"define"d policies and object order
Posted: Tue Mar 07, 2006 7:07 pm
This works well:
Code:
subject /bin/bash:/usr/bin/setterm hpdAo {
user_transition_allow hue
group_transition_allow hue
/ h
/dev h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/etc/terminfo/l/linux r
/home h
/home/hue
/home/hue/* h
/lib h
/lib/ld-2.3.6.so x
/lib/libc-2.3.6.so rx
/lib/libdl-2.3.6.so rx
/lib/libncurses.so.5.5 rx
/usr h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/locale
/usr/lib/locale/en_US.utf8 r
/usr/share/locale r
-CAP_ALL
bind disabled
connect disabled
}
But this gives an error:
Code:
# exactly the same
define usr_bin_setterm {
/ h
/dev h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/etc/terminfo/l/linux r
/home h
/home/hue
/home/hue/* h
/lib h
/lib/ld-2.3.6.so x
/lib/libc-2.3.6.so rx
/lib/libdl-2.3.6.so rx
/lib/libncurses.so.5.5 rx
/usr h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/locale
/usr/lib/locale/en_US.utf8 r
/usr/share/locale r
}
subject /bin/bash:/usr/bin/setterm hpdAo {
user_transition_allow hue
group_transition_allow hue
$usr_bin_setterm
-CAP_ALL
bind disabled
connect disabled
}
# gradm -E
Error on line 802 of /etc/grsec/policy.d/hue:
Object /home/hue needs to be specified before globbed object /home/hue/*
Workaround:
Code:
define usr_bin_setterm {
/ h
/dev h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/etc/terminfo/l/linux r
/home h
# /home/hue
/home/hue/* h
/lib h
/lib/ld-2.3.6.so x
/lib/libc-2.3.6.so rx
/lib/libdl-2.3.6.so rx
/lib/libncurses.so.5.5 rx
/usr h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/locale
/usr/lib/locale/en_US.utf8 r
/usr/share/locale r
}
subject /bin/bash:/usr/bin/setterm hpdAo {
user_transition_allow hue
group_transition_allow hue
## move this line from the above definition here to make gradm happy
/home/hue
$usr_bin_setterm
-CAP_ALL
bind disabled
connect disabled
}
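Added example, not part of the post and not gradm's own code: a small pre-flight checker for the ordering rule quoted in the gradm error above ("Object /home/hue needs to be specified before globbed object /home/hue/*"). It parses `define NAME { ... }` and `subject PATH FLAGS { ... }` blocks from policy text, expands `$NAME` references inline, and reports any globbed object whose plain base object does not appear earlier in the same subject. Inline textual expansion is a simplifying assumption: it is not how gradm itself resolves defines (the poster's gradm rejected the second policy even though its textual order is identical to the first), so this catches ordering mistakes in what you wrote, not every case gradm -E will reject. The policy strings and the `check_object_order`, `base_of` and `parse_policy` names are constructed for this example.

```python
"""Pre-flight object-order check for gradm-style RBAC policy text.

Hypothetical helper written for this thread, not part of gradm.
Assumption: $NAME references are expanded in place, in order; gradm's
real define handling may differ (see the error reported above).
"""
import re

GLOB_CHARS = set("*?[")


def parse_policy(text):
    """Split policy text into (defines, subjects).

    defines:  name -> list of body lines
    subjects: subject path -> list of body lines
    Comments (# ...) and blank lines are dropped.
    """
    defines, subjects = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"define\s+(\S+)\s*\{$", line)
        if m:
            current = defines.setdefault(m.group(1), [])
            continue
        m = re.match(r"subject\s+(\S+)(?:\s+(\S+))?\s*\{$", line)
        if m:
            current = subjects.setdefault(m.group(1), [])
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            raise ValueError(f"line outside any block: {raw!r}")
        current.append(line)
    return defines, subjects


def expand(lines, defines):
    """Replace each $NAME line with the body of that define (recursively)."""
    out = []
    for line in lines:
        if line.startswith("$"):
            name = line[1:]
            if name not in defines:
                raise ValueError(f"undefined reference ${name}")
            out.extend(expand(defines[name], defines))
        else:
            out.append(line)
    return out


def is_glob(path):
    return any(c in GLOB_CHARS for c in path)


def base_of(glob_path):
    """Longest leading directory with no glob characters.

    /home/hue/*   -> /home/hue
    /home/*/.ssh  -> /home
    """
    base = []
    for part in glob_path.split("/")[1:]:
        if is_glob(part):
            break
        base.append(part)
    return "/" + "/".join(base) if base else "/"


def check_object_order(text):
    """Return one error string per globbed object whose base object is
    not listed before it in the (expanded) subject body."""
    defines, subjects = parse_policy(text)
    errors = []
    for subj, body in subjects.items():
        seen = []
        for line in expand(body, defines):
            if not line.startswith("/"):
                continue          # roles, caps, bind/connect, transitions
            path = line.split()[0]
            if is_glob(path) and base_of(path) not in seen:
                errors.append(f"{subj}: object {base_of(path)} needs to be "
                              f"specified before globbed object {path}")
            seen.append(path)
    return errors


# Constructed sample policies (shortened from the post's shape).
GOOD_POLICY = """
define libs {
    /lib h
    /lib/ld-2.3.6.so x
}
subject /bin/bash:/usr/bin/setterm hpdAo {
    user_transition_allow hue
    /home h
    /home/hue
    /home/hue/* h
    $libs
    -CAP_ALL
    bind disabled
}
"""

# Base object only present as a comment, so the glob has no parent.
BAD_POLICY = GOOD_POLICY.replace("    /home/hue\n", "    # /home/hue\n")

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_object_order(pol) or "ok")
```

Run it on a policy fragment before `gradm -E` to catch a missing or misplaced base object; remember that it reports on the textual order only, so the "works / errors / workaround" difference shown in this thread has to be checked against gradm itself.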