Hello again...

I just re-read your original message and am still not entirely sure what
you're trying to do here. If you _want_ to have directories like /boot
and /root hidden from the root role/user via RBAC, then you should
probably hide/suppress ("hs") them in the "subject" section for bash,
which is what is calling `gradm`.

I'm not entirely sure, but you may need to add these flags to the subject
for /sbin/gradm as well as /bin/bash (in root's role).

As far as there being an instance already running, are you perhaps trying
to run gradm in learning mode while the RBAC system is already active?

Hrm...

brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002


On Sun, 23 Nov 2008, brant williams wrote:

> Date: Sun, 23 Nov 2008 16:38:16 -0600 (CST)
> From: brant williams <brant@×××××.net>
> Reply-To: gentoo-hardened@l.g.o
> To: gentoo-hardened@l.g.o
> Subject: Re: [gentoo-hardened] Grsecurity: Role flag "G" problem
>
> Why would you specify "hs" for /root in the root policy? The "h" flag
> will hide that path from the role. You probably want something like:
>
> role root uG
> subject / {
>     /       r
>     #
>     # (other filesystem paths and permissions here)
>     #
>     /root   r
>     # capabilities, etc, here
>     -CAP_ALL
>     bind    disabled
>     connect disabled
> }
>
> Replacing the object flag "h" with "hs" will still hide things. ;) In
> the same way, changing from "x" to "rx" will still not allow you to write
> to the file.
>
> You might want to take a look at this[1] link...
>
> [1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes
>
> Hope that helps...
>
>
> brant williams
> FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
>
>
>
> On Sun, 23 Nov 2008, atoth@××××××××××.hu wrote:
>
>> Date: Sun, 23 Nov 2008 10:48:51 +0100 (CET)
>> From: atoth@××××××××××.hu
>> Reply-To: gentoo-hardened@l.g.o
>> To: gentoo-hardened@l.g.o
>> Subject: [gentoo-hardened] Grsecurity: Role flag "G" problem
>>
>> Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some
>> error messages are logged every time I authenticate myself as root.
>> "
>> Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
>> hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
>> parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
>> "
>> Role flag "G" is specified for root in order to make this user able to
>> authenticate using gradm. Some directories - including boot - are hidden.
>> No matter if I replace "h" with "hs" for role root, these messages still get
>> logged. If I try to create a policy for gradm, grsec reports that I've
>> tried to modify an already existing instance - which is probably included
>> because of Role flag "G", but the exact contents are hidden.
>> This behavior appeared recently.
>>
>> Did I miss something?
>> Any ideas on this are greatly appreciated.
>>
>> Is it discouraged to authenticate using gradm while logged in as root?
>>
>> Regards,
>> Dw.
>> --
>> dr Tóth Attila, Radiology Specialist Candidate, 06-20-825-8057,
>> 06-30-5962-962
>> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
>>
>>
>>
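As an added example, not part of the thread: a small Python parser for the grsec RBAC denial line quoted above, so that the role, the enforced subject, the denied object and the parent process can be read off a log stream and an admin can see which subject's object list (gradm's, bash's) an entry belongs in. The sample line is the one from the thread; the helper names are my own, and the "hs" suggestion assumes the path is meant to stay hidden, as the reply above advises.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the denial line quoted in the thread, syslog prefix included.
SAMPLE_LOG = (
    "Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to "
    "hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0, "
    "parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0"
)

# Layout of an RBAC denial: "(role:type:subject)", the kind of object and its path,
# the acting process as path[comm:pid] with its ids, then the parent in the same form.
DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied access to (?P<kind>.+?) (?P<obj>/\S+) by "
    r"(?P<proc>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<pproc>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

@dataclass(frozen=True)
class Denial:
    role: str
    rtype: str       # role type letter in the log: U = user role (as in the sample)
    subject: str     # subject whose object list was enforced
    kind: str        # e.g. "hidden file"
    obj: str         # the object path that was denied
    proc: str
    pid: int
    parent: str
    ppid: int
    euid: int

def parse_denial(line: str) -> Optional[Denial]:
    """Return the structured denial, or None for any other grsec/syslog line."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    return Denial(role=m["role"], rtype=m["rtype"], subject=m["subject"],
                  kind=m["kind"], obj=m["obj"], proc=m["proc"], pid=int(m["pid"]),
                  parent=m["pproc"], ppid=int(m["ppid"]), euid=int(m["euid"]))

def subjects_to_review(d: Denial) -> List[str]:
    """Enforced subject first, then the parent; the thread suggests both may need the entry."""
    return [d.subject] + ([d.parent] if d.parent != d.subject else [])

def quiet_hidden_object(d: Denial) -> str:
    """Object line that keeps the path hidden and stops logging the denial ('h' hide, 's' suppress)."""
    return f"{d.obj} hs"
```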