/dev/stdout|/dev/stdout in /dev/pts?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

/dev/stdout|/dev/stdout in /dev/pts?

Postby voron » Tue Apr 08, 2008 7:28 pm

Hello
I need to run
mplex -f 8 -o /dev/stdout
In the logs I see:
Apr  9 02:00:56 voron [167380.903664] grsec: From 92.49.242.4: (voron:U:/) denied open of /dev/stdout for writing by /usr/bin/mplex[mplex:24847] uid/euid:1000/1000 gid/egid:100/100, parent /home/voron/camcorder/remux2[remux2:24834] uid/euid:1000/1000 gid/egid:100/100

I'm trying to allow rw on /dev/stdin and /dev/stdout in subject /, but I get an error:
gradm -E -L /var/gradm.log
Error on line 105 of /etc/grsec/policy.  Grsecurity does not support fine-grained policy on devpts mounts.
Please change your more fine-grained object to a /dev/pts object.  This will in addition produce a better policy that will not break as unnecessarily.
The RBAC system will not load until this error is fixed.
Here is that line:
head -105 /etc/grsec/policy|tail -1
        /dev/stdin                      rw
Here is my subject /:
role voron u
subject /  {
        /                               s
        /lib                            rx
        /lib/grub                       h
        /lib/iptables                   h
        /lib/modules                    h
        /lib/nut                        h
        /lib/rcscripts                  h
        /lib/security                   h
        /lib/udev                       h
        /var                            hs
        /root                           hs
        /sbin                           hs
        /bin                            rxs
        /dev
        /dev/null                       rw
        /dev/zero                       r
        /dev/snd                        rw
        /dev/urandom                    r
        /dev/pts                        rw
        /dev/stdin                      rw
        /dev/stdout                     rw
        /dev/tty                        rw
        /dev/grsec                      hs
        /dev/mem                        hs
        /dev/kmem                       hs
        /dev/port                       hs
        /dev/log                        hs
        /etc                            r
        /etc/grsec                      hs
        /etc/ssh                        hs
        /etc/shadow                     hs
        /etc/shadow-                    hs
        /etc/gshadow                    hs
        /etc/gshadow-                   hs
        /etc/ppp/chap-secrets           hs
        /etc/ppp/pap-secrets            hs
        /etc/samba/smbpasswd            hs

        /media
        /media/fotik                    rwcd
        /proc                           r
        /proc/kcore                     hs
        /proc/bus                       hs
        /proc/sys                       hs
        /tmp                            rwcdl
        /var/tmp                        rwcdl
        /usr
        /usr/kde                        rx
        /usr/libexec                    rxs
        /usr/qt/3                       rxs
        /usr/bin                        rxs
        /usr/lib                        rxs
        /usr/local
        /usr/opt                        rx
        /usr/share                      rxs
        /var/cache/fontconfig           r
        /usr/src                        hs
        /usr/d1                         hs
        /usr/d2                         hs
        /sys                            hs
        /boot                           hs
        /home                           s
#voron specific
        /home/voron                     rwcdlx
        /home/*                         hs
        /usr/data                       rwcdl
#       /usr/1data                      rwcdl
        -CAP_ALL
        bind    disabled
#DNS
        connect 0.0.0.0/0:53 dgram udp
#cups
        connect 127.0.0.1/32:631 stream tcp
}
I tried using /dev/std* rw instead of /dev/stdin rw and /dev/stdout rw; then I can enable RBAC, but I get another error:
Apr  9 02:34:43 voron [169405.502889] grsec: From 92.49.242.4: (voron:U:/) denied open of /proc/25985/fd/1 for writing by /usr/bin/mplex[mplex:25985] uid/euid:1000/1000 gid/egid:100/100, parent /home/voron/camcorder/remux2[remux2:25972] uid/euid:1000/1000 gid/egid:100/100
voron
 
Posts: 22
Joined: Mon May 29, 2006 8:54 am

Re: /dev/stdout|/dev/stdout in /dev/pts?

Postby cormander » Wed Apr 09, 2008 12:12 pm

Try adding this to your policy:

        /proc/self/fd   rw


Also, see if the -o switch for that command supports "-" as an alias for stdout:

mplex -f 8 -o -


Not all do, but this could be an easy workaround.

Where does output usually go? stderr? If so, you could always do a shell redirection:

mplex -f 8 2>&1
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: /dev/stdout|/dev/stdout in /dev/pts?

Postby voron » Wed Apr 09, 2008 3:50 pm

cormander wrote: Try adding this to your policy:

        /proc/self/fd   rw
No, still the same error (denied open of /proc/25985/fd/1 for writing).
cormander wrote: Also, see if the -o switch for that command supports "-" as an alias for stdout:

mplex -f 8 -o -

Not all do, but this could be an easy workaround.
No, I got a file with the name "-"; that's not what I want.
voron
 
Posts: 22
Joined: Mon May 29, 2006 8:54 am

Re: /dev/stdout|/dev/stdout in /dev/pts?

Postby spender » Wed Apr 09, 2008 7:23 pm

You'll have to use /proc/*/fd rw since /proc/<pid> inodes are generated at runtime within a pseudofilesystem. As for the initial problem, I imagine /dev/stdout and /dev/stdin are symlinks to an entry in /dev/pts. Does having the following work?

/dev
/dev/pts rw

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
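To see why the denial moves from /dev/stdout to /proc/25985/fd/1 and why a /proc/*/fd rw object is what fixes it, the following added example (not code from this thread or from gradm) models grsecurity's most-specific-object lookup against the denial lines quoted above. The component-wise wildcard matching and the trimmed policy subset are modelling assumptions.

```python
import re
from fnmatch import fnmatchcase

# Denial lines taken from this thread (trimmed to the fields the check needs).
LOG_LINES = [
    "grsec: (voron:U:/) denied open of /dev/stdout for writing by /usr/bin/mplex[mplex:24847]",
    "grsec: (voron:U:/) denied open of /proc/25985/fd/1 for writing by /usr/bin/mplex[mplex:25985]",
]
DENIAL_RE = re.compile(r"denied open of (?P<path>\S+) for (?P<access>reading|writing)")

# Subset of the objects from voron's subject /, before and after spender's fix.
POLICY_BEFORE = "/ s\n/dev\n/dev/null rw\n/dev/pts rw\n/proc r\n/proc/kcore hs\n"
POLICY_AFTER = POLICY_BEFORE + "/dev/std* rw\n/proc/*/fd rw\n"

def parse_objects(policy_text):
    """Return {pattern: mode} for object lines; a bare path ('/dev') means no access."""
    objects = {}
    for line in policy_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].startswith("/"):   # skip role/subject/capability lines
            objects[parts[0]] = parts[1] if len(parts) > 1 else ""
    return objects

def pattern_matches(pattern, path):
    """Component-wise glob: '*' does not cross '/' (modelling assumption, not gradm's code)."""
    pp, cp = pattern.strip("/").split("/"), path.strip("/").split("/")
    return len(pp) == len(cp) and all(fnmatchcase(c, p) for p, c in zip(pp, cp))

def match_object(objects, path):
    """Most specific object governing `path`: the deepest ancestor (or the path itself)
    matched by some object; exact names beat wildcards at the same depth."""
    ranked = sorted(objects.items(), key=lambda kv: any(c in kv[0] for c in "*?["))
    comps = path.strip("/").split("/")
    for depth in range(len(comps), -1, -1):
        ancestor = "/" + "/".join(comps[:depth])
        for pattern, mode in ranked:
            if pattern_matches(pattern, ancestor):
                return pattern, mode
    return None, ""

def explain_denial(objects, log_line):
    """Map a grsec denial line to the object that produced it and whether it would pass now."""
    m = DENIAL_RE.search(log_line)
    path, access = m.group("path"), m.group("access")
    pattern, mode = match_object(objects, path)
    return {"path": path, "object": pattern, "mode": mode,
            "allowed": ("w" if access == "writing" else "r") in mode}

if __name__ == "__main__":
    for name, text in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        for line in LOG_LINES:
            print(name, explain_denial(parse_objects(text), line))
```

Run against the "before" policy, both denials resolve to the generic /dev and /proc objects; with the wildcard objects added, /proc/25985/fd/1 is governed by /proc/*/fd rw and the write is permitted.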

Re: /dev/stdout|/dev/stdout in /dev/pts?

Postby voron » Fri Apr 11, 2008 3:16 pm

spender wrote: You'll have to use /proc/*/fd rw since /proc/<pid> inodes are generated at runtime within a pseudofilesystem.
Yes, now I'm able to write to /dev/stdout, thanks. But I'm still using /dev/std* rw.
voron
 
Posts: 22
Joined: Mon May 29, 2006 8:54 am

