simple acl

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.


Postby lexa » Wed Mar 09, 2005 1:53 am

I use the default policy from gradm2
and this ACL:

role default
subject / {
/ h
/dev
/dev/log rw
/usr/bin/logger x
/lib x
/usr/bin x
/bin x
/sbin x
-CAP_ALL
connect disabled
bind disabled
}

role root ugG
role_allow_ip 0.0.0.0/32
subject / {
/ h
/dev h
/dev/log rw
/dev/initctl
/proc rh
/var rw
/bin x
/root
/sbin x
/usr x
/usr/bin/logger x
/usr/lib x
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/bin/logger {
/dev h
/dev/log rw
}

subject /bin/bash {
/dev h
/dev/log rw
}

Run logger:
$ logger test

Mar 9 20:50:42 mus kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /usr/bin/logger[logger:23881] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23704] uid/euid:0/0 gid/egid:0/0


Please correct me.
lexa
 
Posts: 5
Joined: Fri Mar 04, 2005 12:08 am

Re: simple acl

Postby onyx » Thu Mar 10, 2005 6:38 am

lexa wrote: I use the default policy from gradm2
and this ACL:

[...]

role root ugG
role_allow_ip 0.0.0.0/32
subject / {
/ h
/dev h
/dev/log rw
/dev/initctl
/proc rh
/var rw
/bin x
/root
/sbin x
/usr x
/usr/bin/logger x
/usr/lib x
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/bin/logger {
/dev h
/dev/log rw
}

Run logger:
$ logger test

Mar 9 20:50:42 mus kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /usr/bin/logger[logger:23881] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23704] uid/euid:0/0 gid/egid:0/0


Please correct me.

Are you running logger as root? Because the subject for logger is under role root, so if you run it as another user, the default role will apply to you.
onyx
 
Posts: 36
Joined: Tue Jan 20, 2004 7:46 pm

Postby lexa » Thu Mar 10, 2005 7:10 am

> Are you running logger as root? Because the subject for logger is under role root, so if you run it as another user, the default role will apply to you.
Yes, of course.

The default role also had /dev/log rw
lexa
 
Posts: 5
Joined: Fri Mar 04, 2005 12:08 am

Postby onyx » Thu Mar 10, 2005 7:15 pm

lexa wrote:
> Are you running logger as root? Because the subject for logger is under role root, so if you run it as another user, the default role will apply to you.
Yes, of course.

The default role also had /dev/log rw


Under role root:
role_allow_ip 0.0.0.0/32

You should try adding your own IP there.
onyx
 
Posts: 36
Joined: Tue Jan 20, 2004 7:46 pm

Postby lexa » Fri Mar 11, 2005 2:27 am

That was the problem!

The ACL is stored in /etc/grsec/policy, but I used /etc/grsec/acl :( :(
Sorry

Thanks very much

PS. (My English is poor) :(
lexa
 
Posts: 5
Joined: Fri Mar 04, 2005 12:08 am
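
The denial line in the first post names the role and subject that were matched, (default:D:/), even though the process ran with uid 0 and the posted policy defines a /usr/bin/logger subject under role root. The following is an added example, not part of any post in this thread: a small Python parser that extracts those fields from such a line and compares them with the role and subject the policy author expected. Reading the parenthesised prefix as role:role-type:subject is an assumption, and parse_denial and policy_mismatches are hypothetical names.

```python
import re

# Denial line copied from the first post in this thread.
SAMPLE = (
    "Mar 9 20:50:42 mus kernel: grsec: (default:D:/) denied connect() to the "
    "unix domain socket /dev/log by /usr/bin/logger[logger:23881] "
    "uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23704] "
    "uid/euid:0/0 gid/egid:0/0"
)

# Assumption: the parenthesised prefix is role:role-type:subject.
DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:()]+):(?P<role_type>[^:()]+):(?P<subject>[^()]+)\) "
    r"denied (?P<action>.+?) by (?P<exe>/[^\[\s]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
)


def parse_denial(line):
    """Return the fields of one grsec denial line as a dict, or None."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid"):
        fields[key] = int(fields[key])
    return fields


def policy_mismatches(fields, expected_role, expected_subject):
    """List where the matched role/subject differs from what was expected."""
    problems = []
    if fields["role"] != expected_role:
        problems.append(
            f"role {fields['role']!r} matched for uid {fields['uid']}, "
            f"expected {expected_role!r}")
    if fields["subject"] != expected_subject:
        problems.append(
            f"subject {fields['subject']!r} matched for {fields['exe']}, "
            f"expected {expected_subject!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_denial(SAMPLE)
    for problem in policy_mismatches(parsed, "root", "/usr/bin/logger"):
        print(problem)
```

A mismatch on both fields for a uid 0 process suggests checking which policy file was actually loaded before editing individual object rules.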

