Gentoo Archives: gentoo-hardened

From: "Tóth Attila" <atoth@××××××××××.hu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] grsec denying gradm, system unusable
Date: Sun, 23 Feb 2014 15:21:47
Message-Id: f855bdf93fbd85a40efd4fe5cbe827fd.squirrel@atoth.sote.hu
In Reply to: Re: [gentoo-hardened] grsec denying gradm, system unusable by John Tate
I run learning while RBAC is disabled. So without gradm -E.
I'm not sure what's wrong with your setup, but learning mode does not
require the RBAC to be active.
--
dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2014 February 23 (Sun) 10:20, John Tate wrote:
> How does it learn about the gradm -E before I've run it. Running it
> kills the system, whereupon there is no /etc/grsec to write any rules
> to. I've thought of this, and it doesn't work.
>
> On Tue, Feb 18, 2014 at 10:06 PM, "Tóth Attila" <atoth@××××××××××.hu>
> wrote:
>> Just give gradm learning a try without a prior gradm -E.
>> After you can generate an initial set of rules for your policy, you can
>> start fine-tuning it for some specific applications.
>> --
>> dr Tóth Attila, Radiologist, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> On 2014 February 17 (Mon) 23:26, John Tate wrote:
>>> BTW, I was supposed to delete the first two lines of that email.
>>>
>>> On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@××××××××.org> wrote:
>>>> What should that stuff be so gradm works. I tried add
>>>>
>>>> Also the wiki instructs me to issue gradm -E before putting it in
>>>> learning mode.
>>>>
>>>> I've tried adding some lines to the admin role myself but the same
>>>> problem occurs, and gradm can no longer find /dev/grsec.
>>>>
>>>> role admin sA
>>>> subject / rvka
>>>> / rwcdmlxi
>>>> subject /sbin/gradm
>>>> /etc/grsec rwx
>>>> /dev/grsec rw
>>>> +CAP_DAC_OVERRIDE
>>>>
>>>> It would be good if you could just help me get started by giving
>>>> enough so that gradm -D will work so I can still work on the system
>>>> without a reboot. At this point it is tedious.
>>>>
>>>> Also either the Wiki page is out of date and the advice no longer
>>>> works, or the problem is actually some kernel option I've enabled:
>>>> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>>>>
>>>> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@××××××××××.hu>
>>>> wrote:
>>>>> I think you should not issue gradm -E before activating learning
>>>>> mode.
>>>>> Also make sure to populate your policy with at least some default
>>>>> stuff for the admin role before enabling it. The example policy file
>>>>> gives a starting point.
>>>>> --
>>>>> dr Tóth Attila, Radiologist, 06-20-825-8057
>>>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>>>
>>>>> On 2014 February 17 (Mon) 20:29, John Tate wrote:
>>>>>> I am new to grsecurity. I am having a problem when I enable RBAC,
>>>>>> where grsecurity denies gradm and certain directories such as
>>>>>> /etc/grsec are inaccessible, and even /dev/grsec.
>>>>>>
>>>>>> gentoo ~ # gradm -E
>>>>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>>>>> Could not open /dev/grsec.
>>>>>> open: Permission denied
>>>>>>
>>>>>> /var/log/messages contains this...
>>>>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From
>>>>>> 192.168.0.3:
>>>>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>>>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>>>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>>>>
>>>>>> CONFIG_GRKERNSEC=y
>>>>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>>>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>>>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>>>>> CONFIG_GRKERNSEC_KMEM=y
>>>>>> CONFIG_GRKERNSEC_IO=y
>>>>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>>>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>>>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>>>>> CONFIG_GRKERNSEC_BRUTE=y
>>>>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>>>>> CONFIG_GRKERNSEC_HIDESYM=y
>>>>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>>>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>>>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>>>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>>>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>>>>> CONFIG_GRKERNSEC_PROC=y
>>>>>> CONFIG_GRKERNSEC_PROC_USER=y
>>>>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>>>>> CONFIG_GRKERNSEC_LINK=y
>>>>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>>>>> CONFIG_GRKERNSEC_FIFO=y
>>>>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>>>>> # CONFIG_GRKERNSEC_ROFS is not set
>>>>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>>>>> CONFIG_GRKERNSEC_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_RESLOG=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_SIGNAL=y
>>>>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>>>>> CONFIG_GRKERNSEC_TIME=y
>>>>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>>>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>>>>> CONFIG_GRKERNSEC_DMESG=y
>>>>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>>>>> # CONFIG_GRKERNSEC_SETXID is not set
>>>>>> CONFIG_GRKERNSEC_TPE=y
>>>>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>>>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>>>>> CONFIG_GRKERNSEC_TPE_GID=101
>>>>>> CONFIG_GRKERNSEC_RANDNET=y
>>>>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>>>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>>>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>>>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL=y
>>>>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>>>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>>>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>>>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>>>>
>>>>>> Help would really be appreciated to get this working, because I'm
>>>>>> quite new to this and I have no idea what I've missed.
>>>>>>
>>>>>> --
>>>>>> www.johntate.org
>>>>>>
>>>>>
>>>>
>>>> --
>>>> www.johntate.org
>>>>
>>>
>>> --
>>> www.johntate.org
>>>
>>
>
> --
> www.johntate.org
>