| 1 |
BTW, I was supposed to delete the first two lines of that email. |
| 2 |
|
| 3 |
On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@××××××××.org> wrote: |
| 4 |
> What should that stuff be so gradm works. I tried add |
| 5 |
> |
| 6 |
> Also the wiki instructs me to issue gradm -E before putting it in learning mode. |
| 7 |
> |
| 8 |
> I've tried adding some lines to the admin role myself but the same |
| 9 |
> problem occurs, and gradm can no longer find /dev/grsec.. |
| 10 |
> |
| 11 |
> role admin sA |
| 12 |
> subject / rvka |
| 13 |
> / rwcdmlxi |
| 14 |
> subject /sbin/gradm |
| 15 |
> /etc/grsec rwx |
| 16 |
> /dev/grsec rw |
| 17 |
> +CAP_DAC_OVERRIDE |
| 18 |
> |
| 19 |
> It would be good if you could just help me get started by giving |
| 20 |
> enough so that gradm -D will work so I can still work on the system |
| 21 |
> without a reboot. At this point it is tedious. |
| 22 |
> |
| 23 |
> Also either the Wiki page is out of date and the advise no longer |
| 24 |
> works, or the problem is actually some kernel option I've enabled: |
| 25 |
> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart |
| 26 |
> |
| 27 |
> |
| 28 |
> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@××××××××××.hu> wrote: |
| 29 |
>> I think you should not issue gradm -E before activating learning mode. |
| 30 |
>> Also make sure to populate your policy with at least some default stuff |
| 31 |
>> for the admin role before enabling it. The example policy file gives a |
| 32 |
>> starting point. |
| 33 |
>> -- |
| 34 |
>> dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 35 |
>> Attila Toth MD, Radiologist, +36-20-825-8057 |
| 36 |
>> |
| 37 |
>> 2014.Február 17.(H) 20:29 időpontban John Tate ezt írta: |
| 38 |
>>> I am new to grsecurity I am having a problem when I enable RBAC, where |
| 39 |
>>> grsecurity denies gradm and certain directories such as /etc/grsec are |
| 40 |
>>> inaccessible, and even /dev/grsec. |
| 41 |
>>> |
| 42 |
>>> gentoo ~ # gradm -E |
| 43 |
>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log |
| 44 |
>>> Could not open /dev/grsec. |
| 45 |
>>> open: Permission denied |
| 46 |
>>> |
| 47 |
>>> /var/log/messages contains this... |
| 48 |
>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3: |
| 49 |
>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for |
| 50 |
>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent |
| 51 |
>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0 |
| 52 |
>>> |
| 53 |
>>> CONFIG_GRKERNSEC=y |
| 54 |
>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set |
| 55 |
>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y |
| 56 |
>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101 |
| 57 |
>>> CONFIG_GRKERNSEC_KMEM=y |
| 58 |
>>> CONFIG_GRKERNSEC_IO=y |
| 59 |
>>> CONFIG_GRKERNSEC_PERF_HARDEN=y |
| 60 |
>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y |
| 61 |
>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y |
| 62 |
>>> CONFIG_GRKERNSEC_BRUTE=y |
| 63 |
>>> CONFIG_GRKERNSEC_MODHARDEN=y |
| 64 |
>>> CONFIG_GRKERNSEC_HIDESYM=y |
| 65 |
>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y |
| 66 |
>>> # CONFIG_GRKERNSEC_NO_RBAC is not set |
| 67 |
>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y |
| 68 |
>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3 |
| 69 |
>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60 |
| 70 |
>>> CONFIG_GRKERNSEC_PROC=y |
| 71 |
>>> CONFIG_GRKERNSEC_PROC_USER=y |
| 72 |
>>> CONFIG_GRKERNSEC_PROC_ADD=y |
| 73 |
>>> CONFIG_GRKERNSEC_LINK=y |
| 74 |
>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set |
| 75 |
>>> CONFIG_GRKERNSEC_FIFO=y |
| 76 |
>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y |
| 77 |
>>> # CONFIG_GRKERNSEC_ROFS is not set |
| 78 |
>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y |
| 79 |
>>> CONFIG_GRKERNSEC_CHROOT=y |
| 80 |
>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y |
| 81 |
>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y |
| 82 |
>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y |
| 83 |
>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y |
| 84 |
>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y |
| 85 |
>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y |
| 86 |
>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y |
| 87 |
>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y |
| 88 |
>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y |
| 89 |
>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y |
| 90 |
>>> CONFIG_GRKERNSEC_CHROOT_NICE=y |
| 91 |
>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y |
| 92 |
>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y |
| 93 |
>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y |
| 94 |
>>> CONFIG_GRKERNSEC_AUDIT_GID=100 |
| 95 |
>>> CONFIG_GRKERNSEC_EXECLOG=y |
| 96 |
>>> CONFIG_GRKERNSEC_RESLOG=y |
| 97 |
>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y |
| 98 |
>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y |
| 99 |
>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y |
| 100 |
>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y |
| 101 |
>>> CONFIG_GRKERNSEC_SIGNAL=y |
| 102 |
>>> CONFIG_GRKERNSEC_FORKFAIL=y |
| 103 |
>>> CONFIG_GRKERNSEC_TIME=y |
| 104 |
>>> CONFIG_GRKERNSEC_PROC_IPADDR=y |
| 105 |
>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y |
| 106 |
>>> CONFIG_GRKERNSEC_DMESG=y |
| 107 |
>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y |
| 108 |
>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y |
| 109 |
>>> # CONFIG_GRKERNSEC_SETXID is not set |
| 110 |
>>> CONFIG_GRKERNSEC_TPE=y |
| 111 |
>>> CONFIG_GRKERNSEC_TPE_ALL=y |
| 112 |
>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set |
| 113 |
>>> CONFIG_GRKERNSEC_TPE_GID=101 |
| 114 |
>>> CONFIG_GRKERNSEC_RANDNET=y |
| 115 |
>>> CONFIG_GRKERNSEC_BLACKHOLE=y |
| 116 |
>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y |
| 117 |
>>> # CONFIG_GRKERNSEC_SOCKET is not set |
| 118 |
>>> # CONFIG_GRKERNSEC_DENYUSB is not set |
| 119 |
>>> CONFIG_GRKERNSEC_SYSCTL=y |
| 120 |
>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set |
| 121 |
>>> CONFIG_GRKERNSEC_SYSCTL_ON=y |
| 122 |
>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set |
| 123 |
>>> CONFIG_GRKERNSEC_FLOODTIME=10 |
| 124 |
>>> CONFIG_GRKERNSEC_FLOODBURST=6 |
| 125 |
>>> |
| 126 |
>>> Help would really be appreciated to get this working, because I'm |
| 127 |
>>> quite new to this and I have no idea what I've missed. |
| 128 |
>>> |
| 129 |
>>> -- |
| 130 |
>>> www.johntate.org |
| 131 |
>>> |
| 132 |
>> |
| 133 |
>> |
| 134 |
>> |
| 135 |
> |
| 136 |
> |
| 137 |
> |
| 138 |
> -- |
| 139 |
> www.johntate.org |
| 140 |
|
| 141 |
|
| 142 |
|
| 143 |
-- |
| 144 |
www.johntate.org |
Archives