grsecurity forums

Skip to content

chroot+grsec newbie question

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

chroot+grsec newbie question

Postby Barton » Thu Oct 11, 2007 6:16 am

I installed Debian etch, patched(grsec),compiled,installed 2.6.22.9 kernel with the following settings :
orion:/usr/src/linux# cat .config | grep CONFIG_GRKERNSEC_
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=112
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
# CONFIG_GRKERNSEC_CHROOT_CHDIR is not set
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
# CONFIG_GRKERNSEC_SHM is not set
# CONFIG_GRKERNSEC_DMESG is not set
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
orion:/usr/src/linux# uname -a
Linux orion 2.6.22.9-grsec #3 SMP Mon Oct 8 14:19:33 CEST 2007 i686 GNU/Linux

Compiled, installed apache 2.2.6+php 5.2.4+openssl 0.9.8e+oracle instant client 10.2.0.3 in a chrooted environment. It is working! Tried to teach witch gradm(latest) -F -L teaching.log. Did not help!

Now I have :

orion:/var/log# cat /etc/grsec/acl
role admin sA
subject / rvka
/ rwcdmlxi

role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}

role root uG
role_transitions admin
role_allow_ip 0.0.0.0/32
role_allow_ip 10.131.115.2/32
subject / {
/ h
/dev h
/dev/initctl
/etc h
/etc/cron.d
/etc/crontab
/sbin h
/sbin/gradm x
/var h
/var/spool/cron/crontabs
-CAP_ALL
bind disabled
connect disabled
}

subject /sbin/dhclient3 o {
/ h
-CAP_ALL
bind disabled
connect 10.131.112.4/32:67 dgram udp
}

subject /usr/sbin/ntpd o {
/ h
-CAP_ALL
bind disabled
connect 10.131.0.4/32:123 dgram udp
}

role daemon u
role_allow_ip 10.131.115.2/32
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}

subject /jail/httpd/usr/local/apache2/bin/httpd o {
/ h
/jail/httpd rxw
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
bind 127.0.0.1/32:0 dgram udp
connect 10.131.112.4/32:53 dgram udp
connect 10.131.1.15/32:1521 stream tcp
}



When I turn on grsecurity with gradm it just produce the following errors :

Oct 11 12:14:36 orion kernel: [ 4827.130479] grsec: (default:D:/) denied open of /jail/httpd/usr/local/apache2/logs/php_error.log for appending by /jail/httpd/usr/local/apache2/bin/httpd[httpd:5201] uid/euid:1/1 gid/egid:0/0, parent /jail/httpd/usr/local/apache2/bin/httpd[httpd:5196] uid/euid:0/0 gid/egid:0/0
Oct 11 12:14:36 orion kernel: [ 4827.140998] grsec: (default:D:/) denied executable mmap of /jail/httpd/lib/tls/i686/cmov/libnss_dns.so.2 by /jail/httpd/usr/local/apache2/bin/httpd[httpd:5201] uid/euid:1/1 gid/egid:0/0, parent /jail/httpd/usr/local/apache2/bin/httpd[httpd:5196] uid/euid:0/0 gid/egid:0/0
Oct 11 12:14:36 orion kernel: [ 4827.150670] grsec: (default:D:/) denied open of /jail/httpd/usr/local/apache2/logs/php_error.log for appending by /jail/httpd/usr/local/apache2/bin/httpd[httpd:5201] uid/euid:1/1 gid/egid:0/0, parent /jail/httpd/usr/local/apache2/bin/httpd[httpd:5196] uid/euid:0/0 gid/egid:0/0
Oct 11 12:14:36 orion kernel: [ 4827.150761] grsec: (default:D:/) denied open of /jail/httpd/usr/local/apache2/logs/php_error.log for appending by /jail/httpd/usr/local/apache2/bin/httpd[httpd:5201] uid/euid:1/1 gid/egid:0/0, parent /jail/httpd/usr/local/apache2/bin/httpd[httpd:5196] uid/euid:0/0 gid/egid:0/0

I think the problem is in connection with that FS rights ...

orion:/jail/httpd/usr/local/apache2/logs# ls -la
total 84
drwxrwxrwt 2 root root 120 2007-10-11 12:14 .
drwxrwxrwt 13 root root 153 2007-10-10 08:54 ..
-rw-r--r-- 1 root root 3660 2007-10-11 12:17 access_log
-rw-r--r-- 1 root root 310 2007-10-11 12:14 apache_error_log
-rw-r--r-- 1 root root 13197 2007-10-11 12:14 error_log
-rw-r--r-- 1 root root 5 2007-10-11 12:14 httpd.pid
-rw-r--r-- 1 daemon daemon 1764 2007-10-11 12:16 php_error.log
-rw-r--r-- 1 root root 3936 2007-10-11 12:17 ssl_request_log

orion:/jail/httpd/usr/local/apache2/logs# ps -ef | grep http
root 4226 1 0 10:55 ? 00:00:00 /sbin/syslogd -a /jail/httpd/dev/log
root 5196 1 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5197 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5198 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5199 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5200 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5201 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5202 5196 0 12:14 ? 00:00:00 /usr/local/apache2/bin/httpd
daemon 5240 5196 0 12:17 ? 00:00:00 /usr/local/apache2/bin/httpd


Would someone be so kind as to help me!
Barton
 
Posts: 2
Joined: Thu Oct 11, 2007 5:53 am
Top

Postby spender » Thu Oct 11, 2007 8:23 pm

When you enabled learning, did you enable it at the same point at which you enabled the new policy based on learning? Meaning, at each time (whether learning was being enabled, or the real policy) was apache in the same state?

I notice that the denied logs are against uid 1, but your policy only has a role for root, which is why it's getting stuck with the default role. If you can mail me your (compressed) learning log, I can find out if it's a problem with grsecurity, or if it was the above problem with learning.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top

Postby Barton » Fri Oct 12, 2007 3:01 am

Thank you for your answer!
I was a little bit confused by the quickstart guide!

Now I put all my "new" settings into /etc/grsec/policy file and seems to be OK!

Like this :

role daemon u
subject / o {
/ h

-CAP_ALL

bind disabled
connect disabled
}

subject /jail/httpd/usr/local/apache2/bin/httpd dpo {
/ h

/jail/httpd/
/jail/httpd/dev/log rw
/jail/httpd/dev/urandom r
/jail/httpd/etc r
/jail/httpd/tmp rwcd
/jail/httpd/lib rx
/jail/httpd/usr/lib rx
/jail/httpd/usr/local
/jail/httpd/usr/local/apache2 r
/jail/httpd/usr/local/apache2/cgi-bin rx
/jail/httpd/usr/local/lib r
/jail/httpd/usr/local/apache2/logs rwcd
/jail/httpd/usr/local/apache2/sessions rwcd
-CAP_ALL
}

I have to modify the deafult settings in order to be as paranoid as it can be!

Anyway thnx again! :wink:
Barton
 
Posts: 2
Joined: Thu Oct 11, 2007 5:53 am
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group