grsecurity forums

Posted: **Sat Mar 05, 2005 9:01 am**

I have such messages in logs,when i try to connect via ssh to box:
(passphrase asked,checked and nothnig after)

Code: Select all: Mar 5 15:27:06 serv grsec: (root:U:/sbin/devfsd) denied access to hidden file /dev/pts/2 by /sbin/devfsd[devfsd:155] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 Mar 5 15:27:06 serv grsec: (root:U:/sbin/devfsd) denied connect to the unix domain socket /dev/log by /sbin/devfsd[devfsd:155] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 Mar 5 15:27:06 serv grsec: From 192.168.0.2: (root:U:/usr/sbin/sshd) denied open of /dev/pts/2 for reading writing by /usr/sbin/sshd[sshd:19610] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1175] uid/euid:0/0 gid/egid:0/0

It complains about /dev/pts2 is unaccessible to devfsd, although in alcs it is.

Here is my ALCs for subjects devfsd & sshd for role root:
(generated by learn, '###' means my addons)

Code: Select all: subject /usr/sbin/sshd o { user_transition_allow root sshd vl group_transition_allow root sshd users / /bin h /bin/bash /etc r /etc/grsec h /usr h /usr/lib /usr/lib/libcrypto.so.0.9.7 rx /usr/sbin/sshd x /usr/share/zoneinfo/Europe/Moscow r /var h /var/empty /var/log /var/log/lastlog rw /var/log/wtmp w /var/run/utmp rw /dev /dev/log rw /dev/null rw /dev/ptmx rw /dev/pts /dev/pts/1 rw ### /dev/pts/2 rw <<<<<<<<<<<< ### /dev/urandom r /dev/grsec h /dev/mem h /dev/kmem h /dev/port h /home /home/vl /home/vl/.ssh /home/vl/.ssh/authorized_keys r /lib rx /proc /proc/kcore h /proc/sys h /proc/bus h -CAP_ALL +CAP_CHOWN +CAP_FOWNER +CAP_FSETID +CAP_SETGID +CAP_SETUID +CAP_SYS_CHROOT bind 0.0.0.0/32:22 stream dgram ip tcp bind 0.0.0.0/32:0 stream dgram ip tcp connect 0.0.0.0/32:22 dgram udp connect 192.168.100.1/32:53 dgram udp } subject /sbin/devfsd o { / h /dev /dev/pts h /dev/pts/1 w ### /dev/pts/2 r ### /dev/vc h /dev/vc/12 /dev/vcs12 wc /dev/vcsa12 wc /dev/grsec h /dev/mem h /dev/kmem h /dev/port h ### /dev/log r <<<<<<<<<<<<<<< ### /lib /lib/dev-state /lib/dev-state/vc /sbin/insmod x -CAP_ALL +CAP_CHOWN bind disabled connect disabled }

also, what about unix domain sockets connect? should they be in connect section? what is syntax ?

is it ok that /dev/pts/2 doesn`t exist when ALCS gradm turns on RBAC?

Posted: **Sat Mar 05, 2005 10:15 pm**

Think you should add w to /dev/log, read is not enough. Unix domain sockets don't go to the connect section i believe.

onyx

Posted: **Sun Mar 06, 2005 11:23 am**

For the /dev/pts problems, changing the rule to /dev/pts instead of /dev/pts/1, etc should fix the problem and be a more functional policy. grsecurity doesn't currently handle fine-grained permissions on a devpts mount.

-Brad

Posted: **Sun Mar 06, 2005 11:46 am**

thank you, you are both right.

adding rw for /dev/log fixed problems with unix domain sockets and changing rule to /dev/pts fixed others.

grsecurity forums

ACL problem (denied connect to the unix domain socket..)

ACL problem (denied connect to the unix domain socket..)