1 |
I am new to grsecurity I am having a problem when I enable RBAC, where |
2 |
grsecurity denies gradm and certain directories such as /etc/grsec are |
3 |
inaccessible, and even /dev/grsec. |
4 |
|
5 |
gentoo ~ # gradm -E |
6 |
gentoo ~ # gradm -F -L /etc/grsec/learning.log |
7 |
Could not open /dev/grsec. |
8 |
open: Permission denied |
9 |
|
10 |
/var/log/messages contains this... |
11 |
Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3: |
12 |
(default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for |
13 |
/sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent |
14 |
/bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0 |
15 |
|
16 |
CONFIG_GRKERNSEC=y |
17 |
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set |
18 |
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y |
19 |
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101 |
20 |
CONFIG_GRKERNSEC_KMEM=y |
21 |
CONFIG_GRKERNSEC_IO=y |
22 |
CONFIG_GRKERNSEC_PERF_HARDEN=y |
23 |
CONFIG_GRKERNSEC_RAND_THREADSTACK=y |
24 |
CONFIG_GRKERNSEC_PROC_MEMMAP=y |
25 |
CONFIG_GRKERNSEC_BRUTE=y |
26 |
CONFIG_GRKERNSEC_MODHARDEN=y |
27 |
CONFIG_GRKERNSEC_HIDESYM=y |
28 |
CONFIG_GRKERNSEC_KERN_LOCKOUT=y |
29 |
# CONFIG_GRKERNSEC_NO_RBAC is not set |
30 |
CONFIG_GRKERNSEC_ACL_HIDEKERN=y |
31 |
CONFIG_GRKERNSEC_ACL_MAXTRIES=3 |
32 |
CONFIG_GRKERNSEC_ACL_TIMEOUT=60 |
33 |
CONFIG_GRKERNSEC_PROC=y |
34 |
CONFIG_GRKERNSEC_PROC_USER=y |
35 |
CONFIG_GRKERNSEC_PROC_ADD=y |
36 |
CONFIG_GRKERNSEC_LINK=y |
37 |
# CONFIG_GRKERNSEC_SYMLINKOWN is not set |
38 |
CONFIG_GRKERNSEC_FIFO=y |
39 |
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y |
40 |
# CONFIG_GRKERNSEC_ROFS is not set |
41 |
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y |
42 |
CONFIG_GRKERNSEC_CHROOT=y |
43 |
CONFIG_GRKERNSEC_CHROOT_MOUNT=y |
44 |
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y |
45 |
CONFIG_GRKERNSEC_CHROOT_PIVOT=y |
46 |
CONFIG_GRKERNSEC_CHROOT_CHDIR=y |
47 |
CONFIG_GRKERNSEC_CHROOT_CHMOD=y |
48 |
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y |
49 |
CONFIG_GRKERNSEC_CHROOT_MKNOD=y |
50 |
CONFIG_GRKERNSEC_CHROOT_SHMAT=y |
51 |
CONFIG_GRKERNSEC_CHROOT_UNIX=y |
52 |
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y |
53 |
CONFIG_GRKERNSEC_CHROOT_NICE=y |
54 |
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y |
55 |
CONFIG_GRKERNSEC_CHROOT_CAPS=y |
56 |
CONFIG_GRKERNSEC_AUDIT_GROUP=y |
57 |
CONFIG_GRKERNSEC_AUDIT_GID=100 |
58 |
CONFIG_GRKERNSEC_EXECLOG=y |
59 |
CONFIG_GRKERNSEC_RESLOG=y |
60 |
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y |
61 |
CONFIG_GRKERNSEC_AUDIT_PTRACE=y |
62 |
CONFIG_GRKERNSEC_AUDIT_CHDIR=y |
63 |
CONFIG_GRKERNSEC_AUDIT_MOUNT=y |
64 |
CONFIG_GRKERNSEC_SIGNAL=y |
65 |
CONFIG_GRKERNSEC_FORKFAIL=y |
66 |
CONFIG_GRKERNSEC_TIME=y |
67 |
CONFIG_GRKERNSEC_PROC_IPADDR=y |
68 |
CONFIG_GRKERNSEC_RWXMAP_LOG=y |
69 |
CONFIG_GRKERNSEC_DMESG=y |
70 |
CONFIG_GRKERNSEC_HARDEN_PTRACE=y |
71 |
CONFIG_GRKERNSEC_PTRACE_READEXEC=y |
72 |
# CONFIG_GRKERNSEC_SETXID is not set |
73 |
CONFIG_GRKERNSEC_TPE=y |
74 |
CONFIG_GRKERNSEC_TPE_ALL=y |
75 |
# CONFIG_GRKERNSEC_TPE_INVERT is not set |
76 |
CONFIG_GRKERNSEC_TPE_GID=101 |
77 |
CONFIG_GRKERNSEC_RANDNET=y |
78 |
CONFIG_GRKERNSEC_BLACKHOLE=y |
79 |
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y |
80 |
# CONFIG_GRKERNSEC_SOCKET is not set |
81 |
# CONFIG_GRKERNSEC_DENYUSB is not set |
82 |
CONFIG_GRKERNSEC_SYSCTL=y |
83 |
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set |
84 |
CONFIG_GRKERNSEC_SYSCTL_ON=y |
85 |
# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set |
86 |
CONFIG_GRKERNSEC_FLOODTIME=10 |
87 |
CONFIG_GRKERNSEC_FLOODBURST=6 |
88 |
|
89 |
Help would really be appreciated to get this working, because I'm |
90 |
quite new to this and I have no idea what I've missed. |
91 |
|
92 |
-- |
93 |
www.johntate.org |