Denied access to hidden file /media

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.


Postby rom2mars » Thu Jun 05, 2014 8:23 am

Hello,

Sometimes I have a problem when I try to mount my USB key (error: denied access to hidden file /media by /bin/mount).

First, when I start RBAC I have this warning:

Code:
[root@iKPA-Secure grsec]# gradm -E
Warning: In role shutdown subject /bin/bash, pathname "/etc/init.d/stopRbac.sh":
A writable and symlinked directory "/etc/init.d" points to "/etc/rc.d/init.d".
Warning: In role shutdown subject /etc/init.d/gradm, pathname "/etc/init.d/gradm":
A writable and symlinked directory "/etc/init.d" points to "/etc/rc.d/init.d".
Warning: object does not exist in role root, subject /etc/init.d/igc for the target of the symlink object /etc/init.d specified on line 1548 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /bin/mount for the target of the symlink object /sys/dev/block/8:17 specified on line 1171 of /etc/grsec/policy.

Occasionally, I have this error when I try to mount the USB key:

Code:
Jun  5 13:35:57 localhost kernel: [86273.473450] grsec: (root:U:/bin/mount) denied access to hidden file /media by /bin/mount[mount:21406] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:21399] uid/euid:0/0 gid/egid:500/500

My policy related to mount:

Code:
# Role: root
subject /bin/mount o {
        /                               h
        /bin                            h
        /bin/mount                      rx
        /dev
        /dev/grsec                      h
        /dev/kmem                       h
        /dev/log                        h
        /dev/mem                        h
        /dev/null                       rw
        /dev/port                       h
        /dev/sdb1                       r
        /etc                            rwcdl
        /etc/grsec                      h
        /etc/gshadow                    h
        /etc/gshadow-                   h
        /etc/passwd                     h
        /etc/ppp                        h
        /etc/samba/smbpasswd            h
        /etc/shadow                     h
        /etc/shadow-                    h
        /etc/ssh                        h
        /lib                            rxi
        /lib/modules                    h
        /media                          crdwrl
        /proc                           h
        /proc/filesystems               r
        /selinux
        /sys                            h
        /sys/dev/block/8:17
        /sys/devices                    r
        /usr                            h
        /usr/lib                        rxi
        /usr/share                      h
        /usr/share/locale               r
        -CAP_ALL
        +CAP_SYS_ADMIN
        bind    disabled
        connect disabled
        sock_allow_family unix inet
}

Also, I have other errors:

Code:
Jun  5 13:38:50 localhost kernel: [86446.735349] grsec: (romain:U:/home/romain/Bin/Compilateur) denied access to hidden file /tmp by /home/romain/Bin/Compilateur[Compilateur:21588] uid/euid:500/500 gid/egid:500/500, parent /bin/bash[bash:13895] uid/euid:500/500 gid/egid:500/500

Jun  5 13:39:59 localhost kernel: [86515.605296] grsec: (romain:U:/home/romain/Bin/Compilateur) denied access to hidden file /home by /home/romain/Bin/Compilateur[Compilateur:21603] uid/euid:500/500 gid/egid:500/500, parent /bin/bash[bash:13895] uid/euid:500/500 gid/egid:500/500

However, I have these policies:

Code:
# Role: romain
subject /home/romain/Bin/Compilateur o {
        /                               h
        /dev                            h
        /dev/urandom                    r
        /etc                            h
        /etc/ld.so.cache                r
        /etc/localtime                  r
        /home
        /home/romain                       rxwcd
        /lib                            rx
        /lib/modules                    h
        /proc
        /proc/bus                       h
        /proc/kallsyms                  h
        /proc/kcore                     h
        /proc/modules                   h
        /proc/sys                       h
        /tmp                            cdrwx
        /usr                            h
        /usr/lib                        rx
        /var                            h
        /var/log/romain                    rw
        /var/tmp                        rw
        -CAP_ALL
        bind    disabled
        connect disabled
        sock_allow_family unix inet
}

Thanks in advance for your help,

Sorry for my English.

Regards,
Romain
Last edited by rom2mars on Fri Jun 06, 2014 3:02 am, edited 1 time in total.

Re: Denied access to hidden file /media

Postby spender » Thu Jun 05, 2014 11:24 am

Runtime mounting is not currently supported under RBAC.

For the other error, the log clearly shows the error being involved with the "igc" role, but you pasted policy from the role "romain".

-Brad

Re: Denied access to hidden file /media

Postby rom2mars » Wed Jun 11, 2014 5:07 am

Thank you for your reply.

I understand; the user will disable RBAC when he needs to use the USB key. Or I will create a script which disables RBAC, mounts the USB key, and enables RBAC.


For the other error, I'm embarrassed; I introduced it when I wrote this message.

For confidentiality reasons I must replace the role name.

For this reason I have corrected my previous post.
Sorry for my English.

Regards,
Romain