RES_* issue

Postby Kyoshiro » Sun Jan 16, 2005 9:41 am

I've noticed a problem with RES_* access controls. It seems to mess with other ACLs.

For example, I try to contact an LDAP server in the admin role. In each case ldapsearch works correctly in default mode, and pam_ldap too, so it's not an LDAP config issue. I have this policy for the admin role:

role admin sA
subject / rk {
        / rwcdmxil
        +CAP_ALL
        RES_FILES unlimited unlimited
}


With these rules, in the admin role:
- ldapsearch on a remote LDAP server => unable to contact server. In fact I receive nothing on the LDAP server, and strace tells me that connect is in state -EINPROG (in progress). But ldapsearch is then doing a select on fd -1 => -EINVAL. No grsecurity logs.
- telnet/nc to the remote LDAP server make it through.

When I add the learning mode to subject /, ldapsearch works fine and the learning log says something like:
admin   72      0       0       /usr/bin/ldapsearch     /       u       -1      0       0       xxx.xxx.xxx.xxx
admin   72      0       0       /usr/bin/ldapsearch     /       g       -1      0       0       xxx.xxx.xxx.xxx


If I remove the learning mode and any RES_*, ldapsearch is ok in admin role.
Kyoshiro
 
Posts: 20
Joined: Thu Aug 12, 2004 5:45 pm

Postby Kyoshiro » Mon Jan 17, 2005 3:59 pm

In fact it seems related to the "unlimited" keyword...

Postby spender » Mon Jan 17, 2005 6:25 pm

Is it only with RES_FILES or with any of the resource limits? Can you trigger the problem with any other application that you could give me an strace of?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Kyoshiro » Tue Jan 18, 2005 8:05 am

Sorry, it was RES_NOFILE and not RES_FILES, but I suppose you understood ;).

In fact the problem is related to the "unlimited" keyword, and I'm now sure of it. I put in the default subject of a role the object: RES_NPROC unlimited unlimited. The result was that I couldn't even authenticate to that role. The grsec logs say:
special role test failure for /sbin/gradm[gradm:7499] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:28423] uid/euid:0/0 gid/egid:0/0


When I remove the RES_NPROC line, everything's OK. (And I'm sure I put in the correct password about 10 times :p). This makes me think grsec RBAC replaces unlimited with 0.

If you still need the strace of the ldapsearch process I can give it to you. If I use netcat to connect to the LDAP server, it works fine. I suppose ldapsearch doesn't behave like netcat. What's strange is that sockets should be limited by RES_NOFILE then...

Postby spender » Tue Jan 18, 2005 11:22 am

I'm unable to reproduce your problem. I'm certain grsec doesn't set the resource limits to 0 if you specify unlimited in your config, but you can verify it by setting your RES_NOFILE limit with ulimit -n 30, then enabling your policy that has RES_NOFILE unlimited unlimited, and after gradm -E, running ulimit -n to check your current limit. It should say unlimited.

-Brad
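The check Brad describes above (set a low soft limit, enable the policy, read the limit back) is easy to script so it can be run before and after gradm -E and compared against the exact RES_NOFILE line in the policy. The script below is an added example, not code from the thread or from the grsecurity project: the function names are mine, it reads the effective limits with ulimit -S/-H (assumed to be available, as in bash or dash), and the expected values are taken from a policy line you pass in.

```shell
#!/bin/sh
# Added example: compare the shell's effective RLIMIT_NOFILE (soft, hard)
# with what a policy line "RES_NOFILE <soft> <hard>" should produce.
# Run it once before and once after "gradm -E" in the role under test.

# Normalise one limit value the way both the RBAC policy and ulimit spell it:
# "unlimited" stays as is, a decimal number stays as is, anything else is "invalid".
normalize_limit() {
    case "$1" in
        unlimited)   printf 'unlimited\n' ;;
        ''|*[!0-9]*) printf 'invalid\n' ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# Extract "soft hard" from a policy object line such as
# "RES_NOFILE unlimited unlimited". Returns 1 for any other resource.
parse_res_line() {
    set -- $1
    [ "$1" = "RES_NOFILE" ] || return 1
    printf '%s %s\n' "$(normalize_limit "$2")" "$(normalize_limit "$3")"
}

# Effective open-file limits of the current shell: "soft hard".
current_nofile() {
    printf '%s %s\n' "$(ulimit -S -n)" "$(ulimit -H -n)"
}

# Returns 0 when the effective limits equal what the policy line requests,
# 1 on a mismatch (a "0 0" result is exactly the collapse-to-zero theory
# discussed in the thread), 2 when the line is not a RES_NOFILE object.
check_nofile() {
    expected=$(parse_res_line "$1") || return 2
    actual=$(current_nofile)
    if [ "$expected" = "$actual" ]; then
        echo "OK: RLIMIT_NOFILE is '$actual', as the policy requests"
        return 0
    fi
    echo "MISMATCH: policy expects '$expected', shell has '$actual'"
    return 1
}

# Usage: check_nofile "RES_NOFILE unlimited unlimited"
```

Following the procedure in the post: run `ulimit -n 30` in the role's shell, enable the policy with gradm -E, then call `check_nofile` with the policy's own RES_NOFILE line. A MISMATCH that shows the soft value still at 30 means the policy was not applied to that process; "0 0" would confirm the suspicion that unlimited is being turned into 0.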

Postby Kyoshiro » Tue Jan 18, 2005 1:48 pm

Okay, I'll try that. Anyway, we'll install the beta version soon, and maybe the problem will no longer exist ;). I hope 8)