Problems using grsecurity-1.9.7-rc[123] with 2.4.19


Post by virtual » Sun Sep 01, 2002 11:30 am

Hi

While trying grsecurity I stumbled across a problem with inheritance on subjects.
My setup is as follows:

Distribution : RedHat 7.3
Kernel : linux-2.4.19.tar.bz2 from ftp.kernel.org
filesystem : ext2 and ext3 (tried both)
grsecurity-version: 1.9.7-rc[123] kernelpatch and gradm (tried all three versions)

/etc/grsec/acl as follows:
------------ SNIP ----------------

/ {
/ r
/opt rx
/home rwx
/mnt rw
/dev rw
/dev/mem h
/dev/kmem h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/sys r
/root rw
/tmp rw
/var rwx
/var/tmp rw
/var/log rw
/boot r
/etc/grsec h
}

/usr/X11R6/bin/XFree o {
/dev/mem rw
+CAP_SYS_RAWIO
}

-------------- SNIP ----------------

When I enable the ACL-system with "gradm -E" I get the following error:
"Default ACL object not found for subject /usr/X11R6/bin/XFree"
"The ACL system will not load until you correct this error."

I also tried the following ACL for subject "/usr/X11R6/bin/XFree" :

/usr/X11R6/bin/XFree {
/dev/mem rwo
+CAP_SYS_RAWIO
}

which gives me these errors in my syslog:
-Sep 1 12:18:36 mad kernel: grsec: attempt to access hidden file [03:05:8055] by (XFree86:1406) UID(0) EUID(0), parent (bash:1235) UID(0) EUID(0)

-Sep 1 12:18:36 mad kernel: grsec: CAP_SYS_RAWIO not raised for (XFree86:1406) UID(0) EUID(0), parent (bash:1235) UID(0) EUID(0)

-----
I really don't understand what's going wrong here :( According to the documentation, at least
my first ACL for subject "usr..XFree" should disable inheritance for "/dev/mem" and CAP_SYS_RAWIO
... or am I wrong?

Since grsecurity really seems to be a mature piece of software, I'd be glad to learn more about it, but now I'm stuck :/

Any help is welcome :)

virtual

Post by spender » Sun Sep 01, 2002 1:42 pm

/usr/X11R6/bin/XFree o {
/dev/mem rw
+CAP_SYS_RAWIO
}


This is wrong. You were using the override mode in the subject, which means you have to explicitly grant permission for that process, which means you need to have at least a rule for / for that process.

/usr/X11R6/bin/XFree {
/dev/mem rwo
+CAP_SYS_RAWIO
}


The reason why this didn't work is because you were using the wrong pathname for X. gradm accepted this because we support nonexistent subjects and objects. You could have checked the permissions by using gradm -T.

/usr/X11R6/bin/XFree86 {
/dev/mem rwo
+CAP_SYS_RAWIO
}

will work.

-Brad
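
The two mistakes identified in the reply above (an override subject with no "/" object, and a subject path that does not exist on disk) can be caught before loading the policy. The following is an added example, not part of the original posts and not gradm's own code; it assumes only the ACL syntax visible in this thread, and the names `parse_acl` and `lint_acl` are hypothetical.

```python
import os
import re

# Constructed sample, modelled on the policy quoted in the thread.
SAMPLE_ACL = """\
/ {
/ r
/dev/mem h
}

/usr/X11R6/bin/XFree o {
/dev/mem rw
+CAP_SYS_RAWIO
}

/usr/X11R6/bin/XFree86 {
/dev/mem rwo
+CAP_SYS_RAWIO
}
"""

# "<subject path> [subject mode] {" as written in the thread (assumed syntax).
SUBJECT_RE = re.compile(r"^(/\S*)(?:\s+(\w+))?\s*\{$")

def parse_acl(text):  # -> [(subject_path, subject_mode, {object_path: mode})]
    subjects, current = [], None
    for line in map(str.strip, text.splitlines()):
        m = SUBJECT_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) or "", {})
            subjects.append(current)
        elif line == "}":
            current = None
        elif current and line.startswith("/"):
            # Object line; capability lines such as +CAP_SYS_RAWIO are skipped.
            path, _, mode = line.partition(" ")
            current[2][path] = mode.strip()
    return subjects

def lint_acl(text, exists=os.path.exists):
    """Flag the two mistakes discussed in the thread."""
    findings = []
    for path, mode, objects in parse_acl(text):
        # Only the subject mode is checked; "o" on an object line is a different flag.
        if "o" in mode and "/" not in objects:
            findings.append((path, "override subject has no '/' object"))
        if not exists(path):
            findings.append((path, "subject path does not exist"))
    return findings

if __name__ == "__main__":
    print(*lint_acl(SAMPLE_ACL), sep="\n")
```

Pass a different `exists` callable to check the policy against a filesystem other than the one the script runs on.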

Post by virtual » Sun Sep 01, 2002 4:08 pm

Hi Spender!!!

Great! You were right about the typo in my configuration <blush :)>, and the first part (about an object for "/" in a subject ACL with "o" flag) opened my eyes. After this, this test setup behaved as if I'm getting somewhere :)

Thank you very much!
virtual

