Date: Tue, 18 Feb 2014 09:26:43 +1100
Message-ID: <CAHnfuAuPw77frE2LdRcCX2QhfYAO5CKFwS0sKwTXhU+0jERSuQ@mail.gmail.com>
Subject: Re: [gentoo-hardened] grsec denying gradm, system unusuable
From: John Tate <john@johntate.org>
To: gentoo-hardened@lists.gentoo.org

BTW, I was supposed to delete the first two lines of that email.

On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@johntate.org> wrote:
> What should that stuff be so gradm works. I tried add
>
> Also the wiki instructs me to issue gradm -E before putting it in learning mode.
>
> I've tried adding some lines to the admin role myself but the same
> problem occurs, and gradm can no longer find /dev/grsec.
>
> role admin sA
> subject / rvka
>         / rwcdmlxi
> subject /sbin/gradm
>         /etc/grsec rwx
>         /dev/grsec rw
>         +CAP_DAC_OVERRIDE
>
> It would be good if you could just help me get started by giving
> enough so that gradm -D will work so I can still work on the system
> without a reboot. At this point it is tedious.
>
> Also either the Wiki page is out of date and the advice no longer
> works, or the problem is actually some kernel option I've enabled:
> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>
>
> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@atoth.sote.hu> wrote:
>> I think you should not issue gradm -E before activating learning mode.
>> Also make sure to populate your policy with at least some default stuff
>> for the admin role before enabling it. The example policy file gives a
>> starting point.
>> --
>> dr Tóth Attila, Radiologist, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> On 17 February 2014 (Mon) at 20:29, John Tate wrote:
>>> I am new to grsecurity and I am having a problem when I enable RBAC, where
>>> grsecurity denies gradm and certain directories such as /etc/grsec are
>>> inaccessible, and even /dev/grsec.
>>>
>>> gentoo ~ # gradm -E
>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>> Could not open /dev/grsec.
>>> open: Permission denied
>>>
>>> /var/log/messages contains this...
>>> Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3:
>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>
>>> CONFIG_GRKERNSEC=y
>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>> CONFIG_GRKERNSEC_KMEM=y
>>> CONFIG_GRKERNSEC_IO=y
>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>> CONFIG_GRKERNSEC_BRUTE=y
>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>> CONFIG_GRKERNSEC_HIDESYM=y
>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>> CONFIG_GRKERNSEC_PROC=y
>>> CONFIG_GRKERNSEC_PROC_USER=y
>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>> CONFIG_GRKERNSEC_LINK=y
>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>> CONFIG_GRKERNSEC_FIFO=y
>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>> # CONFIG_GRKERNSEC_ROFS is not set
>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>> CONFIG_GRKERNSEC_CHROOT=y
>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>> CONFIG_GRKERNSEC_EXECLOG=y
>>> CONFIG_GRKERNSEC_RESLOG=y
>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>> CONFIG_GRKERNSEC_SIGNAL=y
>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>> CONFIG_GRKERNSEC_TIME=y
>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>> CONFIG_GRKERNSEC_DMESG=y
>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>> # CONFIG_GRKERNSEC_SETXID is not set
>>> CONFIG_GRKERNSEC_TPE=y
>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>> CONFIG_GRKERNSEC_TPE_GID=101
>>> CONFIG_GRKERNSEC_RANDNET=y
>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>> CONFIG_GRKERNSEC_SYSCTL=y
>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>
>>> Help would really be appreciated to get this working, because I'm
>>> quite new to this and I have no idea what I've missed.
>>>
>>> --
>>> www.johntate.org
>>>
>>
>>
>>
>
>
>
> --
> www.johntate.org



-- 
www.johntate.org
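The denial line John quoted from /var/log/messages carries everything a policy author needs to see at a glance: the role and subject the kernel applied ("default:D:/sbin/gradm"), what was denied (CAP_DAC_OVERRIDE), and the process chain. The following parser is an added example written for this archive entry; it is not code from the thread, from Gentoo or from the grsecurity project. It turns such lines into structured records, groups them by (role, subject), and flags the specific symptom in the thread: a uid-0 process being evaluated under the default role ('D' in the role:type:subject prefix is grsecurity's default role type) rather than the admin role that was being edited. The sample log is constructed: the first line is the one quoted in the thread, the second is written here in the same style to show a file-object denial, and the third is unrelated filler that must be ignored.

```python
"""Parse grsecurity RBAC denial lines (as written to /var/log/messages) into
structured records, so that the (role, subject) pair that was denied a
capability or object can be read off directly."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. Line 1 is the denial quoted in the thread; line 2
# is constructed here in the same style to show a file-object denial (it is
# not from the original message); line 3 is filler that must be ignored.
SAMPLE_LOG = (
    "Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3: "
    "(default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for "
    "/sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent "
    "/bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0\n"
    "Feb 16 22:41:02 gentoo kernel: [  665.120001] grsec: From 192.168.0.3: "
    "(default:D:/sbin/gradm) denied open of /dev/grsec for writing by "
    "/sbin/gradm[gradm:3320] uid/euid:0/0 gid/egid:0/0, parent "
    "/bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0\n"
    "Feb 16 22:41:05 gentoo kernel: [  668.000000] usb 1-1: new device\n"
)

# "(role:type:subject)" prefix, optionally preceded by "From <ip>:" when the
# kernel records the originating address of the session (as in the thread).
_HEAD = re.compile(
    r"grsec: (?:From (?P<ip>\S+): )?"
    r"\((?P<role>[^:]+):(?P<role_type>[A-Z]):(?P<subject>[^)]+)\) (?P<rest>.*)$"
)
# Process descriptor: /path/exe[comm:pid] uid/euid:U/E gid/egid:G/E
_PROC = (r"(?P<{p}exe>\S+)\[(?P<{p}comm>[^\]:]+):(?P<{p}pid>\d+)\] "
         r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
         r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")
_TAIL = re.compile(r"^(?P<event>.+?) (?:for|by) " + _PROC.format(p="")
                   + r", parent " + _PROC.format(p="parent_") + r"$")
_CAP = re.compile(r"^use of (?P<cap>CAP_[A-Z_]+) denied$")
_OBJ = re.compile(r"^denied (?P<op>\w+) of (?P<path>\S+)(?: for (?P<mode>\w+))?$")


@dataclass
class Denial:
    role: str
    role_type: str      # 'D' is the default role type in grsecurity's log format
    subject: str
    kind: str           # "capability", "object" or "other"
    target: str         # capability name or filesystem path
    detail: str         # e.g. "open for writing" for object denials
    exe: str
    pid: int
    uid: int
    euid: int
    parent_exe: str
    parent_pid: int
    origin_ip: Optional[str] = None


def parse_grsec_line(line: str) -> Optional[Denial]:
    """Return a Denial for a grsec RBAC log line, or None for any other line."""
    head = _HEAD.search(line)
    if head is None:
        return None
    tail = _TAIL.match(head.group("rest"))
    if tail is None:
        return None
    event = tail.group("event")
    if (m := _CAP.match(event)) is not None:
        kind, target, detail = "capability", m.group("cap"), "use"
    elif (m := _OBJ.match(event)) is not None:
        kind, target = "object", m.group("path")
        detail = m.group("op") + (f" for {m.group('mode')}" if m.group("mode") else "")
    else:
        kind, target, detail = "other", event, ""
    return Denial(
        role=head.group("role"), role_type=head.group("role_type"),
        subject=head.group("subject"), kind=kind, target=target, detail=detail,
        exe=tail.group("exe"), pid=int(tail.group("pid")),
        uid=int(tail.group("uid")), euid=int(tail.group("euid")),
        parent_exe=tail.group("parent_exe"), parent_pid=int(tail.group("parent_pid")),
        origin_ip=head.group("ip"),
    )


def denials_by_subject(log_text: str) -> Dict[Tuple[str, str], List[str]]:
    """Group denied targets by (role, subject): the unit a policy author edits."""
    grouped: Dict[Tuple[str, str], List[str]] = {}
    for line in log_text.splitlines():
        d = parse_grsec_line(line)
        if d is not None:
            grouped.setdefault((d.role, d.subject), []).append(f"{d.kind}:{d.target}")
    return grouped


def root_in_default_role(log_text: str) -> List[Denial]:
    """Denials where a uid-0 process was evaluated under the default role ('D').
    This is the situation in the thread: gradm ran under the default role, so
    lines added to the admin role did not apply to it."""
    return [d for d in (parse_grsec_line(ln) for ln in log_text.splitlines())
            if d is not None and d.euid == 0 and d.role_type == "D"]


if __name__ == "__main__":
    for (role, subject), targets in denials_by_subject(SAMPLE_LOG).items():
        print(f"role={role} subject={subject}: {', '.join(targets)}")
    for d in root_in_default_role(SAMPLE_LOG):
        print(f"uid-0 process {d.exe}[{d.pid}] in default role, denied {d.kind} {d.target}")
```

Run against a real /var/log/messages, `denials_by_subject` gives the list of things each subject was refused, which is what you compare against the policy in /etc/grsec before deciding whether a denial is a policy gap or expected enforcement; `root_in_default_role` is the quick check for the situation above, where the role being edited is not the role the process is actually running under.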