mounting /home while RBAC enabled makes files inaccessible

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby ThomasKeller » Sat May 23, 2015 11:51 am

When I mount /home while RBAC is enabled, the files on the mounted /home are being blocked by RBAC, even if the rules allow access.

With the same RBAC policy, when I mount /home before RBAC, then everything works fine.

Steps to reproduce:

1) login to my server (RBAC is already running)
2) gradm -a admin
3) mount /home

4) login from another terminal
5) su - testuser

And I get the following errors in the logs:

grsec: (testuser:U:/bin/bash) denied access to hidden file /home/testuser by /bin/bash[bash:2315] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:2312] uid/euid:1001/1001 gid/egid:1001/1001
grsec: (testuser:U:/bin/bash) denied access to hidden file /home/testuser by /bin/bash[bash:2312] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/su[su:2311] uid/euid:0/0 gid/egid:1001/1001
grsec: (testuser:U:/bin/bash) denied access to hidden file /home/testuser/.profile by /bin/bash[bash:2312] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/su[su:2311] uid/euid:0/0 gid/egid:1001/1001

It seems that funny things happen with RBAC when mounting and remounting. I have already reported before that symlinks stop working when I remount the filesystem read-only:
viewtopic.php?f=3&t=4191

I am using gradm v3.1 with kernel 3.14.40.

I really need to fix this problem.
Can somebody please help me troubleshoot this?
I will be happy to provide more information.
ThomasKeller
 
Posts: 11
Joined: Tue Mar 17, 2015 10:25 am
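
A triage helper for the denial lines quoted in the post above, as an added example that is not part of the original thread or of grsecurity: it parses each "denied access to hidden file" entry and counts the denied paths that fall under a given mount point. The function names and field names are assumptions chosen here; the sample input is the three log lines from the post.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# The three log lines quoted in the post above, embedded so this runs offline.
SAMPLE_LOG = """\
grsec: (testuser:U:/bin/bash) denied access to hidden file /home/testuser by /bin/bash[bash:2315] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:2312] uid/euid:1001/1001 gid/egid:1001/1001
grsec: (testuser:U:/bin/bash) denied access to hidden file /home/testuser by /bin/bash[bash:2312] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/su[su:2311] uid/euid:0/0 gid/egid:1001/1001
grsec: (testuser:U:/bin/bash) denied access to hidden file /home/testuser/.profile by /bin/bash[bash:2312] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/su[su:2311] uid/euid:0/0 gid/egid:1001/1001
"""

# Field names are labels chosen for this example, not gradm terminology.
# Assumes paths without spaces, as in the sample lines.
PROC = (r"(?P<{p}exe>\S+)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
        r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
        r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")
DENIAL = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<role_type>[^:]+):(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<path>\S+) by "
    + PROC.format(p="") + ", parent " + PROC.format(p="parent_"))
INT_FIELDS = ("pid", "uid", "euid", "gid", "egid")

def parse_denials(text):
    """Return one dict per 'denied access to hidden file' line in text."""
    records = []
    for match in DENIAL.finditer(text):
        rec = match.groupdict()
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
            rec["parent_" + name] = int(rec["parent_" + name])
        records.append(rec)
    return records

def under_mount(path, mountpoint):
    """True if path is the mount point or lies below it (component-wise)."""
    p, m = PurePosixPath(path), PurePosixPath(mountpoint)
    return p == m or m in p.parents

def denied_under(text, mountpoint):
    """Count denied paths under mountpoint, e.g. a filesystem mounted late."""
    return Counter(r["path"] for r in parse_denials(text)
                   if under_mount(r["path"], mountpoint))

if __name__ == "__main__":
    for path, n in denied_under(SAMPLE_LOG, "/home").items():
        print(f"{n} denial(s): {path}")
```
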

Re: mounting /home while RBAC enabled makes files inaccesssi

Postby spender » Sat May 23, 2015 9:35 pm

Mounting while RBAC is enabled is not currently supported.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: mounting /home while RBAC enabled makes files inaccesssi

Postby ThomasKeller » Fri May 29, 2015 4:54 am

Thanks, Brad.

Are there plans to make it supported in the near future?

Also, does this explain the other mentioned problem, where remounting / to read-only messes up symlinks?

And finally, is only "mount" unsupported or anything that mounts (i.e. using fuse)?
What about sshfs?
ThomasKeller
 
Posts: 11
Joined: Tue Mar 17, 2015 10:25 am

