Qemu RBAC policies (& libvirt & tcpdump...)
Posted: Wed Apr 05, 2017 11:46 am
Initially I planned this first post (and I didn't know how many posts I would need to prepare), for topic:
RBAC policy for tcpdump
viewtopic.php?f=5&t=4301
because I figured out an important little "tweak" (or whatever to call it) for the learning on role tcpdump, without which, as it appears to me, there are issues left and tcpdump doesn't work correctly under RBAC.
Then I thought it has too little to do with tcpdump, even though it contains the important "tweak", and that it rather belongs in the topic:
Libvirt virtualization policies
viewtopic.php?f=5&t=4675
But I actually still leave the libvirt programs' subject policies under learning in today's final policies...
Mostly it deals with Qemu. So I'll open a topic on:
title: Qemu RBAC policies (& libvirt & tcpdump...)
# ls -l grsec_170[3][1-9][0-2,4-9]_g0n_[0-9][0-9] grsec_170[4][0-9][0-9]_g0n_[0-9][0-9]
-rw------- 1 root root 171317 2017-03-08 18:46 grsec_170310_g0n_00
-rw------- 1 root root 171305 2017-03-19 22:10 grsec_170319_g0n_00
-rw------- 1 root root 171334 2017-03-22 11:56 grsec_170322_g0n_00
-rw------- 1 root root 171367 2017-03-25 12:52 grsec_170325_g0n_00
-rw------- 1 root root 171356 2017-04-01 22:43 grsec_170401_g0n_00
-rw------- 1 root root 171596 2017-04-03 14:24 grsec_170403_g0n_02
-rw------- 1 root root 171599 2017-04-04 19:21 grsec_170404_g0n_00
And so I gave that same argument to my diffing_script.sh, which you can find at:
Libvirt virtualization policies
viewtopic.php?f=5&t=4675&start=15#p17006
(but first I changed the string /Cmn/m/B/Virt_170405/ to /some/other/dir/ throughout the script)
...
First, I had figured out the missing tweak in my tcpdump topic (link given above). The tcpdump role learning was missing!
And you can see it if you peruse the actual changes between the versions above of my /etc/grsec/policy, which I have prepared for posting.
So, I ran:
# diffing_script.sh
and when asked, pasted in that string above:
grsec_170[3][1-9][0-2,4-9]_g0n_[0-9][0-9] grsec_170[4][0-9][0-9]_g0n_[0-9][0-9]
and below is what I got.
However, these posts are also related to my Libvirt topic (link given above), and to a large extent they build on the explanations given there. E.g. the version grsec_170310_g0n_00 is one of the last versions of my /etc/grsec/policy; in that topic I explained how I attained it.
diff -u30 ./grsec_170310_g0n_00 ./grsec_170319_g0n_00
--- ./grsec_170310_g0n_00 2017-03-08 18:46:35.138312762 +0100
+++ ./grsec_170319_g0n_00 2017-03-19 22:10:00.430783212 +0100
@@ -4519,109 +4519,109 @@
/proc/slabinfo r
/proc/sys h
/root rwcd
/sbin r
/usr
/usr/arm-unknown-linux-gnueabi r
/usr/bin r
/usr/etc r
/usr/lib64 rx
/usr/libexec r
/usr/local r
/usr/sbin rx
/usr/share r
/usr/src h
/usr/x86_64-pc-linux-gnu r
/usr/arm-unknown-linux-gnueabi r
/var
/var/lib rwcd
/var/spool h
/var/spool/cron r
/var/www r
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
# Role: root
-subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ar o
+subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/ar o
/ h
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/usr h
/usr/lib64 h
/usr/lib64/binutils/x86_64-pc-linux-gnu/2.25.1/libbfd-2.25.1.so rx
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/src h
/usr/x86_64-pc-linux-gnu h
- /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ar x
+ /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/ar x
-CAP_ALL
bind disabled
connect disabled
# Role: root
-subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as o
+subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/as o
/ h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/etc h
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/tmp rw
/usr h
/usr/lib64 h
/usr/lib64/binutils/x86_64-pc-linux-gnu/2.25.1/libbfd-2.25.1.so rx
/usr/lib64/binutils/x86_64-pc-linux-gnu/2.25.1/libopcodes-2.25.1.so rx
/usr/lib64/locale/locale-archive r
/usr/share h
/usr/share/locale r
/usr/src rwcd
/usr/x86_64-pc-linux-gnu h
/usr/x86_64-pc-linux-gnu/binutils-bin x
-CAP_ALL
bind disabled
connect disabled
# Role: root
-subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld o
+subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/ld o
/ h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/etc h
/etc/ld.so.cache r
/etc/ld.so.conf r
/etc/ld.so.conf.d
/etc/ld.so.conf.d/05binutils.conf r
/etc/ld.so.conf.d/05gcc-x86_64-pc-linux-gnu.conf r
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/tmp r
/usr h
/usr/lib64 rx
/usr/share h
/usr/share/locale r
/usr/src rwcd
/usr/x86_64-pc-linux-gnu h
/usr/x86_64-pc-linux-gnu/binutils-bin x
-CAP_ALL
bind disabled
connect disabled
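Review bot: the binutils bump is only half done for `ar` and `as`: their subject lines and `x` objects move to `.../binutils-bin/2.27/`, but the libraries they list stay at 2.25.1 (`/usr/lib64/binutils/x86_64-pc-linux-gnu/2.25.1/libbfd-2.25.1.so rx`, and libopcodes in the `as` subject) under `/usr/lib64 h`, so if the 2.27 binaries load a 2.27 libbfd from a different directory (an assumption about the install layout, not visible here) that open will be denied. Re-learn those two subjects or add the 2.27 library objects. Two smaller points in the first subject of the hunk: `/usr/arm-unknown-linux-gnueabi r` is listed twice, and granting CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_SETGID and CAP_SETUID together is broad for one subject, so each should be matched against the learning log.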
@@ -5052,61 +5052,61 @@
/sbin/openrc
/sbin/xtables-multi
/sys h
/tmp rwcd
/usr
/usr/bin x
/usr/bin/java rx
/usr/bin/mplayer rx
/usr/bin/mpv rx
/usr/bin/qemu-system-x86_64 rx
/usr/bin/ssh rx
/usr/bin/xkbcomp rx
/usr/bin/urxvt rx
/usr/bin/tzap rx
/usr/lib64 rx
/usr/libexec rx
/usr/local
/usr/local/bin rwxc
/usr/sbin h
/usr/sbin/sendmail rx
/usr/sbin/tcpdump x
/usr/share h
/usr/share/virt-manager x
/usr/share/cvs/contrib/rcs2log
/usr/share/doc r
/usr/share/info r
/usr/share/locale r
/usr/share/terminfo r
/usr/src rwxc
# needed by youtube-dl
- /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/objdump x
+ /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/objdump x
/var
/var/lib
/var/lib/lurker rwcdl
/var/log h
/var/tmp rwcd
/var/www
/var/www/lurker* rwcd
/var/www/localhost
/var/www/localhost/htdocs rwcd
-CAP_ALL
bind disabled
connect disabled
sock_allow_family all
# Role: miro
subject /bin/cat o
/ h
/Cmn r
/Cmn/MyVideos rwcdl
/Cmn/ls-ABRgo* rwcdl
/Cmn/dLo* rwcdl
/bin h
/bin/cat rx
/dev h
/dev/dvb r
/dev/dvb/adapter? r
/dev/dvb/adapter?/dvr? r
/etc h
/etc/ld.so.cache r
/etc/qemu/bridge.conf r
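Review bot: beyond the objdump path bump, the subject this hunk touches carries `/usr/local/bin rwxc` and `/usr/src rwxc`, so it may create files in those directories and execute them, with `sock_allow_family all` alongside. Write plus execute on the same object is what lets a compromised process drop and run its own binary; if write access there is only needed for builds, separate the two: `rwc` on the tree and a narrower `x` object for the binaries actually run from it.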
@@ -6474,62 +6474,62 @@
/proc/sys h
/sys h
/tmp r
/usr h
/usr/bin h
$gpg_programs
/usr/lib64 rx
/usr/share r
/var/log h
/var/www/localhost/htdocs rwc
-CAP_ALL
+CAP_FOWNER
+CAP_MKNOD
bind disabled
connect disabled
sock_allow_family unix inet
# Role: miro
subject /usr/bin/gpgconf o
/ h
/dev/null rw
/etc h
/etc/ld.so.cache r
/lib64 h
/lib64/ld-2.23.so x
/lib64/libc-2.23.so rx
/usr h
/usr/bin
$gpg_programs
/usr/share/locale r
- /usr/lib64/libgcrypt.so.20.1.5 rx
- /usr/lib64/libgpg-error.so.0.21.0 rx
+ /usr/lib64/libgcrypt.so.20.1.6 rx
+ /usr/lib64/libgpg-error.so.0.22.0 rx
/usr/lib64/locale/locale-archive r
-CAP_ALL
bind disabled
connect disabled
## Role: miro
#subject /usr/bin/gpgparsemail ol
# / h
# -CAP_ALL
# bind disabled
# connect disabled
## Role: miro
#subject /usr/bin/gpgscm ol
# / h
# -CAP_ALL
# bind disabled
# connect disabled
## Role: miro
#subject /usr/bin/gpgsm ol
# / h
# -CAP_ALL
# bind disabled
# connect disabled
## Role: miro
#subject /usr/bin/gpgtar ol
# / h
# -CAP_ALL
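Review bot: the gpgconf subject pins exact library file names (`/usr/lib64/libgcrypt.so.20.1.6 rx`, `/usr/lib64/libgpg-error.so.0.22.0 rx`), which is why every libgcrypt or libgpg-error update needs an edit like this one; the policy already uses a glob for glibc elsewhere (`/lib64/ld-2.*.so x` in the portage hunk further down), and `/usr/lib64/libgcrypt.so.20.* rx` would survive minor updates the same way. The subject just before gpgconf gains CAP_FOWNER and CAP_MKNOD; creating device nodes is an unusual need for anything gpg-related, so check what in the learning log triggered it before keeping it.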
@@ -8212,61 +8212,61 @@
sock_allow_family unix inet
# Role: miro
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o
/ h
/Cmn
/Cmn/mr* rwc
/Cmn/Kaff rwc
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/home
/home/miro rwcd
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/tmp rwcdl
/usr
/usr/include r
/usr/lib64 rx
/usr/libexec h
/usr/libexec/gcc x
- /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld x
+ /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/ld x
/usr/share h
/usr/share/locale r
/usr/src rwxc
-CAP_ALL
+CAP_IPC_LOCK
+CAP_SYS_RAWIO
bind disabled
connect disabled
# Role: miro
subject /usr/libexec/git-core o
/ h
/Cmn r
/Cmn/src* rwcdl
/bin x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/tty rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/passwd h
/etc/shadow h
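Review bot: the gcc subject (`/usr/libexec/gcc/x86_64-pc-linux-gnu`) gains CAP_IPC_LOCK and CAP_SYS_RAWIO while the same subject hides `/dev/mem`, `/dev/kmem` and `/dev/port`. A compiler has no use for raw I/O, so this looks like something the learning run recorded rather than a requirement; confirm the triggering access in the learning log and drop the capability if nothing breaks without it. The `ld` path bump to 2.27 is consistent with the first hunk of this diff.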
diff -u30 ./grsec_170319_g0n_00 ./grsec_170322_g0n_00
--- ./grsec_170319_g0n_00 2017-03-19 22:10:00.430783212 +0100
+++ ./grsec_170322_g0n_00 2017-03-22 11:56:18.000000000 +0100
@@ -8588,94 +8588,95 @@
/lib64/modules h
/proc
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/meminfo r
/proc/modules h
/proc/slabinfo h
/proc/sys h
/tmp rwcd
/usr
/usr/bin
/usr/bin/maildrop x
/usr/bin/python* x
/usr/lib64 rx
/usr/src h
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
connect 127.0.0.1/32 dgram udp
connect 195.29.150.9/32:995 dgram udp
connect 195.29.150.8/32:995 stream dgram tcp udp
connect 178.218.165.68/32:993 stream tcp
connect 192.168.1.1/32:53 dgram udp
sock_allow_family netlink
# Role: miro
subject /usr/lib64/palemoon/palemoon o
/ r
/Cmn rw
/mnt/CD r
- /Cmn/dLo rwc
+ /Cmn/dLo rwcd
/boot h
/bin/wc x
/dev
/dev/dri h
/dev/dri/card0 rw
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/snd rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/miro rw
/home/miro/.cache rwcd
/home/miro/.config
/home/miro/.config/gtk-2.0 rwcd
/home/miro/.local
/home/miro/.local/share rwcd
"/home/miro/.moonchild productions" rwcd
# "/home/miro/.moonchild productions/pale moon" r
# "/home/miro/.moonchild productions/pale moon/sre1mcun.default" rwcd
/home/miro/.mozilla
/home/miro/.sslkey.log w
/home/miro/Desktop rwcd
+ /home/miro/Downloads rwcd
/lib/modules h
/lib64 rx
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/self r
/proc/slabinfo h
/proc/sys h
/run
/sys h
/sys/devices/system/cpu/online r
/sys/devices/system/cpu/present r
/tmp rwcd
/usr
/usr/bin/mutt rx
/usr/bin/qpdfview x
/usr/bin/vlc x
/usr/lib64 rx
/usr/local
/usr/share r
/usr/src h
/var h
/var/cache h
/var/cache/fontconfig r
/var/tmp rwcd
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
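Review bot: widening `/Cmn/dLo` to `rwcd` and adding `/home/miro/Downloads rwcd` for palemoon is fine for download directories, but two unchanged lines in the same subject deserve a look while it is being edited: `/ r` together with `/home/miro rw` lets the browser overwrite any existing file under the home directory (shell startup files included; only `.cache`, `.config/gtk-2.0`, `.local/share` and the profile directory are narrowed), and `/home/miro/.sslkey.log w` is a TLS key log, i.e. the material that decrypts the captures this topic is about, so that file's own permissions should keep it readable by that user only.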
diff -u30 ./grsec_170322_g0n_00 ./grsec_170325_g0n_00
--- ./grsec_170322_g0n_00 2017-03-22 11:56:18.000000000 +0100
+++ ./grsec_170325_g0n_00 2017-03-25 12:52:06.000000000 +0100
@@ -6982,61 +6982,61 @@
/proc/slabinfo h
/proc/sys h
/sys h
/sys/devices/system/cpu
/usr h
/usr/bin h
/usr/bin/mplayer rx
/usr/lib64 rx
/usr/share r
/var h
/var/cache h
/var/cache/fontconfig r
/var/www h
/var/www/localhost h
/var/www/localhost/htdocs r
/var/www/localhost/htdocs/CroatiaFidelis r
/var/www/localhost/htdocs/CroatiaFidelis/foss r
/var/www/localhost/htdocs/CroatiaFidelis/foss/cap rwc
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
connect 192.168.2.0/24:80 stream tcp
connect 127.0.0.1/32:53 dgram udp
sock_allow_family ipv6
# Role: miro
subject /usr/bin/mpv o
/ h
/Cmn r
/Cmn/Kaff rwc
/Cmn/dLo rwc
- /Cmn/mr rwc
+ /Cmn/mr* rwc
/dev h
/dev/dri h
/dev/dri/card0 rw
/dev/null r
/dev/snd rw
/dev/urandom r
/dev/zero rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/passwd h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/miro rwc
/lib64 rx
/lib64/modules h
/mnt h
/mnt/sd?1 r
/mnt/g* r
/mnt/H* r
/mnt/sr* r
/proc
/proc/bus h
/proc/cpuinfo r
/proc/kallsyms h
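Review bot: `/Cmn/mr rwc` to `/Cmn/mr* rwc` for mpv matches every path under /Cmn that starts with `mr`, not just the `mr` directory; it is the same pattern the gcc subject already uses (`/Cmn/mr* rwc`), so it looks intended, but any later sibling beginning with `mr` is covered silently.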
@@ -8517,60 +8517,61 @@
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/miro rwcd
/home/miro/.cache rwcdl
/lib64 rx
/lib64/modules h
/proc
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/meminfo r
/proc/modules h
/proc/slabinfo h
/proc/sys h
/sys h
/sys/devices/system/cpu/online r
/tmp rwcd
/usr
/usr/bin
/usr/bin/xdg-open x
/usr/lib64 rxwc
/usr/share r
/usr/src h
/var h
/var/cache/fontconfig rw
+ /var/www/localhost/htdocs rwcd
-CAP_ALL
bind disabled
connect disabled
sock_allow_family unix inet
# Role: miro
subject /usr/lib64/node_modules/npm/bin/npm-cli.js o
/ h
/bin h
/bin/env x
/etc h
/etc/ld.so.cache r
/lib64 h
/lib64/ld-2.23.so x
/lib64/libc-2.23.so rx
/usr h
/usr/bin/env x
/usr/bin/node x
/usr/lib64/locale/locale-archive r
/usr/lib64/node_modules/npm/bin/npm-cli.js rx
-CAP_ALL
bind disabled
connect disabled
sock_allow_family unix inet
# Role: miro
subject /usr/lib64/python-exec/python2.7/getmail o
/ h
/dev h
/dev/tty rw
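Review bot: the subject that gains `/var/www/localhost/htdocs rwcd` here also has `/usr/lib64 rxwc` in its unchanged context, i.e. write and create on the system library directory plus execute. That is the one combination a user-role subject should never hold: whatever it can drop into /usr/lib64 it can also load. DAC would still stop user miro from writing there, but then the `wc` is noise that hides a real finding; change it to `/usr/lib64 rx` and re-test.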
diff -u30 ./grsec_170325_g0n_00 ./grsec_170401_g0n_00
--- ./grsec_170325_g0n_00 2017-03-25 12:52:06.000000000 +0100
+++ ./grsec_170401_g0n_00 2017-04-01 22:43:14.760275379 +0200
@@ -642,61 +642,60 @@
/Cmn/gX* rwxcd
/Cmn/m* rwxcd
/bin rx
/sbin rx
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/tty rw
/dev/urandom r
/etc rx
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/export h
/export/data
/export/home
/home h
/home/miro rx
/lib64 rx
/lib64/firmware h
/lib64/firmware/radeon
/lib64/modules h
/mnt r
- /mnt r
/mnt/g* rwxcd
/mnt/H* rwxcd
/opt
/opt/icedtea-bin-*/bin/java x
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/root rxcdl
/run rd
/run/dhcpcd r
/sys
/sys/fs/cgroup
/tmp rwcd
/usr
/usr/bin rx
/usr/include r
/usr/lib64 rx
/usr/libexec rx
/usr/local r
/usr/local/bin rx
/usr/sbin rx
/usr/share r
/usr/src rx
/usr/x86_64-pc-linux-gnu
/usr/x86_64-pc-linux-gnu/binutils-bin x
/usr/x86_64-pc-linux-gnu/gcc-bin x
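Review bot: dropping the duplicated `/mnt r` line is the right fix. While in this subject, `/mnt/g* rwxcd` and `/mnt/H* rwxcd` grant execute on those mounts; if they only hold data, `rwcd` without `x` keeps the role from running binaries that arrive on the mounted media.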
diff -u30 ./grsec_170401_g0n_00 ./grsec_170403_g0n_02
--- ./grsec_170401_g0n_00 2017-04-01 22:43:14.760275379 +0200
+++ ./grsec_170403_g0n_02 2017-04-03 14:24:12.713483680 +0200
@@ -2942,61 +2942,62 @@
/ h
/bin x
/dev r
/dev/null w
/dev/tty rw
/etc h
/etc/X11
/etc/X11/xinit rx
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/root
/tmp rwcd
/usr h
/usr/bin rx
/usr/lib64 h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/share
/usr/share/locale/locale.alias r
-CAP_ALL
+CAP_DAC_OVERRIDE
bind disabled
connect disabled
sock_allow_family unix inet
# Role: root
subject /usr/bin/sudo o
-group_transition_allow nobody root
+#user_transition_allow root nobody
+group_transition_allow root nobody
/ h
/bin h
/bin/bash xwcd
/bin/touch rwc
/bin/mkdir x
/dev h
/dev/console
/dev/log rw
/dev/pts
/dev/tty rw
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow- h
/etc/passwd r
/etc/ssh h
/etc/sudoers r
/etc/sudoers.d r
/lib64 rx
/lib64/modules h
/proc
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/run rwcd
/usr h
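Review bot: in the sudo subject the transition change is smaller than it looks: `group_transition_allow root nobody` is the same set as the removed `group_transition_allow nobody root`, only reordered, and commenting out `user_transition_allow` removes a restriction rather than adding one (a subject with no user_transition_allow/deny line may switch to any user), which for sudo is presumably the intent. The lines that actually need attention are `/bin/bash xwcd` and `/bin/touch rwc`: the sudo subject may overwrite or delete those binaries. That is the signature of a package update run through sudo being learned into sudo's own subject (children without a subject of their own inherit it); reduce them to `x` and `rx` and give the updater its own subject. The CAP_DAC_OVERRIDE added to the first subject of the hunk should likewise be matched against the learning log.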
@@ -4449,63 +4450,64 @@
sock_allow_family unix inet
# Role: root
subject /usr/sbin/tcpdump o
user_transition_allow root tcpdump nobody miro
group_transition_allow root tcpdump nobody miro
/ h
/Cmn rwc
/etc h
/etc/ld.so.cache r
/etc/localtime r
/etc/nsswitch.conf r
/etc/passwd r
/etc/services r
/lib64 rx
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/sys h
/sys/class h
/sys/class/net
/sys/devices h
/sys/devices/pci0000:00 h
/sys/devices/pci0000:00/0000:00:15.0/0000:05:00.0/net/eth0/ifindex
/sys/devices/pci0000:00/0000:00:15.1/0000:06:00.0/net/eth1/ifindex
/sys/devices/virtual h
- /sys/devices/virtual/net/dummy0/ifindex
- /sys/devices/virtual/net/lo/ifindex
- /sys/devices/virtual/net/sit0/ifindex
+ /sys/devices/virtual/net r
+# /sys/devices/virtual/net/dummy0/ifindex
+# /sys/devices/virtual/net/lo/ifindex
+# /sys/devices/virtual/net/sit0/ifindex
/usr h
/usr/lib64 rx
/usr/sbin h
/usr/sbin/tcpdump rx
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SETPCAP
+CAP_NET_ADMIN
+CAP_NET_RAW
bind disabled
connect disabled
sock_allow_family unix inet netlink
# Role: root
subject /usr/sbin/tripwire o
user_transition_allow root
group_transition_allow root
/
/boot r
/bin rx
/dev
/dev/grsec h
/dev/kmem h
/dev/log rw
/dev/port h
/etc r
/home
/home/miro rwcd
/lib rx
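Review bot: the learned capability set for root's tcpdump subject lines up with tcpdump's privilege drop: CAP_NET_RAW and CAP_NET_ADMIN to open the packet socket and set promiscuous mode, CAP_SETUID/CAP_SETGID to switch to the `-Z` user, and CAP_SETPCAP for the capability bookkeeping around that drop (an inference; the learning log would confirm it). Replacing the mode-less per-interface `ifindex` entries with `/sys/devices/virtual/net r` is sensible. Two things to tighten: `/Cmn rwc` lets a CAP_NET_RAW process create files anywhere under /Cmn, so narrow it to the capture directory; and `user_transition_allow root tcpdump nobody miro` lets the capturing process also become user miro, which is only needed when tcpdump is run with `-Z miro`.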
@@ -4828,95 +4830,96 @@
-CAP_ALL
+CAP_DAC_READ_SEARCH
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 ip dgram stream tcp udp
connect 127.0.0.1/32 ip dgram stream tcp udp
connect 192.168.1.1/32:53 dgram udp
connect 195.29.150.0/24 ip dgram stream tcp udp
connect 178.218.165.68/32 ip dgram stream tcp udp
sock_allow_family all
# Role: postfix
subject /usr/sbin/postsuper o
user_transition_allow root
group_transition_allow root
/ h
/var/spool/postfix wd
-CAP_ALL
bind disabled
connect disabled
role qemu ul
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
role qemu gl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
-role tcpdump u
-subject / o
- / h
- -CAP_ALL
- bind disabled
- connect disabled
-
-# Role: tcpdump
-subject /usr/sbin/tcpdump o
-user_transition_allow miro root nobody tcpdump
-group_transition_allow miro root nobody tcpdump
- / h
- /Cmn rwc
- /etc h
- /etc/host.conf r
- /etc/hosts r
- /etc/ld.so.cache r
- /etc/resolv.conf r
- /lib64 h
- /lib64/libnss_dns-2.23.so rx
- /lib64/libresolv-2.23.so rx
- /lib64/libresolv.so.2 rx
- /proc r
- /proc/bus h
- /proc/kallsyms h
- /proc/kcore h
- /proc/modules h
- /proc/slabinfo h
- /proc/sys h
- /usr h
- /usr/sbin/tcpdump rx
- -CAP_ALL
- +CAP_DAC_OVERRIDE
- bind 0.0.0.0/32:0 dgram ip
- connect 127.0.0.1/32:53 dgram udp
+role tcpdump ul
+user_transition_allow root nobody tcpdump miro
+group_transition_allow root nobody tcpdump miro
+
+role tcpdump gl
+user_transition_allow root nobody tcpdump miro
+group_transition_allow root nobody tcpdump miro
+
+## Role: tcpdump
+#subject /usr/sbin/tcpdump o
+#user_transition_allow root nobody tcpdump miro
+#group_transition_allow root nobody tcpdump miro
+# / h
+# /Cmn rwc
+# /etc h
+# /etc/host.conf r
+# /etc/hosts r
+# /etc/ld.so.cache r
+# /etc/resolv.conf r
+# /lib64 h
+# /lib64/libnss_dns-2.23.so rx
+# /lib64/libresolv-2.23.so rx
+# /lib64/libresolv.so.2 rx
+# /proc r
+# /proc/bus h
+# /proc/kallsyms h
+# /proc/kcore h
+# /proc/modules h
+# /proc/slabinfo h
+# /proc/sys h
+# /usr h
+# /usr/sbin/tcpdump rx
+# -CAP_ALL
+# +CAP_DAC_OVERRIDE
+# bind 0.0.0.0/32:0 dgram ip
+# connect 127.0.0.1/32:53 dgram udp
role miro u
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
role_allow_ip 0.0.0.0/32
# Role: miro
subject /
/ h
/Cmn r
/Cmn/Kaff rwxcd
/Cmn/MyVideos rwxcd
/Cmn/dLo rwxcd
/Cmn/gX* rwxcd
/Cmn/m* rwxcd
/Cmn/src* rwxcd
/bin rx
/boot h
/dev
/dev/grsec h
/dev/kmem h
/dev/kvm r
/dev/log h
/dev/mapper h
/dev/mapper/Msy
/dev/mem h
/dev/net r
/dev/net/tun rwx
/dev/null rw
/dev/port h
/dev/ptmx rw
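Review bot: this is the tweak the post is about, and the reason deserves stating: once tcpdump drops privileges to user `tcpdump`, the process leaves the root role and is matched against `role tcpdump`, so the tcpdump subject under root only governs the start of a capture and the subject under `role tcpdump` (now commented out) is the one enforced for the rest of it; that subject had not been learned in step with the root-side one. Switching the role to `ul`/`gl` puts it in learning mode, where nothing is denied and everything is recorded, so the `l` must be dropped again once the learned subject is merged, and the transition lists should stay symmetric with the root tcpdump subject (they are: root nobody tcpdump miro on both sides). Two points from the commented-out subject for when it is re-learned: its `connect 127.0.0.1/32:53 dgram udp` and resolver libraries exist only for name lookups, so capturing with `-n` would let the final subject do without a network rule, and `+CAP_DAC_OVERRIDE` after a uid drop is odd and worth a second look in the learning output. Unrelated to tcpdump, the subject at the top of the hunk (the one with `sock_allow_family all`) gains CAP_DAC_READ_SEARCH, CAP_KILL, CAP_SETGID and CAP_SETUID; its `bind 0.0.0.0/32:0 ip dgram stream tcp udp` allows any port, so if its listening ports are known they can be pinned.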
diff -u30 ./grsec_170403_g0n_02 ./grsec_170404_g0n_00
--- ./grsec_170403_g0n_02 2017-04-03 14:24:12.713483680 +0200
+++ ./grsec_170404_g0n_00 2017-04-04 19:21:56.000000000 +0200
@@ -541,61 +541,61 @@
bind disabled
connect disabled
role portage u
role_allow_ip 0.0.0.0/32
# Role: portage
subject /
/ h
/bin/bash x
/usr/bin/wget x
-CAP_ALL
bind disabled
connect disabled
# Role: portage
subject /bin/bash o
/
/Cmn
/Cmn/Kaff rwxcd
/bin x
# /bin/bash x
# /bin/rm x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null w
/dev/port h
/dev/tty rw
- /etc h
+ /etc r
/etc/ld.so.cache r
/lib64 rx
/lib64/modules h
/proc h
/proc/meminfo r
/root
/usr h
/usr/lib64/gconv/gconv-modules.cache r
/usr/lib64/locale/locale-archive r
/usr/portage wc
/usr/share/info r
-CAP_ALL
bind disabled
connect disabled
# Role: portage
subject /bin/rm o
/ h
/bin h
/bin/rm x
/etc h
/etc/ld.so.cache r
/lib64 h
/lib64/ld-2.*.so x
/lib64/libc-2.*.so rx
/usr h
/usr/lib64/locale/locale-archive r
/usr/portage wd
-CAP_ALL
bind disabled
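Review bot: `/etc h` to `/etc r` for the portage `/bin/bash` subject makes all of /etc readable, and unlike the root `/bin/bash` subject in the next hunk this one has no `/etc/grsec h`, `/etc/shadow h`, `/etc/gshadow h` or `/etc/ssh h` entries, so the portage shell can now read the shadow files and the RBAC policy itself. Either add those hides or keep `/etc h` and list just the files the shell needs (which ones is something the learning log, not this diff, would show).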
@@ -706,64 +706,64 @@
/var/spool
/var/spool/postfix r
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_FOWNER
+CAP_KILL
bind disabled
connect disabled
# Role: root
subject /bin/bash o
/
/Cmn wc
/Cmn/gX* rwxcdl
/Cmn/Kaff rwxcd
/bin x
/boot h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null rw
/dev/port h
/dev/tty rw
/etc r
/etc/X11 r
/etc/X11/chooser.sh x
- /etc/bash h
- /etc/bash/bash_logout r
- /etc/bash/bashrc r
- /etc/bash/bashrc.d
+ /etc/bash r
+# /etc/bash/bash_logout r
+# /etc/bash/bashrc r
+# /etc/bash/bashrc.d
/etc/cron.hourly
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/init.d rwx
/etc/java-config-2 h
/etc/java-config-2/current-system-vm rx
/etc/mactab w
/etc/postfix wc
/etc/profile.d
/etc/profile.d/java-config-2.sh r
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/etc/terminfo
/etc/terminfo/l/linux r
/etc/terminfo/r/rxvt-unicode r
/export rwxcd
/home
/home/miro rw
/lib64 rx
/lib64/modules h
/mnt
/opt
/opt/cin x
/opt/icedtea-bin-* rx
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
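Review bot: replacing `/etc/bash h` plus three explicit children with `/etc/bash r` is slightly wider than before: `/etc/bash/bashrc.d` previously had no access mode (visible but not readable) and is now readable, as is anything added to /etc/bash later; acceptable for a root shell. The entries to watch in the same subject are `/etc/init.d rwx`, `/etc/mactab w` and `/etc/postfix wc`, since a root-role shell that can write init scripts is a persistence path if anything other than the admin ever reaches that shell. The subject at the top of the hunk (the one reading /var/spool/postfix) gaining CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER and CAP_KILL is consistent with a mail delivery process, but that is inferred from the visible path only.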
In the next post, after I have done a number of tcpdump network traces, I will give what grsecurity learned from those, along with the diff with the new tcpdump-learned policy.
I'll post it regardless of whether this issue is now solved or still remains open.
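As an added example, not code from the original post and not the author's diffing_script.sh, here is a small Python checker for the policy syntax seen in the diffs above. The parser is an assumption modelled on that syntax (role/subject/object lines, `-CAP_ALL`/`+CAP_*` lines, bind/connect rules); it is not gradm. It reports the four things the diffs above keep raising: roles left in learning mode (`l` flag), objects that are both writable and executable, capabilities re-granted after `-CAP_ALL`, and secret files exposed through a readable `/etc` that does not hide them, resolving paths by longest prefix the way RBAC does. The sample policy inside is constructed in the style of the diffs.

```python
"""Lint a grsecurity RBAC policy for what a reviewer checks in diffs like the
ones above. The parser is an assumption modelled on the policy syntax shown in
those diffs (it is not gradm) and it ignores glob objects when resolving a path."""
import shlex
from dataclasses import dataclass, field


@dataclass
class Subject:
    role: str
    path: str
    objects: dict = field(default_factory=dict)  # object path -> mode letters
    caps: list = field(default_factory=list)     # e.g. ["-CAP_ALL", "+CAP_NET_RAW"]


SKIP = ("user_transition_allow", "group_transition_allow", "role_allow_ip",
        "sock_allow_family", "bind", "connect")
SENSITIVE = ("/etc/shadow", "/etc/gshadow", "/etc/grsec")


def parse_policy(text):
    """Return ({role: {flag strings}}, [Subject, ...]) for a policy text."""
    roles, subjects, role, cur = {}, [], None, None
    for raw in text.splitlines():
        parts = shlex.split(raw.split("#", 1)[0])  # drop comments, keep quoted paths
        if not parts:
            continue
        key, rest = parts[0], parts[1:]
        if key == "role":                          # "role NAME FLAGS"
            role = rest[0]
            roles.setdefault(role, set()).add(rest[1] if len(rest) > 1 else "")
            cur = None
        elif key == "subject":                     # "subject PATH FLAGS"
            cur = Subject(role, rest[0])
            subjects.append(cur)
        elif key in SKIP or cur is None:
            continue
        elif key[0] in "+-" and key[1:].startswith("CAP_"):
            cur.caps.append(key)
        else:                                      # object line: "PATH [MODE]"
            cur.objects[key] = rest[0] if rest else ""
    return roles, subjects


def effective_mode(subject, path):
    """Longest-prefix match, the way RBAC picks the object that governs a path.
    Glob objects are skipped; "" means no object matches at all (no access)."""
    best, best_len = "", -1
    for obj, mode in subject.objects.items():
        if "*" in obj or "?" in obj:
            continue
        if obj == path or obj == "/" or path.startswith(obj.rstrip("/") + "/"):
            if len(obj) > best_len:
                best, best_len = mode, len(obj)
    return best


def lint(text):
    """Run the four checks and return the findings as plain tuples."""
    roles, subjects = parse_policy(text)
    wx, grants, exposed = [], {}, []
    for s in subjects:
        for obj, mode in s.objects.items():        # writable + executable objects
            if "x" in mode and ("w" in mode or "c" in mode):
                wx.append((s.role, s.path, obj, mode))
        granted = [c[1:] for c in s.caps if c.startswith("+")]
        if granted:                                # capabilities kept after -CAP_ALL
            grants[(s.role, s.path)] = granted
        for secret in SENSITIVE:                   # readable but not hidden secrets
            mode = effective_mode(s, secret)
            if "r" in mode and "h" not in mode:
                exposed.append((s.role, s.path, secret))
    learning = sorted(r for r, fl in roles.items() if any("l" in f for f in fl))
    return {"learning_roles": learning, "writable_and_executable": wx,
            "capability_grants": grants, "exposed_secrets": exposed}


# Constructed sample in the style of the diffs above (not the author's policy).
SAMPLE_POLICY = """\
role tcpdump ul
user_transition_allow root nobody tcpdump miro

role root uG
subject /usr/sbin/tcpdump o
\t/ h
\t/Cmn rwc
\t/etc h
\t/usr/sbin/tcpdump rx
\t-CAP_ALL
\t+CAP_NET_RAW
\t+CAP_SETUID
\tbind disabled

subject /usr/bin/sudo o
\t/ h
\t/bin/bash xwcd
\t/etc r
\t/etc/shadow- h
\t/etc/grsec h
\t-CAP_ALL
"""
```

Run it over a real policy with `lint(open("/etc/grsec/policy").read())` (as root, since the file is mode 0600). The findings are review prompts rather than errors: sudo, for instance, legitimately reads `/etc/shadow` for authentication, and a role in learning mode is correct while learning is in progress; what the checker gives you is the list of places to look at in each new policy version, which is exactly what reading the diffs above by hand is about.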