| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
|
| 5 |
Why would you specify "hs" for /root in the root policy? The "h" flag |
| 6 |
will hide that path from the role. You probably want something like: |
| 7 |
|
| 8 |
role root uG |
| 9 |
subject / { |
| 10 |
/ r |
| 11 |
# |
| 12 |
# (other filesystem paths and permissions here) |
| 13 |
# |
| 14 |
/root r |
| 15 |
# capabilities, etc, here |
| 16 |
-CAP_ALL |
| 17 |
bind disabled |
| 18 |
connect disabled |
| 19 |
} |
| 20 |
|
| 21 |
Replacing the object flag "h" with "hs" will still hide things. ;) In |
| 22 |
the same way, changing from "x" to "rx" will still not allow you to write |
| 23 |
to the file. |
| 24 |
|
| 25 |
You might want to take a look at this[1] link... |
| 26 |
|
| 27 |
[1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes |
| 28 |
|
| 29 |
Hope that helps... |
| 30 |
|
| 31 |
|
| 32 |
brant williams |
| 33 |
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002 |
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
On Sun, 23 Nov 2008, atoth@××××××××××.hu wrote: |
| 38 |
|
| 39 |
> Date: Sun, 23 Nov 2008 10:48:51 +0100 (CET) |
| 40 |
> From: atoth@××××××××××.hu |
| 41 |
> Reply-To: gentoo-hardened@l.g.o |
| 42 |
> To: gentoo-hardened@l.g.o |
| 43 |
> Subject: [gentoo-hardened] Grsecurity: Role flag "G" problem |
| 44 |
> |
| 45 |
> Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some |
| 46 |
> error messages are logged every time I authenticate myself as root. |
| 47 |
> " |
| 48 |
> Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to |
| 49 |
> hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0, |
| 50 |
> parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0 |
| 51 |
> " |
| 52 |
> Role flag "G" is specified for root in order to make this user able to |
| 53 |
> authenticate using gradm. Some directories - including boot - are hidden. |
| 54 |
> No matter if I replace "h" to "hs" for role root, these messages still get |
| 55 |
> logged. If I try to create a policy for gradm, grsec reports, that I've |
| 56 |
> tried to modify an already existing instance - which is probably included |
| 57 |
> because Role flag "G", but the exact contents are hidden. |
| 58 |
> This behavior appeared recently. |
| 59 |
> |
| 60 |
> Did I miss something? |
| 61 |
> Any ideas on this are greatly appreciated. |
| 62 |
> |
| 63 |
> Is it discouraged to authenticate using gradm while logged in as root? |
| 64 |
> |
| 65 |
> Regards, |
| 66 |
> Dw. |
| 67 |
> -- |
| 68 |
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
| 69 |
> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 70 |
> |
| 71 |
> |
| 72 |
> |
| 73 |
-----BEGIN PGP SIGNATURE----- |
| 74 |
Version: GnuPG v2.0.9 (GNU/Linux) |
| 75 |
|
| 76 |
iEYEAREIAAYFAkkp214ACgkQdCBnhE3rYAL4tQCfVPEcDL7KWf7s6NfdbDJiPcsd |
| 77 |
+LkAoIxwNx7o1j4axe4UcvFerOhOLWGI |
| 78 |
=AsPO |
| 79 |
-----END PGP SIGNATURE----- |
Archives