I have a web application with apache2, perl scripts and own database in a protected path, which is the root for a chrooted mini-linux-system (containing all required libraries, binaries, startscripts etc.).
There are four processes relevant to the web app that get started from within the chroot: apache2, mysqld, cron an syslog.
Access to the chroot (/var/approot) is granted only if a special admin RBAC role is assumed by the user logged in, else it is hidden. So the start procedure is login -> sudo su - -> gradm -a admin -> chroot /var/approot bash -> /etc/init.d/servicename start
In the "master" system, I have enabled learning for all required roles by adding "l" to their role modes:
role admin sATl
role mysql uGTl
role httpd uGTl
role default GTl
and started RBAC with gradm -L /root/learn.log -E
The user accounts are synchronized between the "master" and the chrooted system, i.e. both have the same users, groups etc in /etc/passwd.
Now most of the startup does succeed, but the web application server (/var/approot)/usr/sbin/apache2 (running as user httpd) is denied execution of its own binaries contained in the chroot (/var/approot)/app/bin with the denied untrusted exec message by grsec.
The enabled chroot protections are:
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_shmat = 1
I was of the opinion that with learning enabled on a role the ruleset pertaining to that role is not enforced, but obviously I'm missing something. Could somebody share a hint, pointer with a clueless soul
thx /markus
