grsecurity forums

by **voron** » Tue Apr 08, 2008 7:28 pm

Hello
I need to run
mplex -f 8 -o /dev/stdout
In logs I see

Code: Select all: Apr 9 02:00:56 voron [167380.903664] grsec: From 92.49.242.4: (voron:U:/) denied open of /dev/stdout for writing by /usr/bin/mplex[mplex:24847] uid/euid:1000/1000 gid/egid:100/100, parent /home/voron/camcorder/remux2[remux2:24834] uid/euid:1000/1000 gid/egid:100/100

I'm trying to enable rw to /dev/stdin and /dev/stdout in subject /, but I got an error

Code: Select all: gradm -E -L /var/gradm.log Error on line 105 of /etc/grsec/policy. Grsecurity does not support fine-grained policy on devpts mounts. Please change your more fine-grained object to a /dev/pts object. This will in addition produce a better policy that will not break as unnecessarily. The RBAC system will not load until this error is fixed.

Here is that line

Code: Select all: head -105 /etc/grsec/policy|tail -1 /dev/stdin rw

Here is my subject /

Code: Select all: role voron u subject / { / s /lib rx /lib/grub h /lib/iptables h /lib/modules h /lib/nut h /lib/rcscripts h /lib/security h /lib/udev h /var hs /root hs /sbin hs /bin rxs /dev /dev/null rw /dev/zero r /dev/snd rw /dev/urandom r /dev/pts rw /dev/stdin rw /dev/stdout rw /dev/tty rw /dev/grsec hs /dev/mem hs /dev/kmem hs /dev/port hs /dev/log hs /etc r /etc/grsec hs /etc/ssh hs /etc/shadow hs /etc/shadow- hs /etc/gshadow hs /etc/gshadow- hs /etc/ppp/chap-secrets hs /etc/ppp/pap-secrets hs /etc/samba/smbpasswd hs /media /media/fotik rwcd /proc r /proc/kcore hs /proc/bus hs /proc/sys hs /tmp rwcdl /var/tmp rwcdl /usr /usr/kde rx /usr/libexec rxs /usr/qt/3 rxs /usr/bin rxs /usr/lib rxs /usr/local /usr/opt rx /usr/share rxs /var/cache/fontconfig r /usr/src hs /usr/d1 hs /usr/d2 hs /sys hs /boot hs /home s #voron specefic /home/voron rwcdlx /home/* hs /usr/data rwcdl # /usr/1data rwcdl -CAP_ALL bind disabled #DNS connect 0.0.0.0/0:53 dgram udp #cups connect 127.0.0.1/32:631 stream tcp }

I tried to use /dev/std* rw instead /dev/stdin rw and /dev/stdout rw, then I can enable RBAC, but got another error

Code: Select all: Apr 9 02:34:43 voron [169405.502889] grsec: From 92.49.242.4: (voron:U:/) denied open of /proc/25985/fd/1 for writing by /usr/bin/mplex[mplex:25985] uid/euid:1000/1000 gid/egid:100/100, parent /home/voron/camcorder/remux2[remux2:25972] uid/euid:1000/1000 gid/egid:100/100

by **cormander** » Wed Apr 09, 2008 12:12 pm

Try adding this to your policy:

Code: Select all: /proc/self/fd rw

Also, see if the -o switch for that command support "-" as an alias to stdout;

Code: Select all: mplex -f 8 -o -

Not all do, but this could be an easy workaround.

Where does output usually go? stderr? If so, you could always do a shell redirection:

Code: Select all: mplex -f 8 2>&1

by **voron** » Wed Apr 09, 2008 3:50 pm

cormander wrote:Try adding this to your policy:

Code: Select all
/proc/self/fd rw

no, still same error(denied open of /proc/25985/fd/1 for writing)

cormander wrote:Also, see if the -o switch for that command support "-" as an alias to stdout;

Code: Select all
mplex -f 8 -o -

Not all do, but this could be an easy workaround.

no, got file with name "-", that's not what I want.

by **spender** » Wed Apr 09, 2008 7:23 pm

You'll have to use /proc/*/fd rw since /proc/<pid> inodes are generated at runtime within a pseudofilesystem. As for the initial problem, I imagine /dev/stdout and /dev/stdin are symlinks to an entry in /dev/pts. Does having the following work?

/dev
/dev/pts rw

-Brad

by **voron** » Fri Apr 11, 2008 3:16 pm

spender wrote:You'll have to use /proc/*/fd rw since /proc/<pid> inodes are generated at runtime within a pseudofilesystem.

Yes, now I'm able to write to /dev/stdout, thanks. But I'm still using /dev/std* rw

grsecurity forums

/dev/stdout|/dev/stdout in /dev/pts?

/dev/stdout|/dev/stdout in /dev/pts?

Re: /dev/stdout|/dev/stdout in /dev/pts?

Re: /dev/stdout|/dev/stdout in /dev/pts?

Re: /dev/stdout|/dev/stdout in /dev/pts?

Re: /dev/stdout|/dev/stdout in /dev/pts?