grsecurity forums

Skip to content

Strange denials while switching from 2.6.20 to 2.6.21

Submit your RBAC policies or suggest policy improvements
Topic locked

Strange denials while switching from 2.6.20 to 2.6.21

Postby Dwokfur » Wed Jun 27, 2007 12:00 am

I've upgraded recently from 2.6.20-hardened-r2 to 2.6.21-hardened-r3.
Besides my sn9c102 webcam stopped working giving -ENOSPC in usb_submit_urb (aaarrgh - reported upstream), there were some lovely denials showed up.
In the mean time I've added some rules to fine-tune my laptop using the information provided by powertop.
There were denies writing /sys/module/snd_ac97_codec/parameters/power and /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor. First I thought it was a trivial mistake, but I couldn't get rid of these. While shutting down my computer I saw two more denials while the system tried to flush the routing table (/proc/sys/net/ipv4/route/flush - by /sbin/ip). These two were suprising, because I didn't touched that rule. I've double checked the whole policy for missing brackets.
Things got stranger, when I've noticed that one other machine I've upgraded showed exactly similar denials.
Now I booted 2.6.20 again, and saw, that everything is normal! The symptom is absolutely reproducible. Whenever I boot the former kernel the denials disappear, while after booting the latter they return.

My question would be:
Were there any changes regarding the handling of /proc and /sys directories between grsec-2.1.10-2.6.20.6-200704091818 and grsec-2.1.10-2.6.21.1-200705221918?

If not: are there any hints on my problem? I'm using dazuko, which is enabled only on some user's directory and working fine along with clamav's clamuko.

Regards,
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am
Top

Postby zakalwe » Wed Jun 27, 2007 12:24 pm

There were changes to mainline that made the /proc/sys inodes dynamic. I'm pretty sure spender fixed the rbac breakage in /proc/sys in recent test patches. Perhaps the /sys filesystem is broke in the same way.
zakalwe
 
Posts: 22
Joined: Mon Jul 10, 2006 9:40 am
Top

Postby Dwokfur » Thu Jun 28, 2007 11:21 am

zakalwe wrote:There were changes to mainline that made the /proc/sys inodes dynamic. I'm pretty sure spender fixed the rbac breakage in /proc/sys in recent test patches. Perhaps the /sys filesystem is broke in the same way.


Thanks for your comment.
It would be good to hear Spender's opinion about this.

Regards,
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am
Top

Postby spender » Thu Jun 28, 2007 4:41 pm

There were changes regarding the handling of /proc/sys which have been fixed in more current patches. I've not heard of any other reports of problems with /sys, but I'll look into it.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top

Postby Dwokfur » Sat Jun 30, 2007 11:15 am

spender wrote:There were changes regarding the handling of /proc/sys which have been fixed in more current patches. I've not heard of any other reports of problems with /sys, but I'll look into it.

-Brad


Thx, Brad.

Regards,
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am
Top
Topic locked

Return to RBAC policy development

Powered by phpBB® Forum Software © phpBB Group
cron