/sbin/shutdown denied unlink.. - help with ACL needed

Postby `VL » Fri Mar 09, 2007 2:10 pm

I'm getting this message in the logs:

Mar 9 13:46:53 bastion grsec: (root:U:/sbin/shutdown) denied unlink of /var/run/shutdown.pid by /sbin/shutdown[shutdown:27564] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4883] uid/euid:0/0 gid/egid:0/0


The ACL for shutdown is:

subject /bin/bash:/sbin/shutdown {
/

/dev/log rw
/dev/initctl rw
/dev/tts rw

/sbin/init x
/var/run
/var/run/shutdown.pid rwcdl
/var/run/utmp rwcdl

/proc r
-CAP_ALL
+CAP_SETUID
+CAP_SETGID
bind disabled
connect disabled
}

As I understand it, /var/run/shutdown.pid should be OK to delete. Am I right?

Postby spender » Tue Mar 13, 2007 11:02 pm

Is there any difference in the message if the /sbin/shutdown subject isn't nested? (Perhaps there's some indirection between execution of bash and shutdown which isn't represented in the log)

-Brad

Postby `VL » Sun Apr 01, 2007 4:20 pm

Yes, there is a difference:

Here is the 1st policy for shutdown:

 cat shutdown_nested
subject /etc/init.d/shutdown.sh:/sbin/halt {
        /       rwx
        +CAP_ALL
}

subject /bin/bash:/sbin/shutdown {
        /

        /dev/vc         w
        /dev/log        rw
        /dev/initctl    rw
        /dev/tts        rw

        /bin/bash       x

        /sbin/init      x
        /var/run
        /var/run/shutdown.pid   rwcdl
        /var/run/utmp           rwcdl

        /proc           r
        -CAP_ALL
        +CAP_SETUID
        +CAP_SETGID
        +CAP_SYS_TTY_CONFIG
        bind disabled
        connect disabled
}


# actually this is telinit, run from shutdown to control the real init
subject /bin/bash:/sbin/shutdown:/sbin/init o {
        /       rwcdlxi
        -CAP_ALL
        +CAP_SYS_TTY_CONFIG
}


This gives me:
Apr  2 00:14:39 bastion grsec: (root:U:/sbin/shutdown) denied unlink of /var/run/shutdown.pid by /sbin/shutdown[shutdown:5608] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:27748] uid/euid:0/0 gid/egid:0/0


Here is the 2nd policy, without nested subjects:

cat shutdown_simple
subject /etc/init.d/shutdown.sh:/sbin/halt {
        /       rwx
        +CAP_ALL
}

subject /sbin/shutdown {
        /

        /dev/vc         w
        /dev/log        rw
        /dev/initctl    rw
        /dev/tts        rw

        /bin/bash       x

        /sbin/init      x
        /var/run
        /var/run/shutdown.pid   rwcdl
        /var/run/utmp           rwcdl

        /proc           r
        -CAP_ALL
        +CAP_SETUID
        +CAP_SETGID
        +CAP_SYS_TTY_CONFIG
        bind disabled
        connect disabled
}


# actually this is telinit, run from shutdown to control the real init
subject /sbin/shutdown:/sbin/init o {
        /       rwcdlxi
        -CAP_ALL
        +CAP_SYS_TTY_CONFIG
}


And with that I get:
Apr  2 00:22:26 bastion grsec: (root:U:/sbin/shutdown) denied open of /etc/nsswitch.conf for reading by /sbin/shutdown[shutdown:7454] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:21965] uid/euid:0/0 gid/egid:0/0
Apr  2 00:22:26 bastion grsec: (root:U:/sbin/shutdown) denied open of /etc/nsswitch.conf for reading by /sbin/shutdown[shutdown:7454] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:21965] uid/euid:0/0 gid/egid:0/0
Apr  2 00:22:26 bastion grsec: (root:U:/sbin/shutdown) denied open of /etc/passwd for reading by /sbin/shutdown[shutdown:7454] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:21965] uid/euid:0/0 gid/egid:0/0
Apr  2 00:22:26 bastion grsec: (root:U:/sbin/shutdown) denied open of /etc/passwd for reading by /sbin/shutdown[shutdown:7454] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:21965] uid/euid:0/0 gid/egid:0/0


(No messages about shutdown.pid, and they are not suppressed; I compiled a kernel that allows a lot of grsec messages to be logged.)

P.S. I added permissions for the files specified in the logs and no more messages were shown in this case, i.e. the policy without nesting works OK.
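As an added example (not part of this thread, and not gradm's own code), here is a small Python checker that parses grsec RBAC denial lines like the ones quoted above and tests whether the policy text, as written, grants the denied access. The sample denials and the policy excerpt are constructed from this thread, and the action-to-mode table is an assumption that covers only the actions seen here. When the checker reports that the object line does grant the access, as it does for the shutdown.pid unlink under the nested subject, the denial is not explained by the object line, which is where this thread narrows the problem down to subject matching.

```python
import re
# Constructed sample denials and policy excerpt, modelled on this thread.
SAMPLE_LOG = """\
Mar 9 13:46:53 bastion grsec: (root:U:/sbin/shutdown) denied unlink of /var/run/shutdown.pid by /sbin/shutdown[shutdown:27564] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4883] uid/euid:0/0 gid/egid:0/0
Apr  2 00:22:26 bastion grsec: (root:U:/sbin/shutdown) denied open of /etc/nsswitch.conf for reading by /sbin/shutdown[shutdown:7454] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:21965] uid/euid:0/0 gid/egid:0/0
"""
SAMPLE_POLICY = """\
subject /bin/bash:/sbin/shutdown {
        /
        /var/run/shutdown.pid   rwcdl
}
"""
DENIAL_RE = re.compile(
    r"grsec: \([^:]+:[A-Z]:(?P<subject>[^)]+)\) denied (?P<action>\w+) of (?P<path>\S+)"
    r"(?: for (?P<mode>\w+))? by (?P<proc>[^\s\[]+)\[[^\]:]+:(?P<pid>\d+)\].*?, parent "
    r"(?P<parent>[^\s\[]+)\[[^\]:]+:(?P<ppid>\d+)\]")
# Object-mode letter each action needs (assumption; covers only the actions seen here).
NEEDED_MODE = {("unlink", None): "d", ("open", "reading"): "r", ("open", "writing"): "w"}

def parse_denials(log):
    """One dict per grsec RBAC denial line; lines that do not match are skipped."""
    return [m.groupdict() for ln in log.splitlines() if (m := DENIAL_RE.search(ln))]

def parse_policy(text):
    """Map subject name -> {object path: mode letters} from gradm-style policy text."""
    subjects, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("subject "):
            cur = line.split()[1]
            subjects[cur] = {}
        elif line == "}":
            cur = None
        elif cur and line.startswith("/"):
            parts = line.split()
            subjects[cur][parts[0]] = parts[1] if len(parts) > 1 else ""
    return subjects

def policy_grants(objects, path, action, mode):
    """True if the longest-prefix object line grants the letter the action needs."""
    needed = NEEDED_MODE.get((action, mode))
    hits = [o for o in objects if path == o or path.startswith(o.rstrip("/") + "/")]
    return bool(needed and hits and needed in objects[max(hits, key=len)])

def audit(log, policy):
    """(subject, action, path, granted) per denial; nested subjects ending in the logged binary also count."""
    subjects, out = parse_policy(policy), []
    for d in parse_denials(log):
        cands = [s for s in subjects if s == d["subject"] or s.endswith(":" + d["subject"])]
        ok = any(policy_grants(subjects[s], d["path"], d["action"], d["mode"]) for s in cands)
        out.append((d["subject"], d["action"], d["path"], ok))
    return out
```

Run `audit(SAMPLE_LOG, SAMPLE_POLICY)` to get one tuple per denial; a `True` in the last field means the object lines already allow the access and the subject selection is the thing to look at.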
