LOCKS unlimited unlimited

    -CAP_SYS_TTY_CONFIG
    -CAP_LINUX_IMMUTABLE
    -CAP_NET_RAW
    -CAP_MKNOD
    -CAP_SYS_ADMIN
    -CAP_SYS_RAWIO
    -CAP_SYS_MODULE
    -CAP_SYS_PTRACE
    -CAP_NET_ADMIN
    -CAP_NET_BIND_SERVICE
    -CAP_SYS_CHROOT
}

subject /usr/sbin/crond {
    /dev/log rw
    /var/spool/cron rwx
    /var/spool/cron/* rwx
}
** I try the above with / r at the end or beginning, and an o flag, and the ACLs ** won't load.
I get this in the log:
Oct 2 16:10:01 ascension kernel: grsec: denied create of /var/spool/cron/cron.root.99 for writing by /usr/sbin/crond[crond:99] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
And with crontab:
subject /usr/bin/crontab {
/var/spool/cron rwxcd
/lib rx
}
And I get this running it:
Oct 2 16:21:48 ascension kernel: grsec: From 207.216.246.118: denied create of /var/spool/cron/crontab.30282 for reading writing by /usr/bin/crontab[crontab:30282] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:28437] uid/euid:0/0 gid/egid:0/0
Can anyone shed some light on this? I think I'm missing some fundamental understanding of the 2.0 ACLs. Help?
Thanks!
Dale.
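The two denials quoted above are the raw material for tuning any 2.0 ACL, so here is an added example (not from the original post or from grsecurity) that parses grsec denial lines into fields and summarizes, per subject binary and object directory, which object mode letters the denied operations would have needed. The sample log lines are constructed after the quoted ones with a documentation source IP, and the word-to-mode table only covers the operation and access words that appear in them.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the denials quoted in the post (documentation IP).
SAMPLE_LOG = """\
Oct 2 16:10:01 ascension kernel: grsec: denied create of /var/spool/cron/cron.root.99 for writing by /usr/sbin/crond[crond:99] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Oct 2 16:21:48 ascension kernel: grsec: From 203.0.113.7: denied create of /var/spool/cron/crontab.30282 for reading writing by /usr/bin/crontab[crontab:30282] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:28437] uid/euid:0/0 gid/egid:0/0
Oct 2 16:22:03 ascension kernel: unrelated message that must be ignored
"""

# Optional "From <ip>:" (remote session), op + object path, access, then actor and parent as path[comm:pid].
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: grsec: "
    r"(?:From (?P<src>[\d.]+): )?denied (?P<op>\w+) of (?P<path>\S+) "
    r"for (?P<access>[\w ]+?) by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

# Words from the quoted denials -> grsec object mode letters (c create, w write, r read).
MODE_WORDS = {"create": "c", "writing": "w", "reading": "r"}

@dataclass
class Denial:
    src: object      # remote IP string, or None for a local session
    op: str          # e.g. "create"
    path: str        # object the subject was denied on
    access: tuple    # e.g. ("reading", "writing")
    exe: str         # subject binary, as the ACL names it
    pid: int
    parent_exe: str

    @property
    def requested_modes(self) -> str:
        words = (self.op,) + self.access  # mode letters the denied op would have needed
        return "".join(sorted({MODE_WORDS[w] for w in words if w in MODE_WORDS}))

def parse_grsec_denials(text: str) -> list:
    """One Denial per grsec 'denied' line; other kernel messages are skipped."""
    return [Denial(m["src"], m["op"], m["path"], tuple(m["access"].split()),
                   m["exe"], int(m["pid"]), m["pexe"])
            for m in map(DENY_RE.match, text.splitlines()) if m]

def summarize_by_subject(denials) -> dict:
    """(subject binary, object directory) -> union of mode letters it lacked."""
    need = {}
    for d in denials:
        key = (d.exe, d.path.rsplit("/", 1)[0] or "/")
        need[key] = "".join(sorted(set(need.get(key, "")) | set(d.requested_modes)))
    return need
```

Run against a real syslog extract, the summary tells you which subject block and object path to look at before touching the ACL, and whether the missing piece is a create (c) bit rather than plain w.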