* [gentoo-hardened] Grsecurity: Role flag "G" problem
From: atoth @ 2008-11-23 9:48 UTC
To: gentoo-hardened

Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some
error messages are logged every time I authenticate myself as root.
"
Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
"
Role flag "G" is specified for root in order to make this user able to
authenticate using gradm. Some directories - including boot - are hidden.
No matter if I replace "h" with "hs" for role root, these messages still get
logged. If I try to create a policy for gradm, grsec reports that I've
tried to modify an already existing instance - which is probably included
because of role flag "G", but the exact contents are hidden.
This behavior appeared recently.

Did I miss something?
Any ideas on this are greatly appreciated.

Is it discouraged to authenticate using gradm while logged in as root?

Regards,
Dw.
--
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

* Re: [gentoo-hardened] Grsecurity: Role flag "G" problem
From: brant williams @ 2008-11-23 22:38 UTC
To: gentoo-hardened

Why would you specify "hs" for /root in the root policy?  The "h" flag
will hide that path from the role.  You probably want something like:

    role root uG
    subject / {
        / r
        #
        # (other filesystem paths and permissions here)
        #
        /root r
        # capabilities, etc, here
        -CAP_ALL
        bind disabled
        connect disabled
    }

Replacing the object flag "h" with "hs" will still hide things.  ;)  In
the same way, changing from "x" to "rx" will still not allow you to write
to the file.

You might want to take a look at this[1] link...

[1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes

Hope that helps...

brant williams
FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002

* Re: [gentoo-hardened] Grsecurity: Role flag "G" problem
From: brant williams @ 2008-11-23 22:47 UTC
To: gentoo-hardened

Hello again...

I just re-read your original message and am still not entirely sure what
you're trying to do here.  If you _want_ to have directories like /boot
and /root hidden from the root role/user via RBAC, then you should
probably hide/suppress ("hs") them in the "subject" section for bash,
which is what is calling `gradm`.

I'm not entirely sure, but you may need to add these flags to the subject
for /sbin/gradm as well as /bin/bash (in root's role).

As far as there being an instance already running, are you perhaps trying
to run gradm in learning mode while the RBAC system is already active?

Hrm...

brant williams
FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002

* Re: [gentoo-hardened] Grsecurity: Role flag "G" problem
From: atoth @ 2008-11-24 20:09 UTC
To: gentoo-hardened

Hello brant,

I've made a mistake in my original post. For role root I have /root r by,
and /boot h by default.
The primary aim for role flag G is to extend the rules of the role with
some default entries to make gradm authentication possible. If I add role
flag "G", I cannot add /sbin/gradm in addition to it. However, I don't know
which default entries role flag G implements.
I didn't change the default entries for role root, but at some point
"denied access to hidden file /root by /sbin/gradm" messages appeared in
the log files. That means something has changed, which affects the
behavior of Role flag G.

Regards,
Dw.
--
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
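
Added example (not part of the thread and not code from either poster): a small Python parser for the "denied access to hidden file" message quoted in the first post. It reads the parenthesised prefix as role name, role type and subject, which shows whose object list the denial was evaluated against; only the first sample entry comes from the thread, the other two are constructed.

```python
import re
from collections import Counter

# Role-type letter in the log prefix -> meaning.
ROLE_TYPES = {"U": "user", "G": "group", "D": "default", "S": "special"}

DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[UGDS]):(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<object>\S+) "
    r"by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<parent>\S+)\["
)

# First entry is the message quoted in the thread (hard-wrapped as in the
# mail); the second and third entries are constructed for illustration.
SAMPLE_LOG = """\
Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
Nov 23 10:11:02 hostname grsec: (root:U:/) denied access to hidden file /boot by /bin/ls[ls:7201] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
Nov 23 10:12:30 hostname sshd[7300]: Accepted publickey for admin
"""


def parse_denials(text):
    """Return one dict per 'hidden file' denial; tolerates mail-wrapped lines."""
    flat = " ".join(text.split())  # undo hard wraps added by mail clients
    denials = []
    for match in DENIAL_RE.finditer(flat):
        fields = match.groupdict()
        fields["rtype"] = ROLE_TYPES[fields["rtype"]]
        denials.append(fields)
    return denials


def by_subject(denials):
    """Count denials per (role, role type, subject, hidden object)."""
    return Counter(
        (d["role"], d["rtype"], d["subject"], d["object"]) for d in denials
    )


if __name__ == "__main__":
    for (role, rtype, subject, obj), n in by_subject(parse_denials(SAMPLE_LOG)).items():
        print(f"{n}x role={role} ({rtype}) subject={subject} hidden object={obj}")
```

For the entry from the thread this reports role root (user role), subject /sbin/gradm, hidden object /root, with /bin/bash as the parent process.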