Problem with RBAC learning starting at boot time

Postby countermode » Thu Oct 09, 2014 5:46 pm

Hello, I have a similar issue to this one: http://forums.grsecurity.net/viewtopic.php?f=5&t=4056#p14499.

I want to start RBAC at boot time. Thus I started learning at boot time. I noticed that the default learn_config says
inherit-learn /etc/init.d
which will assign all permissions for every system service ever started from /etc/init.d to /etc/init.d. Bad idea. So I disabled this directive which got me almost what I wanted. In order to refine the rule set I tried to enable partial learning at boot time (/sbin/gradm -E -L ...). RBAC is started after the general system setup (mounting disks, starting udev etc.) but before any services (cron, syslog, sshd etc). However...

# gradm -D
<correct password>
Invalid password.
# gradm -a admin
<correct password>
Invalid password
# gradm -S
The /dev/grsec device is not properly installed on your system or you are not using a grsecurity kernel.


Brad, what's going on here?
countermode
 
Posts: 27
Joined: Mon Sep 16, 2013 6:59 pm

Re: Problem with RBAC learning starting at boot time

Postby spender » Thu Oct 09, 2014 6:13 pm

Did you perform it as root, and did the root role have the "G" flag?

Did you also ensure that there was no subject created for bash (there shouldn't be if you didn't perform administrative actions as root)?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
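Brad's two questions can be answered mechanically from the policy file. The following is an added example (not gradm's own code and not posted by either participant): a small Python checker that parses the subset of the policy grammar visible in this thread (role, role_transitions, subject blocks, comments) and reports whether role root carries the G flag, whether it is allowed to transition to the admin special role, and whether a subject was learned for an interactive shell. The list of shell paths and the two sample policies are constructed assumptions.

```python
"""Policy sanity checker for the grsecurity RBAC questions raised in this thread.

Added example, not gradm's own code: it parses the policy subset visible here
(role / role_transitions / subject blocks, comments) and reports whether role
root carries the G flag, whether it may transition to the admin special role,
and whether a subject was learned for an interactive shell.
"""
from dataclasses import dataclass, field

# Assumption: these are the shell paths a learned policy should not contain a
# subject for when no administrative actions were taken as root.
SHELL_PATHS = ("/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash")


@dataclass
class Role:
    name: str
    flags: str
    transitions: list = field(default_factory=list)
    subjects: dict = field(default_factory=dict)   # subject path -> subject flags


def parse_policy(text):
    """Return {role name: Role} for a policy text; object lines inside subjects are skipped."""
    roles, current, in_subject = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if not line:
            continue
        if in_subject:
            # object, capability and socket lines are not needed for these checks;
            # an opening brace on its own line is simply skipped as well
            if line == "}":
                in_subject = False
            continue
        parts = line.split()
        if parts[0] == "role":
            current = Role(parts[1], parts[2] if len(parts) > 2 else "")
            roles[current.name] = current
        elif parts[0] == "role_transitions" and current is not None:
            current.transitions.extend(parts[1:])
        elif parts[0] == "subject" and current is not None:
            tokens = [t for t in parts[1:] if t != "{"]   # "subject <path> [flags] {"
            current.subjects[tokens[0]] = "".join(tokens[1:])
            in_subject = True
    return roles


def check_root_role(roles):
    """Return a list of findings (empty when the policy passes the three checks)."""
    root = roles.get("root")
    if root is None:
        return ["no root role defined"]
    findings = []
    if "G" not in root.flags:
        findings.append("role root lacks the G flag, so gradm cannot authenticate from it")
    if "admin" not in root.transitions:
        findings.append("role root has no role_transitions entry for the admin role")
    for path in root.subjects:
        if path in SHELL_PATHS:
            findings.append(f"subject learned for shell {path}")
    return findings


# Constructed sample mirroring the snippet countermode posted, plus one service subject.
GOOD_POLICY = """\
role root uG
role_transitions admin shutdown
subject /  {
\t/\t\t\th
\t-CAP_ALL
\tconnect disabled
\tbind disabled
}

subject /lib/systemd/systemd-udevd o {
\t/dev\t\trw
}
"""

# Constructed counter-example: no G flag, no admin transition, and a bash subject.
BAD_POLICY = """\
role root u
subject /
{
\t/ h
}
subject /bin/bash o {
\t/ rwx
}
"""

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, check_root_role(parse_policy(policy)) or ["ok"])
```

Run it against a learned policy (for example by reading /etc/grsec/policy into parse_policy) before enabling it: an empty findings list means the role root is in the shape Brad describes, and a "subject learned for shell" finding points at the condition he says should not occur when no administrative work was done as root during learning.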

Re: Problem with RBAC learning starting at boot time

Postby countermode » Thu Oct 09, 2014 7:41 pm

Did you perform it as root?

yes

and did the root role have the "G" flag?

yes:
role root uG
role_transitions admin shutdown
subject /  {
...

and /dev/grsec is hidden.

Did you also ensure that there was no subject created for bash (there shouldn't be if you didn't perform administrative actions as root)?

There's no subject for bash, just for /, some services, and some commands that were called from a script.
countermode
 
Posts: 27
Joined: Mon Sep 16, 2013 6:59 pm

Re: Problem with RBAC learning starting at boot time

Postby spender » Thu Oct 09, 2014 7:50 pm

Do you have any of the kernel logs showing the attempts to use gradm?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problem with RBAC learning starting at boot time

Postby countermode » Sun Oct 12, 2014 7:41 pm

Hello Brad, sorry for answering so late.

Do you have any of the kernel logs showing the attempts to use gradm?

There are none.

When I try to call gradm -E, then gradm complains
Warning: You have enabled some form of learning on the subject for /lib/systemd/systemd-udevd in role root.  You have not used -L on the command line however.

When I instead try something like gradm -E -L l.log, then I get
Error opening /dev/grsec:
Device or resource busy
countermode
 
Posts: 27
Joined: Mon Sep 16, 2013 6:59 pm


Return to RBAC policy development