| 1 |
Hello brant, |
| 2 |
|
| 3 |
I've made a mistake in my original post. |
| 4 |
For role root I have /root r by, and /boot h by default. The primary aim |
| 5 |
for role flag G is to extend the rules of the role with some default |
| 6 |
entries to make gradm authentication possible. If I add role flag "G", I |
| 7 |
cannot add /sbin/gradm in addition to it. However I don't know which |
| 8 |
default entries role flag G implements. |
| 9 |
I didn't change the default entries for role root, but at some point |
| 10 |
"denied access to hidden file /root by /sbin/gradm" messages appeared in |
| 11 |
the log files. That means something has changed, which affects the |
| 12 |
behavior of Role flag G. |
| 13 |
|
| 14 |
Regards, |
| 15 |
Dw. |
| 16 |
-- |
| 17 |
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
| 18 |
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 19 |
|
| 20 |
On Vas, November 23, 2008 23:47, brant williams wrote: |
| 21 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 22 |
> Hash: SHA256 |
| 23 |
> |
| 24 |
> Hello again... |
| 25 |
> |
| 26 |
> I just re-read your original message and am still not entirely sure what |
| 27 |
> you're trying to do here. If you _want_ to have directories like /boot |
| 28 |
> and /root hidden from the root role/user via RBAC, then you should |
| 29 |
> probably hide/suppress ("hs") them in the "subject" section for bash, |
| 30 |
> which is what is calling `gradm`. |
| 31 |
> |
| 32 |
> I'm not entirely sure, but you may need to add these flags to the subject |
| 33 |
> for /sbin/gradm as well as /bin/bash (in root's role). |
| 34 |
> |
| 35 |
> As far as there being an instance already running, are you perhaps trying |
| 36 |
> to run gradm in learning mode while the RBAC system is already active? |
| 37 |
> |
| 38 |
> Hrm... |
| 39 |
> |
| 40 |
> brant williams |
| 41 |
> FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002 |
| 42 |
> |
| 43 |
> |
| 44 |
> |
| 45 |
> On Sun, 23 Nov 2008, brant williams wrote: |
| 46 |
> |
| 47 |
>> Date: Sun, 23 Nov 2008 16:38:16 -0600 (CST) |
| 48 |
>> From: brant williams <brant@×××××.net> |
| 49 |
>> Reply-To: gentoo-hardened@l.g.o |
| 50 |
>> To: gentoo-hardened@l.g.o |
| 51 |
>> Subject: Re: [gentoo-hardened] Grsecurity: Role flag "G" problem |
| 52 |
>> |
| 53 |
>> --[PinePGP]--------------------------------------------------[begin]-- |
| 54 |
>> |
| 55 |
>> Why would you specify "hs" for /root in the root policy? The "h" flag |
| 56 |
>> will hide that path from the role. You probably want something like: |
| 57 |
>> |
| 58 |
>> role root uG |
| 59 |
>> subject / { |
| 60 |
>> / r |
| 61 |
>> # |
| 62 |
>> # (other filesystem paths and permissions here) |
| 63 |
>> # |
| 64 |
>> /root r |
| 65 |
>> # capabilities, etc, here |
| 66 |
>> -CAP_ALL |
| 67 |
>> bind disabled |
| 68 |
>> connect disabled |
| 69 |
>> } |
| 70 |
>> |
| 71 |
>> Replacing the object flag "h" with "hs" will still hide things. ;) In |
| 72 |
>> the same way, changing from "x" to "rx" will still not allow you to |
| 73 |
>> write |
| 74 |
>> to the file. |
| 75 |
>> |
| 76 |
>> You might want to take a look at this[1] link... |
| 77 |
>> |
| 78 |
>> [1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes |
| 79 |
>> |
| 80 |
>> Hope that helps... |
| 81 |
>> |
| 82 |
>> |
| 83 |
>> brant williams |
| 84 |
>> FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002 |
| 85 |
>> |
| 86 |
>> |
| 87 |
>> |
| 88 |
>> On Sun, 23 Nov 2008, atoth@××××××××××.hu wrote: |
| 89 |
>> |
| 90 |
>>> Date: Sun, 23 Nov 2008 10:48:51 +0100 (CET) |
| 91 |
>>> From: atoth@××××××××××.hu |
| 92 |
>>> Reply-To: gentoo-hardened@l.g.o |
| 93 |
>>> To: gentoo-hardened@l.g.o |
| 94 |
>>> Subject: [gentoo-hardened] Grsecurity: Role flag "G" problem |
| 95 |
>>> |
| 96 |
>>> Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), |
| 97 |
>>> some |
| 98 |
>>> error messages are logged every time I authenticate myself as root. |
| 99 |
>>> " |
| 100 |
>>> Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to |
| 101 |
>>> hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 |
| 102 |
>>> gid/egid:0/0, |
| 103 |
>>> parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0 |
| 104 |
>>> " |
| 105 |
>>> Role flag "G" is specified for root in order to make this user able to |
| 106 |
>>> authenticate using gradm. Some directories - including boot - are |
| 107 |
>>> hidden. |
| 108 |
>>> No matter if I replace "h" to "hs" for role root, these messages still |
| 109 |
>>> get |
| 110 |
>>> logged. If I try to create a policy for gradm, grsec reports, that |
| 111 |
>>> I've |
| 112 |
>>> tried to modify an already existing instance - which is probably |
| 113 |
>>> included |
| 114 |
>>> because Role flag "G", but the exact contents are hidden. |
| 115 |
>>> This behavior appeared recently. |
| 116 |
>>> |
| 117 |
>>> Did I miss something? |
| 118 |
>>> Any ideas on this are greatly appreciated. |
| 119 |
>>> |
| 120 |
>>> Is it discouraged to authenticate using gradm while logged in as root? |
| 121 |
>>> |
| 122 |
>>> Regards, |
| 123 |
>>> Dw. |
| 124 |
>>> -- |
| 125 |
>>> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, |
| 126 |
>>> 06-30-5962-962 |
| 127 |
>>> Attila Toth MD, Radiologist in Training, +36-20-825-8057, |
| 128 |
>>> +36-30-5962-962 |
| 129 |
>>> |
| 130 |
>>> |
| 131 |
>>> |
| 132 |
>> --[PinePGP]----------------------------------------------------------- |
| 133 |
>> gpg: Signature made Sun Nov 23 16:38:22 2008 CST using DSA key ID |
| 134 |
>> 4DEB6002 |
| 135 |
>> gpg: Good signature from "brant davin williams (never say anything) |
| 136 |
>> gpg: <brant@×××××.net>" |
| 137 |
>> --[PinePGP]----------------------------------------------------[end]-- |
| 138 |
>> |
| 139 |
>> |
| 140 |
> -----BEGIN PGP SIGNATURE----- |
| 141 |
> Version: GnuPG v2.0.9 (GNU/Linux) |
| 142 |
> |
| 143 |
> iEYEAREIAAYFAkkp3XUACgkQdCBnhE3rYAK4NQCdEFZwLMvkAoZjNhGIgo8HgDgs |
| 144 |
> xnMAnRhJphRycWvttBsCSJAOyUhsY2Dj |
| 145 |
> =Wzhk |
| 146 |
> -----END PGP SIGNATURE----- |
Archives