problems with cvs-grsec2 and cvs-gradm2

Submit your RBAC policies or suggest policy improvements

problems with cvs-grsec2 and cvs-gradm2

Postby Oscon » Tue Jul 27, 2004 4:08 am

Hello!

I have few problems with "new" cvs-grsec2(2.4 version) and cvs-gradm2.

It seems...Debian woody 3.0r2+ linux-2.4.26 + cvs grsecurity2 (07.09) + cvs gradm2 (07.09) not work!

gradm -E = Segmentation Fault

The earlier cvs-grsec2 (06.25,06.29) and gradm2 (06.25,06.29) was "good".
Oscon
 
Posts: 44
Joined: Fri Jun 11, 2004 6:32 pm

Postby spender » Tue Jul 27, 2004 8:12 am

try the current gradm2. Several changes were made since 07/09.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Oscon » Tue Jul 27, 2004 8:52 am

spender wrote:try the current gradm2. Several changes were made since 07/09.

-Brad


Hello...!

I did it!, but it seems ...not work...

1. move: I download the "new" gradm2:

cvs -z3 -d :pserver:anonymous@grsecurity.net:/home/cvs co gradm2

2. move: boot the 2.4.26-grsec (grsec2.0.1 from "new" cvs at 07.23.2004 20:02, I disabled all other grsec function. (PaX, TPE, other restrictions).

3. move: make install .... (gradm 2)

4. move: set gradm passwords
It seems...OK!
Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
osconsfortress:/media/gre1/gradm2# ./gradm -P
Setting up grsecurity RBAC password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
osconsfortress:/media/gre1/gradm2#


5. move: learnings mode on!...
It seems...OK!
Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -F -L /etc/grsec/learning
grsec: (default:D:/media/gre1/gradm2/gradm) Loaded grsecurity 2.0.1
osconsfortress:/media/gre1/gradm2#


...
6. move.: learnings mode off:
It seems...OK!
Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -D
Password:
grsec: shutdown auth success for /media/gre1/gradm2/gradm[gradm:1485] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:578] uid/euid:0/0 gid/egid:0/0
osconsfortress:/media/gre1/gradm2


7. move: learnings file to /etc/grsec/policy
It seems...OK!

Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -F -L /etc/grsec/learning -O /etc/grsec/policy
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user oscon...done.
Beginning full learning 3rd pass...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/login...done.
Beginning full learning object reduction for subject /sbin/getty...done.
Beginning full learning object reduction for subject /sbin/init...done.
Beginning full learning object reduction for subject /usr/sbin/gpm...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning final pass...done.
osconsfortress:/media/gre1/gradm2#


8. move: verify syntax of /etc/grsec/policy
It seems...OK!

Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -E
Duplicate role on line 236 of /etc/grsec/policy.
The RBAC system will not be allowed to be enabled until this error is fixed.


I fix this duplication...and

9. move: start grsec RBAC...failed...

Code: Select all
osconsfortress:/media/gre1/gradm2# ./gradm -E
Segmentation fault
osconsfortress:/media/gre1/gradm2#
Oscon
 
Posts: 44
Joined: Fri Jun 11, 2004 6:32 pm

Postby spender » Tue Jul 27, 2004 9:12 am

Can you mail your config to spender@grsecurity.net so I can debug it?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Oscon » Tue Jul 27, 2004 11:34 am

spender wrote:Can you mail your config, so I can debug it?

-Brad


I did this.. now...

Thank you!

Oscon
Oscon
 
Posts: 44
Joined: Fri Jun 11, 2004 6:32 pm

Same problem

Postby rocky » Tue Jul 27, 2004 8:24 pm

i'm getting the same problem. using cvs gradm2 and http://grsecurity.net/~spender/grsecuri ... .6.7.patch

this is what kern.log is spitting out.

Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: exec of /sbin/gradm (gradm -E ) by /bin/bash[bash:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: chdir to /etc/grsec by /sbin/gradm[gradm:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: signal 11 sent to /sbin/gradm[gradm:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
Jul 27 18:30:34 schwa kernel: grsec: From 192.168.0.5: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /sbin/gradm[gradm:18028] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23167] uid/euid:0/0 gid/egid:0/0
rocky
 
Posts: 19
Joined: Tue Dec 09, 2003 4:54 am

Postby spender » Wed Jul 28, 2004 1:29 pm

You can't be. That log isn't a log from a 2.0.1 kernel. If it were, it would have the role name, role type, and subject name with each log.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Eien » Wed Jul 28, 2004 4:13 pm

I think the segfault is being issued before the ACLs are enabled.

Based on my reading of the security_alert_good macro in the 2.0.1 patch, the role information is only written if the ACLs have been enabled. (I'm assuming that gr_acl_is_enabled() returns non-zero when the ACLs are enabled and zero when they're not.)

Do you think an strace might help? It might be a bit too much information but it might give us the information we need.
Eien
 
Posts: 5
Joined: Wed Jul 28, 2004 3:50 pm

Postby spender » Wed Jul 28, 2004 5:47 pm

You're right, sorry I didn't recognize that they weren't RBAC-related logs.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby spender » Wed Jul 28, 2004 5:55 pm

The problem has been fixed in current CVS of gradm2.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to RBAC policy development

cron