Gentoo Archives: gentoo-hardened

From: "Tóth Attila" <atoth@××××××××××.hu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] grsec denying gradm, system unusuable
Date: Tue, 18 Feb 2014 11:06:39
Message-Id: f713fef69938630759a74c65835a4834.squirrel@atoth.sote.hu
In Reply to: Re: [gentoo-hardened] grsec denying gradm, system unusuable by John Tate
Just give gradm learning a try without a prior gradm -E.
After you can generate an initial set of rules for your policy, you can
start fine-tuning it for some specific applications.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Monday, February 17, 2014 at 23:26, John Tate wrote:
> BTW, I was supposed to delete the first two lines of that email.
>
> On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@××××××××.org> wrote:
>> What should that stuff be so gradm works. I tried add
>>
>> Also the wiki instructs me to issue gradm -E before putting it in
>> learning mode.
>>
>> I've tried adding some lines to the admin role myself but the same
>> problem occurs, and gradm can no longer find /dev/grsec..
>>
>> role admin sA
>> subject / rvka
>> / rwcdmlxi
>> subject /sbin/gradm
>> /etc/grsec rwx
>> /dev/grsec rw
>> +CAP_DAC_OVERRIDE
>>
>> It would be good if you could just help me get started by giving
>> enough so that gradm -D will work so I can still work on the system
>> without a reboot. At this point it is tedious.
>>
>> Also either the Wiki page is out of date and the advice no longer
>> works, or the problem is actually some kernel option I've enabled:
>> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>>
>>
>> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@××××××××××.hu>
>> wrote:
>>> I think you should not issue gradm -E before activating learning mode.
>>> Also make sure to populate your policy with at least some default stuff
>>> for the admin role before enabling it. The example policy file gives a
>>> starting point.
>>> --
>>> dr Tóth Attila, Radiológus, 06-20-825-8057
>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>
>>> On Monday, February 17, 2014 at 20:29, John Tate wrote:
>>>> I am new to grsecurity and I am having a problem when I enable RBAC, where
>>>> grsecurity denies gradm and certain directories such as /etc/grsec are
>>>> inaccessible, and even /dev/grsec.
>>>>
>>>> gentoo ~ # gradm -E
>>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>>> Could not open /dev/grsec.
>>>> open: Permission denied
>>>>
>>>> /var/log/messages contains this...
>>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
>>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>>
>>>> CONFIG_GRKERNSEC=y
>>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>>> CONFIG_GRKERNSEC_KMEM=y
>>>> CONFIG_GRKERNSEC_IO=y
>>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>>> CONFIG_GRKERNSEC_BRUTE=y
>>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>>> CONFIG_GRKERNSEC_HIDESYM=y
>>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>>> CONFIG_GRKERNSEC_PROC=y
>>>> CONFIG_GRKERNSEC_PROC_USER=y
>>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>>> CONFIG_GRKERNSEC_LINK=y
>>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>>> CONFIG_GRKERNSEC_FIFO=y
>>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>>> # CONFIG_GRKERNSEC_ROFS is not set
>>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>>> CONFIG_GRKERNSEC_CHROOT=y
>>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>>> CONFIG_GRKERNSEC_EXECLOG=y
>>>> CONFIG_GRKERNSEC_RESLOG=y
>>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>>> CONFIG_GRKERNSEC_SIGNAL=y
>>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>>> CONFIG_GRKERNSEC_TIME=y
>>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>>> CONFIG_GRKERNSEC_DMESG=y
>>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>>> # CONFIG_GRKERNSEC_SETXID is not set
>>>> CONFIG_GRKERNSEC_TPE=y
>>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>>> CONFIG_GRKERNSEC_TPE_GID=101
>>>> CONFIG_GRKERNSEC_RANDNET=y
>>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>>> CONFIG_GRKERNSEC_SYSCTL=y
>>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>>
>>>> Help would really be appreciated to get this working, because I'm
>>>> quite new to this and I have no idea what I've missed.
>>>>
>>>> --
>>>> www.johntate.org
>>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> www.johntate.org
>
>
>
> --
> www.johntate.org
>
>

Replies

Subject Author
Re: [gentoo-hardened] grsec denying gradm, system unusuable John Tate <john@××××××××.org>