| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
Hello again... |
| 5 |
|
| 6 |
I just re-read your original message and am still not entirely sure what |
| 7 |
you're trying to do here. If you _want_ to have directories like /boot |
| 8 |
and /root hidden from the root role/user via RBAC, then you should |
| 9 |
probably hide/suppress ("hs") them in the "subject" section for bash, |
| 10 |
which is what is calling `gradm`. |
| 11 |
|
| 12 |
I'm not entirely sure, but you may need to add these flags to the subject |
| 13 |
for /sbin/gradm as well as /bin/bash (in root's role). |
| 14 |
|
| 15 |
As far as there being an instance already running, are you perhaps trying |
| 16 |
to run gradm in learning mode while the RBAC system is already active? |
| 17 |
|
| 18 |
Hrm... |
| 19 |
|
| 20 |
brant williams |
| 21 |
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002 |
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
On Sun, 23 Nov 2008, brant williams wrote: |
| 26 |
|
| 27 |
> Date: Sun, 23 Nov 2008 16:38:16 -0600 (CST) |
| 28 |
> From: brant williams <brant@×××××.net> |
| 29 |
> Reply-To: gentoo-hardened@l.g.o |
| 30 |
> To: gentoo-hardened@l.g.o |
| 31 |
> Subject: Re: [gentoo-hardened] Grsecurity: Role flag "G" problem |
| 32 |
> |
| 33 |
> --[PinePGP]--------------------------------------------------[begin]-- |
| 34 |
> |
| 35 |
> Why would you specify "hs" for /root in the root policy? The "h" flag |
| 36 |
> will hide that path from the role. You probably want something like: |
| 37 |
> |
| 38 |
> role root uG |
| 39 |
> subject / { |
| 40 |
> / r |
| 41 |
> # |
| 42 |
> # (other filesystem paths and permissions here) |
| 43 |
> # |
| 44 |
> /root r |
| 45 |
> # capabilities, etc, here |
| 46 |
> -CAP_ALL |
| 47 |
> bind disabled |
| 48 |
> connect disabled |
| 49 |
> } |
| 50 |
> |
| 51 |
> Replacing the object flag "h" with "hs" will still hide things. ;) In |
| 52 |
> the same way, changing from "x" to "rx" will still not allow you to write |
| 53 |
> to the file. |
| 54 |
> |
| 55 |
> You might want to take a look at this[1] link... |
| 56 |
> |
| 57 |
> [1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes |
| 58 |
> |
| 59 |
> Hope that helps... |
| 60 |
> |
| 61 |
> |
| 62 |
> brant williams |
| 63 |
> FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002 |
| 64 |
> |
| 65 |
> |
| 66 |
> |
| 67 |
> On Sun, 23 Nov 2008, atoth@××××××××××.hu wrote: |
| 68 |
> |
| 69 |
>> Date: Sun, 23 Nov 2008 10:48:51 +0100 (CET) |
| 70 |
>> From: atoth@××××××××××.hu |
| 71 |
>> Reply-To: gentoo-hardened@l.g.o |
| 72 |
>> To: gentoo-hardened@l.g.o |
| 73 |
>> Subject: [gentoo-hardened] Grsecurity: Role flag "G" problem |
| 74 |
>> |
| 75 |
>> Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some |
| 76 |
>> error messages are logged every time I authenticate myself as root. |
| 77 |
>> " |
| 78 |
>> Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to |
| 79 |
>> hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0, |
| 80 |
>> parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0 |
| 81 |
>> " |
| 82 |
>> Role flag "G" is specified for root in order to make this user able to |
| 83 |
>> authenticate using gradm. Some directories - including boot - are hidden. |
| 84 |
>> No matter if I replace "h" to "hs" for role root, these messages still get |
| 85 |
>> logged. If I try to create a policy for gradm, grsec reports, that I've |
| 86 |
>> tried to modify an already existing instance - which is probably included |
| 87 |
>> because Role flag "G", but the exact contents are hidden. |
| 88 |
>> This behavior appeared recently. |
| 89 |
>> |
| 90 |
>> Did I miss something? |
| 91 |
>> Any ideas on this are greatly appreciated. |
| 92 |
>> |
| 93 |
>> Is it discouraged to authenticate using gradm while logged in as root? |
| 94 |
>> |
| 95 |
>> Regards, |
| 96 |
>> Dw. |
| 97 |
>> -- |
| 98 |
>> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, |
| 99 |
>> 06-30-5962-962 |
| 100 |
>> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 101 |
>> |
| 102 |
>> |
| 103 |
>> |
| 104 |
> --[PinePGP]----------------------------------------------------------- |
| 105 |
> gpg: Signature made Sun Nov 23 16:38:22 2008 CST using DSA key ID 4DEB6002 |
| 106 |
> gpg: Good signature from "brant davin williams (never say anything) |
| 107 |
> gpg: <brant@×××××.net>" |
| 108 |
> --[PinePGP]----------------------------------------------------[end]-- |
| 109 |
> |
| 110 |
> |
| 111 |
-----BEGIN PGP SIGNATURE----- |
| 112 |
Version: GnuPG v2.0.9 (GNU/Linux) |
| 113 |
|
| 114 |
iEYEAREIAAYFAkkp3XUACgkQdCBnhE3rYAK4NQCdEFZwLMvkAoZjNhGIgo8HgDgs |
| 115 |
xnMAnRhJphRycWvttBsCSJAOyUhsY2Dj |
| 116 |
=Wzhk |
| 117 |
-----END PGP SIGNATURE----- |
Archives