-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Why would you specify "hs" for /root in the root policy? The "h" flag
will hide that path from the role. You probably want something like:

role root uG
subject / {
    / r
    #
    # (other filesystem paths and permissions here)
    #
    /root r
    # capabilities, etc, here
    -CAP_ALL
    bind disabled
    connect disabled
}

Replacing the object flag "h" with "hs" will still hide things. ;) In
the same way, changing from "x" to "rx" will still not allow you to write
to the file.

You might want to take a look at this[1] link...

[1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes

Hope that helps...


brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002



On Sun, 23 Nov 2008, atoth@××××××××××.hu wrote:

> Date: Sun, 23 Nov 2008 10:48:51 +0100 (CET)
> From: atoth@××××××××××.hu
> Reply-To: gentoo-hardened@l.g.o
> To: gentoo-hardened@l.g.o
> Subject: [gentoo-hardened] Grsecurity: Role flag "G" problem
>
> Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some
> error messages are logged every time I authenticate myself as root.
> "
> Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
> hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
> parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
> "
> Role flag "G" is specified for root in order to make this user able to
> authenticate using gradm. Some directories - including boot - are hidden.
> No matter if I replace "h" with "hs" for role root, these messages still get
> logged. If I try to create a policy for gradm, grsec reports that I've
> tried to modify an already existing instance - which is probably included
> because of Role flag "G", but the exact contents are hidden.
> This behavior appeared recently.
>
> Did I miss something?
> Any ideas on this are greatly appreciated.
>
> Is it discouraged to authenticate using gradm while logged in as root?
>
> Regards,
> Dw.
> --
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEAREIAAYFAkkp214ACgkQdCBnhE3rYAL4tQCfVPEcDL7KWf7s6NfdbDJiPcsd
+LkAoIxwNx7o1j4axe4UcvFerOhOLWGI
=AsPO
-----END PGP SIGNATURE-----
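The reply above rests on two rules of grsecurity RBAC object matching: the object whose path is the most specific (longest) prefix of the accessed path is the one that applies, and an "h" in that object's mode hides the path regardless of which other letters sit next to it. The Python below is an added toy model of that lookup, written for this page; it is not gradm or grsecurity code. The sample policies in it are constructed from the snippet in the reply (with a "/sbin/gradm rx" object added for the write check), and it models only the letters this thread discusses: r/w/x as permissions, "h" as hide, and "s" as suppressing the log line for a denial, which is what the "s" object mode is documented to do. Capabilities, socket rules, nested subjects and role hierarchy are ignored.

```python
# Toy model of grsecurity RBAC object lookup (added example, not gradm code).
# Within a role, the subject whose path is the longest prefix of the running
# executable applies; within that subject, the object whose path is the
# longest prefix of the accessed file applies.  Anything unmatched is denied.

def parse_policy(text):
    """Parse `role`, `subject ... {` and `<path> <mode>` lines into
    {role: {subject_path: {object_path: mode}}}.  Simplified grammar:
    '#' starts a comment, a subject block ends at a lone '}', and
    capability (-CAP_*) and socket (bind/connect) lines are skipped."""
    roles, role, subject = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "role":
            role = parts[1]
            roles.setdefault(role, {})
        elif parts[0] == "subject":
            subject = parts[1]
            roles[role][subject] = {}
        elif line == "}":
            subject = None
        elif subject is not None and parts[0].startswith("/"):
            roles[role][subject][parts[0]] = parts[1] if len(parts) > 1 else ""
    return roles


def longest_prefix(candidates, path):
    """Pick the candidate path that is the longest whole-component prefix of
    `path`: '/root' covers '/root' and '/root/.bashrc' but not '/rootfs'."""
    best = None
    for cand in candidates:
        if path == cand or path.startswith(cand.rstrip("/") + "/"):
            if best is None or len(cand) > len(best):
                best = cand
    return best


def check_access(roles, role, exe, path, want):
    """Decide whether `exe` under `role` may access `path` with the permission
    letters in `want`.  Returns (allowed, logged, message); `logged` says
    whether a denial would produce a grsec log line ('s' suppresses it)."""
    subj = longest_prefix(roles[role], exe)
    if subj is None:
        return False, True, "no subject for %s in role %s" % (exe, role)
    objects = roles[role][subj]
    obj = longest_prefix(objects, path)
    if obj is None:
        return False, True, "no object matches %s (default deny)" % path
    mode = objects[obj]
    tag = "(%s:U:%s)" % (role, subj)          # mirrors the log prefix format
    if "h" in mode:                            # hidden wins over everything
        return False, "s" not in mode, \
            "%s denied access to hidden file %s by %s" % (tag, path, exe)
    missing = [c for c in want if c not in mode]
    if missing:
        return False, "s" not in mode, "%s denied %s on %s by %s (object %s mode %s)" % (
            tag, "".join(missing), path, exe, obj, mode)
    return True, False, "%s allowed %s on %s via object %s" % (tag, want, path, obj)


def policy_with(root_mode):
    """Constructed sample policy shaped like the reply's snippet, with the
    mode of the /root object parameterised (assumed layout, not a real box)."""
    return """
role root uG
subject / {
    /           r
    /root       %s
    /sbin/gradm rx
    -CAP_ALL
    bind    disabled
    connect disabled
}
""" % root_mode


def demo():
    """gradm reading /root under each of the three /root modes discussed."""
    out = {}
    for mode in ("h", "hs", "r"):
        roles = parse_policy(policy_with(mode))
        out[mode] = check_access(roles, "root", "/sbin/gradm", "/root", "r")
    return out


if __name__ == "__main__":
    for mode, (allowed, logged, msg) in demo().items():
        print("/root %-2s -> allowed=%-5s logged=%-5s %s" % (mode, allowed, logged, msg))
```

Running it shows the three outcomes the reply describes: with "/root h" gradm is denied and a "denied access to hidden file /root" line is logged, with "/root hs" it is still denied but silently, and only "/root r" lets gradm in. Because "/root" is a longer prefix than "/", the broad "/ r" object cannot rescue it; and the "rx" object on /sbin/gradm still refuses a write, since no "w" is present.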