My Hard Earned RBAC policy for Mutt
Posted: Thu Jul 16, 2015 2:07 pm
I have solved an issue that unexpectedly appeared and annoyed me in all of some 15 to 20 hours that I was recompiling Mutt.
You can see the video (if you have the spare 5 minutes of its duration), but if you don't, I'll try and explain.
http://www.croatiafidelis.hr/foss/cap/c ... entoo.webm
You need to understand, that Mutt is a mail client and transfer agent, probably the most sane there is, but not a GUI one. Rather, programmers and advanced users do their emailing with it.
Advanced users, bear a little patience. I like also the newbies to be able to understand.
Every mail client displays mail, and it displays the content primarily. While Mutt can be set to first display all the headers every time you open an email in the terminal you are running Mutt in, and when you're done looking at them, show you the content, the Mutt that I have been using for months in my Gentoo, which I build with the Portage package management of Gentoo, has been always showing me the long pages of headers, and I had to PgDwn to get to the contents of emails, and that behavior wasn't settable nor fixable in any way.
Also, Mutt has a really fine manual which at the press of F1, you can get in the same terminal window that you have opened the Mutt in, and you get it in place of Mutt, look it up, close it when you are done, and you are back in Mutt. And in my Gentoo Mutt that feature was deliberately not available because the developers in charge deemed it unseemly.
For these (and other) reasons, I decided to try and find a way in Gentoo Portage, write my own ebuild from the official one, and deploy Mutt with content shown in mails as default, and not headers, and with the manual available in Mutt.
The lengthy discussion on that matter with ups and downs is available on Gentoo Forums. The most recent starts at:
Mutt without Portage/in Local Overlay
https://forums.gentoo.org/viewtopic-t-1 ... ml#7779222
And you can see that I here and there in that discussion and research decided to do it the out-of-portage way, the compilation from source that is independent of the package managers of various Linuces.
And I, at first, got me the completely functional Mutt, as I wanted, from out-of-portage compilation.
However, almost a day ago, all of a sudden, upon a recompilation, even the out-of-portage Mutt started behaving just like the one built from official Gentoo portage!
It showed, after a lot of recompiling, a lot of looking into the logs, a lot of pouring over, that some of the issues were related to my grsecurity policies, and that is why I've opened this topic.
In some maybe a dozen recompilations, at long last, I, apparently, fixed all the issues. I thought this might be somewhat a typical case of setting up policies, and that it would be useful for me and for others to post this, so the lesser advanced like me, and those yet new and willing to read and learn, would benefit from my experience.
It's all pretty all over the place, in the build logs, the system log, in my notes, and, the solutions themselves, in my recollection. I'll try to put it together and say the most important parts.
I always work on a copy of /etc/grsec/policy file, and not on the file itself:
# cp -iav /etc/grsec/policy grsec_150714_g0n_05
But that one wasn't less than a day ago, but almost two days ago? It's that I also clone my systems, and keep the master copy never to see online, never ever, but only a cloned copy of the system on another same hardware system goes online.
When I messed up last night late (it is now early evening in Europe), I restored that master system from backup, as I was incredulous that the functionality of showing me the content of mails, and the manual, was not anymore there. That one I reused not much earlier than the others, in a row:
$ ls -l
total 1456
-rw------- 1 root root 113575 2015-07-14 23:56 grsec_150714_g0n_05
-rw------- 1 root root 113603 2015-07-16 08:15 grsec_150716_g0n_00
-rw------- 1 root root 113627 2015-07-16 08:24 grsec_150716_g0n_01
-rw------- 1 root root 113483 2015-07-16 08:30 grsec_150716_g0n_02
-rw------- 1 root root 113533 2015-07-16 08:39 grsec_150716_g0n_03
-rw------- 1 root root 114003 2015-07-16 08:49 grsec_150716_g0n_04
-rw------- 1 root root 114022 2015-07-16 08:52 grsec_150716_g0n_05
-rw------- 1 root root 114005 2015-07-16 10:14 grsec_150716_g0n_06
-rw------- 1 root root 114059 2015-07-16 11:21 grsec_150716_g0n_07
-rw------- 1 root root 114060 2015-07-16 11:32 grsec_150716_g0n_08
-rw------- 1 root root 114065 2015-07-16 11:46 grsec_150716_g0n_09
-rw------- 1 root root 114083 2015-07-16 11:57 grsec_150716_g0n_10
-rw------- 1 root root 114115 2015-07-16 15:06 grsec_150716_g0n_11
Let me see:
# diff grsec_150714_g0n_05 grsec_150716_g0n_00
4325a4326
> /usr/share/automake-1.15 r
#
I remember vaguely that my compilation of Mutt wouldn't be successful, because there were lines like:
# grep '\/usr\/share\/automake-1.15' /var/log/messages | grep denied
Jul 16 08:18:23 gbn kernel: [ 4659.521289] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/automake-1.15/compile by /bin/cp[cp:3457] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:18:23 gbn kernel: [ 4659.535785] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/automake-1.15/install-sh by /bin/cp[cp:3460] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000
(it will consistently be actual output from my logs, lest I post something wrong)
The next diff:
# diff grsec_150716_g0n_00 grsec_150716_g0n_01
4326a4327
> /usr/share/gnuconfig r
shows that I added that line because of
# grep '\/usr\/share\/gnuconfig' /var/log/messages | grep denied
Jul 16 08:18:23 gbn kernel: [ 4659.526164] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/gnuconfig/config.guess by /bin/cp[cp:3458] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:18:23 gbn kernel: [ 4659.530377] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/gnuconfig/config.sub by /bin/cp[cp:3459] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000
It shows that I missed allowing the entire compiler, look:
# diff grsec_150716_g0n_01 grsec_150716_g0n_02
639,641c639,641
< # /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4
< # /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4/x86_64-pc-linux-gnu-g++ x
< # /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4/x86_64-pc-linux-gnu-gcc x
---
> # /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5
> # /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-g++ x
> # /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc x
2988c2988
< subject /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1 o {
---
> subject /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1 o {
3009c3009
< /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1 x
---
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1 x
3500c3500
< /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4
---
> /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5
3505,3507d3504
< /var/lib/rkhunter/tmp/mirrors.dat.6hadQeOMUw w
< /var/lib/rkhunter/tmp/mirrors.dat.cy1b9KDXNC w
< /var/lib/rkhunter/tmp/rkhunter.upd.dA7ntnkWDc
I had updated to version 4.8.5 of gcc, but in the policy there was still 4.8.4. No go.
I had to figure that out from the logs, however (this one is human recollection brought here, I thought pretty hard to figure it out!)
# grep '\/cc1' /var/log/messages | grep denied
Jul 16 08:33:22 gbn kernel: [ 5559.034156] grsec: (miro:U:/) denied open of /usr/include/stdc-predef.h for reading by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:6240] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:6239] uid/euid:1000/1000 gid/egid:1000/1000
...
Jul 16 08:52:35 gbn kernel: [ 6712.502051] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:8296] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:8295] uid/euid:1000/1000 gid/egid:1000/1000
...
Jul 16 10:20:39 gbn kernel: [ 4504.366922] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:9370] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:9369] uid/euid:1000/1000 gid/egid:1000/1000
...
Jul 16 11:45:19 gbn kernel: [ 9587.573225] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied open of /tmp/cgaDVr78/dummy.c for reading by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:22110] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:22109] uid/euid:1000/1000 gid/egid:1000/1000
What I remember is my sense of almost helplessness when I saw the build process complain in the config.log:
compiler can not make executable
==***===
I know these are not yet complete information without the roles and the subjects those added lines apply to, but allow me to glean just a little more from the diffs, and then the complete added policies to which those lines respectively belong.
==***===
# diff grsec_150716_g0n_02 grsec_150716_g0n_03
4178a4179
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1 x
#
This one almost is one, as here I added the role for user myself to allow compiling, as user
# diff grsec_150716_g0n_03 grsec_150716_g0n_04
4179d4178
< /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1 x
5820a5820,5850
> }
>
> # Role: miro
> subject /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1 o {
> / h
> /dev
> /dev/grsec h
> /dev/kmem h
> /dev/log h
> /dev/mem h
> /dev/null rw
> /dev/port h
> /dev/urandom r
> /etc h
> /etc/ld.so.cache r
> /lib64 rx
> /lib64/modules h
> /proc h
> /proc/meminfo r
> /tmp w
> /usr
> /usr/include r
> /usr/lib64 rx
> /usr/libexec h
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1 x
> /usr/share h
> /usr/share/locale r
> /usr/src rwxc
> -CAP_ALL
> bind disabled
> connect disabled
#
This one was because the compiler couldn't write in the ~/hg/mutt/ originally mercurial download directory:
# diff grsec_150716_g0n_04 grsec_150716_g0n_05
5834a5835
> /home/miro/hg rw
Let me try and remember what the message was that taught me to add that line...
Jul 16 08:03:39 gbn kernel: [ 3775.397504] grsec: (miro:U:/bin/bash) denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /home/miro/hg/mutt/prepare by /home/miro/hg/mutt/prepare[bash:2435] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2936] uid/euid:1000/1000 gid/egid:1000/1000
...
Jul 16 08:44:40 gbn kernel: [ 6237.721055] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied access to hidden file /home/miro/hg/mutt/conftest.c by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:7554] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:7553] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:52:35 gbn kernel: [ 6712.470007] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:8291] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:8290] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:56:50 gbn kernel: [ 6968.228219] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:12260] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:12259] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 09:25:06 gbn kernel: [ 1169.540701] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:4224] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:4223] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 09:25:06 gbn kernel: [ 1169.676216] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.o for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:4254] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:4253] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 10:26:43 gbn kernel: [ 4869.169943] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:13264] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:13263] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:34:41 gbn kernel: [ 8949.693924] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:19995] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:19994] uid/euid:1000/1000 gid/egid:1000/1000
===========************===========
===========************===========
Let's see the entire policies, the ones that I have changed and that now were working better (no, not all the work was yet done!).
This one, as I already mentioned, was a complete new addition:
# Role: miro
subject /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1 o {
/ h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/home/miro/hg rw
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/tmp w
/usr
/usr/include r
/usr/lib64 rx
/usr/libexec h
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1 x
/usr/share h
/usr/share/locale r
/usr/src rwxc
-CAP_ALL
bind disabled
connect disabled
}
The policy for user miro has changed with the
/usr/share/automake-1.15 r
/usr/share/gnuconfig r
lines.
# Role: miro
subject /bin/cp o {
/ h
/Cmn r
/Cmn/dLo rwc
/Cmn/F* rwc
/Cmn/Kaff rwxcd
/Cmn/MyVideos rwxcd
/Cmn/gX rwc
/Cmn/m* rwc
/Cmn/naibdX rwc
/bin h
/bin/cp x
/etc h
/etc/ld.so.cache r
/home h
/home/miro rwxcd
/lib64 rx
/lib64/modules h
/mnt h
/mnt/g?-C r
/mnt/g?-C/Kaff rwxcd
/mnt/g?-C/MyVideos rwxcd
/mnt/g?-C/dLo rwxcd
/mnt/g?-C/m* rwxcd
/mnt/g?-?1 rwxcd
/mnt/g?n-C r
/mnt/g?n-C/Kaff rwxcd
/mnt/g?n-C/MyVideos rwxcd
/mnt/g?n-C/dLo rwxcd
/mnt/g?n-C/m* rwxcd
/mnt/g?n-?1 rwxcd
/mnt/sd?1 rwcd
/mnt/sr0 r
/usr h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/local/bin x
/usr/share/automake-1.15 r
/usr/share/gnuconfig r
/usr/share/locale r
/var
/var/www/localhost/htdocs rwcd
-CAP_ALL
bind disabled
connect disabled
}
But I remember I went haywire because it appeared not to work, and the lines were correct!
Here's why. I mistakenly added those lines in the Role: root instead. It couldn't have worked. I also left the root as I changed it:
# Role: root
subject /bin/cp o {
/ h
/Cmn r
/Cmn/Kaff rwxcd
/Cmn/dLo rwc
/Cmn/gX rwc
/Cmn/m* rwc
/Cmn/naibdX rwc
/bin h
/bin/cp x
/etc h
/etc/ld.so.cache r
/home h
/home/miro r
/lib64 rx
/lib64/modules h
/mnt h
/mnt/g?-C r
/mnt/g?-C/Kaff rwxcd
/mnt/g?-C/MyVideos rwxcd
/mnt/g?-C/dLo rwxcd
/mnt/g?-C/m* rwxcd
/mnt/g?-?1 rwxcd
/mnt/g?n-C r
/mnt/g?n-C/Kaff rwxcd
/mnt/g?n-C/MyVideos rwxcd
/mnt/g?n-C/dLo rwxcd
/mnt/g?n-C/m* rwxcd
/mnt/g?n-?1 rwxcd
/mnt/F* rwc
/mnt/sde1/rsync.sh r
/mnt/sde1/rsync_netcologne.sh r
/mnt/sde1/wget.sh r
/mnt/sr0 r
/root rwcd
/usr h
/usr/lib64 h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/local h
/usr/local/bin rwx
/usr/share h
/usr/share/automake-1.15 r
/usr/share/gnuconfig r
/usr/share/locale r
/usr/src r
/var h
/var/log rwc
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
+CAP_FSETID
bind disabled
connect disabled
}
My recollection goes only so far... But I hope, on the one hand, that others who struggle to apply their policies might find this useful. And also, maybe more advanced users can point to some misconfigurations I made...
# diff grsec_150716_g0n_05 grsec_150716_g0n_06
4271c4271
< /usr/share/info/coreutils.info.bz2 r
---
> /usr/share/info r
was really long overdue. I couldn't browse info pages really. Now I can:
# Role: miro
subject /bin/bash o {
/
/Cmn r
/Cmn/ls-ABRgo* rwcdl
/Cmn/Kaff rwxcd
/Cmn/MyVideos rwxcd
/Cmn/dLo rwxcd
/Cmn/gX rwxcdl
/Cmn/m* rwxcdl
/export rwxcd
/bin x
/boot h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/tty rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home/miro rwxcdl
/lib/modules h
/lib64 rx
/lib64/modules h
/mnt r
/mnt/g?-C r
/mnt/g?-C/Kaff rwxcd
/mnt/g?-C/MyVideos rwxcd
/mnt/g?-C/dLo rwxcd
/mnt/g?-C/m* rwxcd
/mnt/g?-?1 rwxcd
/mnt/g?n-C r
/mnt/g?n-C/Kaff rwxcd
/mnt/g?n-C/MyVideos rwxcd
/mnt/g?n-C/dLo rwxcd
/mnt/g?n-C/m* rwxcd
/mnt/g?n-?1 rwxcd
/mnt/sd?1 rwxcdl
/mnt/sr0 r
/proc h
/proc/meminfo r
/sbin h
/sbin/macchanger
/sbin/openrc
/sbin/xtables-multi
/sys h
/tmp rwcd
/usr
/usr/bin x
/usr/bin/cvs x
/usr/bin/info x
/usr/bin/man x
/usr/bin/mencoder x
/usr/bin/mplayer x
/usr/bin/java rx
/usr/lib64 rx
/usr/libexec/git-core rx
/usr/libexec/eselect-java/run-java-tool.bash rx
/usr/local
/usr/local/bin rwxc
/usr/sbin h
/usr/sbin/sendmail rx
/usr/share h
/usr/share/info r
/usr/share/cvs/contrib/rcs2log
/usr/share/locale r
/usr/src h
/var
/var/log h
/var/tmp rwcd
/var/www/localhost/htdocs rwcd
-CAP_ALL
bind disabled
connect disabled
sock_allow_family all
}
This is going to be the last one, before a few policies that I will later search for some exact particular reasons.
I made lots of small changes from grsec_150716_g0n_06 to grsec_150716_g0n_11 (there are 7, 8, 9 and 10 in between), but I'll make it simpler here:
# diff grsec_150716_g0n_06 grsec_150716_g0n_11
2426a2427
> /usr/etc r
2444a2446
> /usr/etc r
2999a3002
> /home/miro/hg rwc
3004c3007
< /tmp w
---
> /tmp rw
4603a4607
> /tmp rwcdmli
5318a5323
> /home/miro/hg rw
5491a5497
> /usr/etc r
5673c5679
< /tmp rwcd
---
> /tmp rwcdl
5680c5686
< /usr/share rwc
---
> /usr/share rwcdl
5835c5841
< /home/miro/hg rw
---
> /home/miro/hg crw
5840c5846
< /tmp w
---
> /tmp rwc
That's the diff with my current policy, because:
# diff grsec_150716_g0n_11 /etc/grsec/policy
#
returns an empty string.
I'm a little uneasy with the
> /tmp rwcdmli
but it just kept telling me, let me find it:
# grep 'unlink' /var/log/messages | grep denied
Jul 16 11:48:33 gbn kernel: [ 9781.397191] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgZqmlhe/dummy.c by /bin/rm[rm:26386] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:26385] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:48:33 gbn kernel: [ 9781.397246] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgZqmlhe/dummy.o by /bin/rm[rm:26386] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:26385] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:55:43 gbn kernel: [10212.443252] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgV8tR1R/dummy.c by /bin/rm[rm:30663] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:30662] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:55:43 gbn kernel: [10212.443331] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgV8tR1R/dummy.o by /bin/rm[rm:30663] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:30662] uid/euid:1000/1000 gid/egid:1000/1000
Let me see the rm subject, role miro...
# Role: miro
subject /bin/rm o {
/
/Cmn wd
/bin h
/bin/rm x
/boot h
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/port h
/etc h
/etc/ld.so.cache r
/home h
/home/miro wd
/home/miro/public_html rwcd
# /lib/modules h
/lib64 h
/lib64/ld-2.20.so x
/lib64/libc-2.20.so rx
/mnt r
/mnt/sd?1 rwcd
/mnt/g?-C r
/mnt/g?-C/Kaff rwxcd
/mnt/g?-C/MyVideos rwxcd
/mnt/g?-C/dLo rwxcd
/mnt/g?-C/m* rwxcd
/mnt/g?-?1 rwxcd
/mnt/g?n-C/Kaff rwxcd
/mnt/g?n-C/MyVideos rwxcd
/mnt/g?n-C/dLo rwxcd
/mnt/g?n-C/m* rwxcd
/mnt/g?n-?1 rwxcd
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/sys h
/usr h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/share/locale r
/tmp rwcdmli
/var h
/var/www wd
/var/www/localhost/htdocs rwcdl
-CAP_ALL
bind disabled
connect disabled
}
Aargh, the subject Mutt now:
# Role: miro
subject /usr/bin/mutt o {
/ h
/bin h
/bin/bash x
/dev h
/dev/log rw
/dev/tty r
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/miro rwxcdl
/Cmn/dLo rwxcdl
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/tmp rwcdl
/usr h
/usr/etc r
/usr/bin h
/usr/bin/mutt x
/usr/lib64 rx
/usr/sbin h
/usr/sbin/sendmail x
/usr/share h
/usr/share/locale r
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
connect 127.0.0.1/32:143 stream dgram tcp udp
sock_allow_family ipv6 netlink
}
That:
/tmp rwcdl
I believe was sorely needed too!
Just like, further above, the lynx subject, role miro... Let me show you.
# Role: miro
subject /usr/bin/lynx o {
/
/Cmn r
/Cmn/dLo wc
/Cmn/m* wc
/Cmn/Kaff wc
/bin h
/bin/bash x
/boot h
/dev h
/dev/pts
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/miro
/home/miro/hg rw
/home/miro/.mailcap r
/lib/modules h
/lib64 rx
/lib64/modules h
/proc
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/run h
/run/utmp r
/sys h
/tmp rwcd
/usr h
/usr/bin h
/usr/bin/lynx rx
/usr/lib64 rx
/usr/share h
/usr/share/doc r
/usr/share/locale r
/var/log h
/var/www/localhost/htdocs r
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
connect 0.0.0.0/0:80 stream dgram tcp udp
connect 0.0.0.0/0:443 stream dgram tcp udp
connect 0.0.0.0/0:53 stream dgram tcp udp
connect 127.0.0.1/32:8008 stream dgram tcp udp
connect 127.0.0.1/32:9999 stream dgram tcp udp
connect 192.168.3.0/24:9999 stream dgram tcp udp
sock_allow_family unix inet netlink
}
I bet it was this one that was missing:
/tmp rwcd
because
# grep 'lynx' /var/log/messages | grep denied
Jul 16 08:56:50 gbn kernel: [ 6968.228219] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:12260] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:12259] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 10:26:43 gbn kernel: [ 4869.169943] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:13264] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:13263] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:34:41 gbn kernel: [ 8949.693924] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:19995] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:19994] uid/euid:1000/1000 gid/egid:1000/1000
Look at the dates! That was a matter belonging now to the class of issues that I might be finally getting the grip on. But this wasn't so easy figuring it out in all that the machine constantly talks and whines and grumbles...
And I was finding manual.txt of size zero in my Mutt installs!
I could go and (but I'm really tired) find where it builds Mutt in the build dir, and it says there the process would use lynx to dump the libxslt-made manual.html from manual.xml (or to that effect), but it didn't tell it stumbled on any errors!
Really tired. I know these were the most important, the vim needed permissions, special ones, wait... And the /usr/etc needed to be allowed for Mutt...
The Mutt is already posted above. Just look at the line:
/usr/etc r
And vim
# Role: miro
subject /usr/bin/vim o {
/
/Cmn r
/Cmn/ls-ABRgo* rwcdl
/Cmn/Kaff rwcd
/Cmn/MyVideos rwcd
/Cmn/dLo rwcd
/Cmn/m* rwcd
/Cmn/gX rwcd
/home/miro rwcd
/bin h
/bin/bash x
/bin/bzip2
/boot h
/dev h
/dev/null rw
/dev/urandom r
/etc rwcd
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/etc/terminfo
/etc/terminfo/l/linux r
/etc/terminfo/r/rxvt-unicode r
/etc/vim
/etc/vim/vimrc r
/etc/vim/vimrc.local r
/home h
/home/miro rwcd
/lib64 rx
/lib64/modules h
/mnt r
/mnt/sd?1 rwcd
/mnt/g?-C r
/mnt/g?-C/Kaff rwxcd
/mnt/g?-C/MyVideos rwxcd
/mnt/g?-C/dLo rwxcd
/mnt/g?-C/m* rwxcd
/mnt/g?-?1 rwxcd
/mnt/g?n-C/Kaff rwxcd
/mnt/g?n-C/MyVideos rwxcd
/mnt/g?n-C/dLo rwxcd
/mnt/g?n-C/m* rwxcd
/mnt/g?n-?1 rwxcd
/proc h
/proc/meminfo r
/sys h
/tmp rwcdl
/usr
/usr/bin x
/usr/lib64 rx
/usr/local h
/usr/local/bin
/usr/local/bin/uncenz-kill rw
/usr/share rwcdl
/usr/src h
/var h
/var/tmp rwcd
/var/www/localhost/htdocs rwcdl
-CAP_ALL
bind disabled
connect disabled
}
Do you see the line:
/tmp rwcdl
I believe that line and the /usr/etc line in Mutt were the last that I added, and after that the toggle header weeding worked, and the manual was shown inside Mutt's own window, with Vim of course (my editor; I know spender uses nano, but Vim is great too).
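The whole post is one exercise in reading "grsec: (role:type:subject) denied ..." lines out of /var/log/messages and working out which role, which subject and which object line each one is asking for. The script below is an added example, not code from the post, from grsecurity or from gradm: it parses the denial lines quoted above (the sample log is constructed from lines copied out of the post), groups them by the role and subject named in the parentheses (the part the post tripped over when the lines landed in Role: root instead of Role: miro), and prints the object line each denial calls for. The op-to-mode mapping assumes the RBAC mode letters as documented (r read, w write, c create, d delete, x execute); a denial whose subject is "/" is flagged because it fell through to the role's default subject, i.e. the binary (here cc1) had no subject of its own yet, and a TPE "untrusted exec" denial is flagged because no object line can fix it. Which directory to widen the line to (the post chose /usr/share/automake-1.15 rather than each file) stays a human decision.

```python
import re
from collections import defaultdict

# Constructed sample input: one line of each denial kind the post quotes, copied verbatim.
SAMPLE_LOG = """\
Jul 16 08:18:23 gbn kernel: [ 4659.521289] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/automake-1.15/compile by /bin/cp[cp:3457] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:33:22 gbn kernel: [ 5559.034156] grsec: (miro:U:/) denied open of /usr/include/stdc-predef.h for reading by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:6240] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:6239] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:52:35 gbn kernel: [ 6712.470007] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:8291] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:8290] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:48:33 gbn kernel: [ 9781.397191] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgZqmlhe/dummy.c by /bin/rm[rm:26386] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:26385] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:03:39 gbn kernel: [ 3775.397504] grsec: (miro:U:/bin/bash) denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /home/miro/hg/mutt/prepare by /home/miro/hg/mutt/prepare[bash:2435] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2936] uid/euid:1000/1000 gid/egid:1000/1000
"""

# (role:type:subject) names the role and subject whose object list must change;
# the executable after "by" is the process, which is only the subject when it has one.
DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:)]+):(?P<rtype>[A-Za-z]+):(?P<subject>[^)]+)\) denied "
    r"(?:access to hidden file (?P<hidden>/\S+)"
    r"|(?P<op>[a-z ]+?)(?: \([^)]*\))? of (?P<path>/\S+)(?: for (?P<how>reading|writing))?)"
    r" by (?P<exe>/\S+)\["
)

# Assumed mapping from the logged operation to RBAC object mode letters (docs: r w c d x).
MODE_FOR_OP = {
    ("open", "reading"): "r",
    ("open", "writing"): "w",
    ("create", "writing"): "wc",  # a new file needs 'c' on top of 'w' (the post's /tmp w -> rwc)
    ("unlink", None): "d",
}


def parse_denial(line):
    """Parse one syslog line; return a dict, or None if it is not a grsec denial."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    d = {"role": g["role"], "subject": g["subject"], "exe": g["exe"]}
    if g["hidden"] is not None:
        # 'h' hides the object; the log cannot say which access was wanted,
        # so propose 'r' and let the next denial (if any) widen it.
        d.update(path=g["hidden"], op="hidden", kind="object", mode="r")
    elif g["op"] == "untrusted exec":
        # Trusted Path Execution, not RBAC: no object line fixes this one.
        d.update(path=g["path"], op=g["op"], kind="tpe", mode="")
    else:
        mode = MODE_FOR_OP.get((g["op"], g["how"]))
        d.update(path=g["path"], op=g["op"], kind="object" if mode else "unknown", mode=mode or "")
    return d


def propose(lines):
    """Group denials by (role, subject) and merge the mode letters each path needs."""
    objects = defaultdict(lambda: defaultdict(set))  # (role, subject) -> path -> {letters}
    notes = set()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        who = f"role {d['role']}, subject {d['subject']}"
        if d["kind"] == "object":
            objects[(d["role"], d["subject"])][d["path"]].update(d["mode"])
            if d["subject"] == "/":
                # The denial fell through to the role's default subject: the binary has
                # no subject of its own in this role, which is what the post hit with cc1.
                notes.add(f"{who}: {d['exe']} has no dedicated subject; add one before adding objects")
        elif d["kind"] == "tpe":
            notes.add(f"{who}: TPE blocked exec of {d['path']}; fix directory ownership or TPE group, not the policy")
        else:
            notes.add(f"{who}: unmapped operation '{d['op']}' on {d['path']}; consult the RBAC docs")
    return objects, sorted(notes)


MODE_ORDER = "rwxcdl"  # print letters in the order the post's policy uses them


def render(objects):
    """Lay the proposals out as the policy file does: a role comment, a subject, then objects."""
    out = []
    for role, subject in sorted(objects):
        out.append(f"# Role: {role}")
        out.append(f"# add inside: subject {subject} {{")
        for path, letters in sorted(objects[(role, subject)].items()):
            out.append(f"\t{path} {''.join(c for c in MODE_ORDER if c in letters)}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    objs, notes = propose(SAMPLE_LOG.splitlines())
    print(render(objs))
    for note in notes:
        print("NOTE:", note)
```

In real use you would feed it `grep 'grsec:' /var/log/messages | grep denied` and still apply judgment before pasting: grsec's own gradm learning mode (-L) derives object lines from the same kernel messages with far more care, and the post's own uneasiness about `/tmp rwcdmli` is the right instinct, since the unlink denials only asked for `d`.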