Hello brant,

I've made a mistake in my original post.
For role root I have /root r and /boot h by default. The primary aim
of role flag G is to extend the rules of the role with some default
entries to make gradm authentication possible. If I add role flag "G", I
cannot add /sbin/gradm in addition to it. However, I don't know which
default entries role flag G implements.
I didn't change the default entries for role root, but at some point
"denied access to hidden file /root by /sbin/gradm" messages appeared in
the log files. That means something has changed which affects the
behavior of role flag G.

Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

On Sun, November 23, 2008 23:47, brant williams wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello again...
>
> I just re-read your original message and am still not entirely sure what
> you're trying to do here. If you _want_ to have directories like /boot
> and /root hidden from the root role/user via RBAC, then you should
> probably hide/suppress ("hs") them in the "subject" section for bash,
> which is what is calling `gradm`.
>
> I'm not entirely sure, but you may need to add these flags to the subject
> for /sbin/gradm as well as /bin/bash (in root's role).
>
> As far as there being an instance already running, are you perhaps trying
> to run gradm in learning mode while the RBAC system is already active?
>
> Hrm...
>
> brant williams
> FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
>
>
>
> On Sun, 23 Nov 2008, brant williams wrote:
>
>> Date: Sun, 23 Nov 2008 16:38:16 -0600 (CST)
>> From: brant williams <brant@×××××.net>
>> Reply-To: gentoo-hardened@l.g.o
>> To: gentoo-hardened@l.g.o
>> Subject: Re: [gentoo-hardened] Grsecurity: Role flag "G" problem
>>
>> --[PinePGP]--------------------------------------------------[begin]--
>>
>> Why would you specify "hs" for /root in the root policy? The "h" flag
>> will hide that path from the role. You probably want something like:
>>
>> role root uG
>> subject / {
>>     /                       r
>>     #
>>     # (other filesystem paths and permissions here)
>>     #
>>     /root                   r
>>     # capabilities, etc, here
>>     -CAP_ALL
>>     bind    disabled
>>     connect disabled
>> }
>>
>> Replacing the object flag "h" with "hs" will still hide things. ;) In
>> the same way, changing from "x" to "rx" will still not allow you to
>> write to the file.
>>
>> You might want to take a look at this[1] link...
>>
>> [1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes
>>
>> Hope that helps...
>>
>>
>> brant williams
>> FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
>>
>>
>>
>> On Sun, 23 Nov 2008, atoth@××××××××××.hu wrote:
>>
>>> Date: Sun, 23 Nov 2008 10:48:51 +0100 (CET)
>>> From: atoth@××××××××××.hu
>>> Reply-To: gentoo-hardened@l.g.o
>>> To: gentoo-hardened@l.g.o
>>> Subject: [gentoo-hardened] Grsecurity: Role flag "G" problem
>>>
>>> Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some
>>> error messages are logged every time I authenticate myself as root.
>>> "
>>> Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
>>> hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
>>> parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
>>> "
>>> Role flag "G" is specified for root in order to make this user able to
>>> authenticate using gradm. Some directories - including boot - are hidden.
>>> No matter if I replace "h" with "hs" for role root, these messages still
>>> get logged. If I try to create a policy for gradm, grsec reports that I've
>>> tried to modify an already existing instance - which is probably included
>>> because of role flag "G", but the exact contents are hidden.
>>> This behavior appeared recently.
>>>
>>> Did I miss something?
>>> Any ideas on this are greatly appreciated.
>>>
>>> Is it discouraged to authenticate using gradm while logged in as root?
>>>
>>> Regards,
>>> Dw.
>>> --
>>> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
>>> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
>>>
>>>
>>>
>> --[PinePGP]-----------------------------------------------------------
>> gpg: Signature made Sun Nov 23 16:38:22 2008 CST using DSA key ID 4DEB6002
>> gpg: Good signature from "brant davin williams (never say anything)
>> gpg: <brant@×××××.net>"
>> --[PinePGP]----------------------------------------------------[end]--
>>
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (GNU/Linux)
>
> iEYEAREIAAYFAkkp3XUACgkQdCBnhE3rYAK4NQCdEFZwLMvkAoZjNhGIgo8HgDgs
> xnMAnRhJphRycWvttBsCSJAOyUhsY2Dj
> =Wzhk
> -----END PGP SIGNATURE-----
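The denial quoted in the original post has a fixed layout: the role, a one-letter role type, the subject path in parentheses, the hidden object, then the acting process and its parent, each with comm, pid and uid/gid pairs. When such lines pile up in syslog, the first question is which subject block in the policy is missing an object entry for which path. The Python below is an added example, not part of this thread and not gradm's own code: it parses lines of that layout and groups them by the (role, subject, object) triple. The field names are my own, the first sample line is the one from the thread re-joined onto a single line, and the other two sample lines are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Process descriptor as it appears in the quoted line:
#   PATH[comm:pid] uid/euid:U/E gid/egid:G/E
# {p} is a name prefix so one template serves the acting process and its parent.
_PROC = (
    r"(?P<{p}exe>\S+?)\[(?P<{p}comm>[^\]:]+):(?P<{p}pid>\d+)\] "
    r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)"
)

# Layout taken from the line quoted in the thread:
#   grsec: (ROLE:T:SUBJECT) denied access to hidden file OBJECT by PROC, parent PROC
# where T is the single role-type letter (U in the thread's line).
HIDDEN_FILE_RE = re.compile(
    r"grsec: \((?P<role>[^:()]+):(?P<role_type>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<object>\S+) by "
    + _PROC.format(p="")
    + ", parent "
    + _PROC.format(p="parent_")
)

_INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
               "parent_pid", "parent_uid", "parent_euid", "parent_gid", "parent_egid")


def parse_hidden_file_denial(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a hidden-file denial, or None for any other line."""
    m = HIDDEN_FILE_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    for key in _INT_FIELDS:
        rec[key] = int(m.group(key))
    return rec


def group_denials(lines: Iterable[str]) -> Counter:
    """Count denials per (role, subject, object).

    The triple names the role and the subject block in the RBAC policy, and
    the object that block has no visible entry for: the place a fix belongs.
    """
    counts: Counter = Counter()
    for line in lines:
        rec = parse_hidden_file_denial(line)
        if rec is not None:
            counts[(rec["role"], rec["subject"], rec["object"])] += 1
    return counts


# Sample input. The first line is the one quoted in the thread, re-joined onto
# one line; the other two are constructed for this example.
SAMPLE_LOG = [
    "Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to hidden file /root "
    "by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:7033] "
    "uid/euid:0/0 gid/egid:0/0",
    # Constructed: the same denial from a later gradm invocation in the same shell.
    "Nov 23 10:15:02 hostname grsec: (root:U:/sbin/gradm) denied access to hidden file /root "
    "by /sbin/gradm[gradm:7301] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:7033] "
    "uid/euid:0/0 gid/egid:0/0",
    # Constructed: an unrelated syslog line the parser must ignore.
    "Nov 23 10:15:03 hostname sshd[1234]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for (role, subject, obj), n in group_denials(SAMPLE_LOG).most_common():
        print(f"{n:4d}  role={role} subject={subject} object={obj}")
```

Run against a real log with `group_denials(open("/var/log/messages"))`; the output for the thread's situation is a single triple, (root, /sbin/gradm, /root), which points at the auto-added gradm subject rather than at the bash subject the reply discusses.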