Gentoo Archives: gentoo-hardened

From: John Tate <john@××××××××.org>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] grsec denying gradm, system unusuable
Date: Sun, 23 Feb 2014 09:21:05
Message-Id: CAHnfuAtgwYZjpL_OKu1Q_qoW7JWR2qAK2iZwzUj7uVnwngRBkQ@mail.gmail.com
In Reply to: Re: [gentoo-hardened] grsec denying gradm, system unusuable by "Tóth Attila"
How does it learn about the gradm -E before I've run it? Running it
kills the system, whereupon there is no /etc/grsec to write any rules
to. I've thought of this, and it doesn't work.

On Tue, Feb 18, 2014 at 10:06 PM, "Tóth Attila" <atoth@××××××××××.hu> wrote:
> Just give gradm learning a try without a prior gradm -E.
> Once you can generate an initial set of rules for your policy, you can
> start fine-tuning it for some specific applications.
> --
> Dr. Tóth Attila, Radiologist, 06-20-825-8057
> Attila Toth MD, Radiologist, +36-20-825-8057
>
> On 2014 February 17 (Mon) 23:26, John Tate wrote:
>> BTW, I was supposed to delete the first two lines of that email.
>>
>> On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@××××××××.org> wrote:
>>> What should that stuff be so gradm works? I tried add
>>>
>>> Also the wiki instructs me to issue gradm -E before putting it in
>>> learning mode.
>>>
>>> I've tried adding some lines to the admin role myself but the same
>>> problem occurs, and gradm can no longer find /dev/grsec.
>>>
>>> role admin sA
>>> subject / rvka
>>> / rwcdmlxi
>>> subject /sbin/gradm
>>> /etc/grsec rwx
>>> /dev/grsec rw
>>> +CAP_DAC_OVERRIDE
>>>
>>> It would be good if you could just help me get started by giving
>>> enough so that gradm -D will work so I can still work on the system
>>> without a reboot. At this point it is tedious.
>>>
>>> Also either the Wiki page is out of date and the advice no longer
>>> works, or the problem is actually some kernel option I've enabled:
>>> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>>>
>>>
>>> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@××××××××××.hu>
>>> wrote:
>>>> I think you should not issue gradm -E before activating learning mode.
>>>> Also make sure to populate your policy with at least some default stuff
>>>> for the admin role before enabling it. The example policy file gives a
>>>> starting point.
>>>> --
>>>> Dr. Tóth Attila, Radiologist, 06-20-825-8057
>>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>>
>>>> On 2014 February 17 (Mon) 20:29, John Tate wrote:
>>>>> I am new to grsecurity. I am having a problem when I enable RBAC, where
>>>>> grsecurity denies gradm and certain directories such as /etc/grsec are
>>>>> inaccessible, and even /dev/grsec.
>>>>>
>>>>> gentoo ~ # gradm -E
>>>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>>>> Could not open /dev/grsec.
>>>>> open: Permission denied
>>>>>
>>>>> /var/log/messages contains this...
>>>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>>>
>>>>> CONFIG_GRKERNSEC=y
>>>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>>>> CONFIG_GRKERNSEC_KMEM=y
>>>>> CONFIG_GRKERNSEC_IO=y
>>>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>>>> CONFIG_GRKERNSEC_BRUTE=y
>>>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>>>> CONFIG_GRKERNSEC_HIDESYM=y
>>>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>>>> CONFIG_GRKERNSEC_PROC=y
>>>>> CONFIG_GRKERNSEC_PROC_USER=y
>>>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>>>> CONFIG_GRKERNSEC_LINK=y
>>>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>>>> CONFIG_GRKERNSEC_FIFO=y
>>>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>>>> # CONFIG_GRKERNSEC_ROFS is not set
>>>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>>>> CONFIG_GRKERNSEC_CHROOT=y
>>>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>>>> CONFIG_GRKERNSEC_EXECLOG=y
>>>>> CONFIG_GRKERNSEC_RESLOG=y
>>>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>>>> CONFIG_GRKERNSEC_SIGNAL=y
>>>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>>>> CONFIG_GRKERNSEC_TIME=y
>>>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>>>> CONFIG_GRKERNSEC_DMESG=y
>>>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>>>> # CONFIG_GRKERNSEC_SETXID is not set
>>>>> CONFIG_GRKERNSEC_TPE=y
>>>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>>>> CONFIG_GRKERNSEC_TPE_GID=101
>>>>> CONFIG_GRKERNSEC_RANDNET=y
>>>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>>>> CONFIG_GRKERNSEC_SYSCTL=y
>>>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>>>
>>>>> Help would really be appreciated to get this working, because I'm
>>>>> quite new to this and I have no idea what I've missed.
>>>>>
>>>>> --
>>>>> www.johntate.org
>>>
>>> --
>>> www.johntate.org
>>
>> --
>> www.johntate.org
>

--
www.johntate.org
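The denial line quoted in this thread is the one concrete piece of evidence it contains: the `(default:D:/sbin/gradm)` triple is role, role type and subject, so the kernel rejected `CAP_DAC_OVERRIDE` for `/sbin/gradm` while it was confined by the `default` role, and the `From 192.168.0.3:` prefix is what `CONFIG_GRKERNSEC_PROC_IPADDR` adds for processes started from a remote session. Below is an added example, not code from the thread or from the gradm project, that parses capability-denial lines of exactly that shape out of a syslog extract and renders the grants that would silence them as a gradm-style policy fragment. The sample log is constructed: its first line is the denial from the thread rejoined onto one line, the rest are invented in the same format (plus an unrelated sshd line) to exercise de-duplication and grouping. File and object denials are logged in a different format and are deliberately not handled.

```python
"""Turn grsecurity RBAC capability-denial log lines into a policy fragment.

Added example, not from the thread or from gradm.  Only the
"use of CAP_* denied for ..." message shape quoted in the thread is parsed.
"""
import re
from collections import OrderedDict

# Constructed sample log.  Line 1 is the denial quoted in the thread, rejoined
# onto one line.  The remaining lines are made up in the same format (plus one
# unrelated sshd line) to exercise de-duplication and grouping.
SAMPLE_LOG = """\
Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:40:57 gentoo sshd[1800]: Accepted publickey for root from 192.168.0.3 port 51234 ssh2
Feb 16 22:41:10 gentoo kernel: [  673.000001] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:42:30 gentoo kernel: [  753.500000] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/nginx[nginx:4001] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

# (role:roletype:subject) is the RBAC context the denied process ran under.
# The "From <ip>:" prefix is optional: it only appears for remote sessions.
CAP_DENIAL = re.compile(
    r"grsec: (?:From (?P<ip>[0-9.]+): )?"
    r"\((?P<role>[^:)]+):(?P<roletype>[^:)]+):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_[A-Z0-9_]+) denied for "
    r"(?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)


def parse_denials(log_text):
    """Return one dict per capability-denial line; all other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = CAP_DENIAL.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("pid", "ppid", "uid", "euid", "gid", "egid"):
            d[key] = int(d[key])
        out.append(d)
    return out


def denial_counts(denials):
    """Count denials per (role, subject, capability), keeping first-seen order."""
    counts = OrderedDict()
    for d in denials:
        key = (d["role"], d["subject"], d["cap"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def suggest_policy(denials):
    """Render a gradm-style fragment granting each denied capability.

    The role/subject headers are emitted so the fragment reads on its own;
    in practice the +CAP lines are merged under the matching subject that
    already exists in /etc/grsec/policy.  Every grant must be reviewed by
    hand: CAP_DAC_OVERRIDE bypasses file permissions outright, so granting
    it just because it was denied once defeats the purpose of the policy.
    """
    by_role = OrderedDict()
    for (role, subject, cap), _count in denial_counts(denials).items():
        by_role.setdefault(role, OrderedDict()).setdefault(subject, set()).add(cap)
    lines = []
    for role, subjects in by_role.items():
        lines.append("role %s" % role)
        for subject in sorted(subjects):
            lines.append("subject %s" % subject)
            for cap in sorted(subjects[subject]):
                lines.append("\t+%s" % cap)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for (role, subject, cap), n in denial_counts(found).items():
        print("%-8s %-16s %-22s x%d" % (role, subject, cap, n))
    print(suggest_policy(found))
```

Running it against the sample prints the two distinct denials with their counts and then a fragment granting `CAP_DAC_OVERRIDE` to `/sbin/gradm` and `CAP_NET_BIND_SERVICE` to the catch-all `/` subject, both under `role default`. That is the same reduction gradm's own learning mode performs with far more fidelity; a script like this is for triaging `/var/log/messages` after a policy has already been enabled, when the question is which role the denial happened under and whether the grant is justified, not for generating a policy wholesale.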

Replies

Subject Author
Re: [gentoo-hardened] grsec denying gradm, system unusuable "Tóth Attila" <atoth@××××××××××.hu>