* [gentoo-hardened] Grsecurity: Role flag "G" problem
From: atoth @ 2008-11-23 9:48 UTC
To: gentoo-hardened
Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some
error messages are logged every time I authenticate myself as root.
"
Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
"
Role flag "G" is specified for root in order to make this user able to
authenticate using gradm. Some directories - including boot - are hidden.
No matter if I replace "h" with "hs" for role root, these messages still get
logged. If I try to create a policy for gradm, grsec reports that I've
tried to modify an already existing instance - which is probably included
because of Role flag "G", but the exact contents are hidden.
This behavior appeared recently.
Did I miss something?
Any ideas on this are greatly appreciated.
Is it discouraged to authenticate using gradm while logged in as root?
Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
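Added example, not part of any message in this thread: a small Python parser for the denial quoted above. It re-joins the mail-wrapped syslog record and groups hidden-object denials by role, subject and object, which shows the policy block to inspect. Reading the prefix `(root:U:/sbin/gradm)` as role name, role type and subject path is an assumption, as are all function and field names; the second sample line is constructed.

```python
import re
from collections import Counter

# Constructed input: the denial quoted in the post, wrapped as in the mail,
# followed by one made-up unrelated syslog line that must be ignored.
SAMPLE = """\
Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
Nov 23 10:09:45 hostname cron[812]: constructed unrelated line
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def proc(tag):
    # exe[comm:pid] uid/euid:U/E gid/egid:G/E, as printed for process and parent
    return (rf"(?P<{tag}_exe>\S+)\[(?P<{tag}_comm>[^:\]]+):(?P<{tag}_pid>\d+)\] "
            rf"uid/euid:(?P<{tag}_uid>\d+)/(?P<{tag}_euid>\d+) gid/egid:\d+/\d+")

# Assumed reading of the prefix: (role name : role type : subject path).
DENIAL = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<role_type>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<object>\S+) by "
    + proc("proc") + ", parent " + proc("parent"))

def unwrap(text):
    """Join wrapped records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_denials(text):
    denials = []
    for record in unwrap(text):
        m = DENIAL.search(record)
        if m:
            d = m.groupdict()
            # True when the process ran under a subject defined for its own binary
            d["own_subject"] = d["subject"] == d["proc_exe"]
            denials.append(d)
    return denials

def summarize(denials):
    """Count hidden-object denials per (role, subject, object)."""
    return Counter((d["role"], d["subject"], d["object"]) for d in denials)

if __name__ == "__main__":
    for key, n in summarize(parse_denials(SAMPLE)).items():
        print(n, *key)
```

For the quoted line, `own_subject` is true: the subject in the prefix is `/sbin/gradm` itself, so the object rule hiding `/root` is the one in effect for that subject in role root.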
* Re: [gentoo-hardened] Grsecurity: Role flag "G" problem
From: brant williams @ 2008-11-23 22:38 UTC
To: gentoo-hardened
Why would you specify "hs" for /root in the root policy? The "h" flag
will hide that path from the role. You probably want something like:

role root uG
subject / {
	/	r
	#
	# (other filesystem paths and permissions here)
	#
	/root	r
	# capabilities, etc, here
	-CAP_ALL
	bind disabled
	connect disabled
}

Replacing the object flag "h" with "hs" will still hide things. ;) In
the same way, changing from "x" to "rx" will still not allow you to write
to the file.
You might want to take a look at this[1] link...
[1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes
Hope that helps...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
* Re: [gentoo-hardened] Grsecurity: Role flag "G" problem
From: brant williams @ 2008-11-23 22:47 UTC
To: gentoo-hardened
Hello again...
I just re-read your original message and am still not entirely sure what
you're trying to do here. If you _want_ to have directories like /boot
and /root hidden from the root role/user via RBAC, then you should
probably hide/suppress ("hs") them in the "subject" section for bash,
which is what is calling `gradm`.
I'm not entirely sure, but you may need to add these flags to the subject
for /sbin/gradm as well as /bin/bash (in root's role).
As far as there being an instance already running, are you perhaps trying
to run gradm in learning mode while the RBAC system is already active?
Hrm...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
* Re: [gentoo-hardened] Grsecurity: Role flag "G" problem
From: atoth @ 2008-11-24 20:09 UTC
To: gentoo-hardened
Hello brant,
I've made a mistake in my original post.
For role root I have /root r, and /boot h by default. The primary aim
for role flag G is to extend the rules of the role with some default
entries to make gradm authentication possible. If I add role flag "G", I
cannot add /sbin/gradm in addition to it. However, I don't know which
default entries role flag G implements.
I didn't change the default entries for role root, but at some point
"denied access to hidden file /root by /sbin/gradm" messages appeared in
the log files. That means something has changed, which affects the
behavior of Role flag G.
Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962