unsecure policy

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

unsecure policy

Postby KDE » Sat Jul 21, 2012 5:08 am

I'm trying to make a secure policy. Config: http://pastebin.com/6QWFLWL5

There are the following lines:
dont-reduce-path /home
read-protected-path /home
high-protected-path /home

but the policy is missing /home and many other directories in many subjects, and /home remains accessible:

# Role: root
subject /bin/cut o {
/ h
/bin/cut x
/dev h
/etc/ld.so.cache r
/lib64/ld-2.14.1.so x
/lib64/libc-2.14.1.so rx
/mnt h
/mnt/md3 h
/proc h
-CAP_ALL
bind disabled
connect disabled
}
KDE
Posts: 57
Joined: Sat Feb 09, 2008 5:29 am

Re: unsecure policy

Postby spender » Sun Jul 22, 2012 11:20 am

I don't see anything wrong with that policy for /bin/cut (not /bin/cat btw). It has / h, which would match /home. This is why it doesn't need a separate, duplicate object.

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: unsecure policy

Postby KDE » Sun Jul 22, 2012 12:44 pm

You are right. It works. I tested it again. It didn't work during my previous test for some reason.

I found something else. /dev and /etc are included in read/high-protected-path, but there are no modes.

# Role: root
subject /bin/cat o {
/ h
/bin h
/bin/cat x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/port h
/etc
KDE
Posts: 57
Joined: Sat Feb 09, 2008 5:29 am

Re: unsecure policy

Postby spender » Sun Jul 22, 2012 4:15 pm

That policy is fine also. read-protected-path does exactly what the documentation says: creates subjects for binaries that access a certain path for reading. In the policy you pasted, there's no read access to /dev, just 'find' access. 'find' access only allows the ability to see the file and stat it, but no reading/writing/executing/etc.

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
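Both answers in this thread come down to how the RBAC engine picks the governing object for a path: the most specific matching object wins, so a catch-all "/ h" hides /home without a separate /home object, and an object line with no mode field ("/dev") grants find-only access rather than read access. The following script is an added example, not code from the thread or from grsecurity; it parses a subject block like the ones pasted above (the sample subject is constructed from those posts) and resolves a path to the object that governs it by longest path-prefix match, which is an assumption about the matching rule made for illustration.

```python
import posixpath

# Constructed sample: the /bin/cut subject from the first post, plus the
# mode-less /dev and /etc objects from the second post, so both questions
# raised in the thread can be checked against one block.
SAMPLE_SUBJECT = """
# Role: root
subject /bin/cut o {
/ h
/bin/cut x
/dev
/dev/grsec h
/dev/mem h
/etc
/etc/ld.so.cache r
/lib64/ld-2.14.1.so x
/lib64/libc-2.14.1.so rx
/mnt h
/proc h
-CAP_ALL
bind disabled
connect disabled
}
"""


def parse_objects(block):
    """Return {path: mode} for every object line inside one subject block.

    Lines between the braces that start with '/' are objects. A missing
    mode field is kept as '' (find-only access in RBAC terms), so the
    difference between '/dev' and '/dev h' is preserved.
    """
    objects = {}
    inside = False
    for raw in block.splitlines():
        line = raw.strip()
        if line.startswith("subject ") and line.endswith("{"):
            inside = True
            continue
        if line == "}":
            inside = False
            continue
        if not inside or not line.startswith("/"):
            continue  # comments, capability and socket lines
        parts = line.split(None, 1)
        path = parts[0]
        mode = parts[1].strip() if len(parts) > 1 else ""
        objects[path] = mode
    return objects


def resolve(objects, path):
    """Longest-matching-prefix lookup (assumed matching rule).

    The object whose path equals the queried path, or is the longest
    ancestor directory of it, governs the access; '/' acts as catch-all.
    Returns (object_path, mode) or (None, None) when nothing matches.
    """
    path = posixpath.normpath(path)
    best = None
    for obj_path in objects:
        if path == obj_path or path.startswith(obj_path.rstrip("/") + "/"):
            if best is None or len(obj_path) > len(best):
                best = obj_path
    if best is None:
        return None, None
    return best, objects[best]


def describe(mode):
    """Human-readable meaning of an object mode for the two cases discussed."""
    if mode is None:
        return "no matching object"
    if "h" in mode:
        return "hidden: not even visible to the subject"
    if mode == "":
        return "find-only: visible and stat-able, no read/write/execute"
    return "mode " + mode


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_SUBJECT)
    for p in ("/home/kde/.ssh/id_rsa", "/dev", "/dev/null", "/dev/mem", "/etc/passwd"):
        obj, mode = resolve(objs, p)
        print(f"{p:24} -> {obj!s:22} {describe(mode)}")
```

Running it shows /home/kde/.ssh/id_rsa governed by "/ h" (hidden, so no duplicate /home object is needed), /dev and /dev/null governed by the mode-less "/dev" object (find-only), and /dev/mem by its own "h" entry.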
