From: "Anthony G. Basile"
Date: Sat, 03 Sep 2011 15:46:47 -0400
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] bonding grsec logs about capabilites and alias during boot
Message-ID: <4E628427.5090109@opensource.dyc.edu>
In-Reply-To: <3d3f536ac71e77d3caa89d4e49477a41.squirrel@atoth.sote.hu>

On 09/03/2011 11:36 AM, "Tóth Attila" wrote:
> In May I started seeing grsec messages about bonding. It was compiled into
> the kernel for ages, serving the primary multi-port NIC connected to a
> Cisco in 802.3ad mode. It turned out that the driver was auto-loaded
> before I tried to echo the mode parameters during the boot process. I
> started compiling it as a module and specifying module parameters for it.
> That solved the problem for some months. Now the messages returned while
> bumping to recent hardened-sources (Gentoo) kernels (3.0.3 and 3.0.4).
> This is the message I'm talking about:
>
> grsec: denied auto-loading kernel module for a network device with
> CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-bonding
> instead.
>
> These messages appear before the RBAC system would be activated, so I
> have no clue how I might determine the executable causing it and how I
> could make the binary ask for CAP_NET_ADMIN. I suspect it's not a
> simple policy issue. Modprobe and all other relevant module binaries have
> CAP_NET_ADMIN in my rule set. I suppose udev triggers the auto-load logic
> for bonding. The parameters are included in the necessary files, but the
> mechanism doesn't care about those.
> I got to the point where I chose the dirty way and altered the
> defaults in the kernel source. Of course it works, but I'm seeking a
> proper solution.
>
> Please let me know what I am supposed to do to get rid of this and make
> the system auto-load the module with the correct parameters. I have no
> clue where I can teach the system the suggested alias or how I make a
> binary ask for the proper CAP.
>
> Thanks:
> Dw.

I looked back at our conversation

http://www.gossamer-threads.com/lists/gentoo/hardened/231011

It does look like the same issue again. I don't think we really solved it, but just found a workaround, which you specify above. It turns out that you can compile it static and change mode upon booting by echoing values to /sys/class/net/bond0/bonding/mode. I do that on two systems running ancient 2.6.34 kernels, but this should work on 3.0.x. You can try that.

However, it bothers me that we don't understand what's going on. You can try disabling GRKERNSEC_MODHARDEN and rebooting to see if grsec is denying some udev trigger. But modharden should only prevent non-root processes from autoloading. I can't test on mine because they are on high availability clusters.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
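The two routes discussed in this thread, the netdev-bonding alias that the grsec message asks for and the sysfs mode write that Anthony uses with a static driver, as an added example that is not code from the thread: a POSIX shell snippet that writes a modprobe.d file mapping the alias to the bonding module with its options, and sets the bond mode through sysfs only while the bond has no slaves. SYSFS_ROOT and MODPROBE_DIR are hypothetical overrides so the functions can be exercised against a scratch directory instead of a live system.

```shell
#!/bin/sh
# Added example, not code from the thread. SYSFS_ROOT and MODPROBE_DIR are
# hypothetical overrides so the functions can be exercised on a scratch tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"

# Module case: a CAP_NET_ADMIN caller asks the kernel for "netdev-bonding",
# so map that alias to the bonding module and carry the parameters that the
# boot script used to echo by hand (mode and miimon are real bonding options).
write_bonding_modprobe_conf() {
    mode="$1"; miimon="$2"
    mkdir -p "$MODPROBE_DIR" || return 1
    printf 'alias netdev-bonding bonding\noptions bonding mode=%s miimon=%s\n' \
        "$mode" "$miimon" > "$MODPROBE_DIR/bonding.conf"
}

# Static case: set the mode through sysfs. The driver rejects a mode change
# once slaves are enslaved (and while the bond is up), so check slaves first
# instead of discovering the refusal as a write error during boot.
set_bond_mode() {
    bond="$1"; mode="$2"
    dir="$SYSFS_ROOT/class/net/$bond/bonding"
    if [ ! -d "$dir" ]; then
        echo "$bond: no bonding sysfs directory" >&2
        return 1
    fi
    if [ -n "$(cat "$dir/slaves" 2>/dev/null)" ]; then
        echo "$bond: has slaves, set the mode before enslaving" >&2
        return 2
    fi
    printf '%s\n' "$mode" > "$dir/mode"
}

# First word of the mode file (real sysfs reports it as "<name> <number>").
bond_mode() {
    read -r name rest < "$SYSFS_ROOT/class/net/$1/bonding/mode" && printf '%s\n' "$name"
}

# Typical boot order for a static driver: mode first, then enslave, e.g.
#   set_bond_mode bond0 802.3ad && echo +eth0 > /sys/class/net/bond0/bonding/slaves
```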