From: "Tóth Attila" <atoth@atoth.sote.hu>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] grsec denying gradm, system unusable
Date: Sun, 23 Feb 2014 16:21:26 +0100
Message-ID: <f855bdf93fbd85a40efd4fe5cbe827fd.squirrel@atoth.sote.hu>
In-Reply-To: <CAHnfuAtgwYZjpL_OKu1Q_qoW7JWR2qAK2iZwzUj7uVnwngRBkQ@mail.gmail.com>
I run learning while RBAC is disabled. So without gradm -E.
I'm not sure what's wrong with your setup, but learning mode does not
require RBAC to be active.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
On 2014 February 23 (Sun) at 10:20, John Tate wrote:
> How does it learn about the gradm -E before I've run it? Running it
> kills the system, whereupon there is no /etc/grsec to write any rules
> to. I've thought of this, and it doesn't work.
>
> On Tue, Feb 18, 2014 at 10:06 PM, "Tóth Attila" <atoth@atoth.sote.hu>
> wrote:
>> Just give gradm learning a try without a prior gradm -E.
>> After you can generate an initial set of rules for your policy, you can
>> start fine-tuning it for some specific applications.
>> --
>> Dr Tóth Attila, Radiologist, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> On 2014 February 17 (Mon) at 23:26, John Tate wrote:
>>> BTW, I was supposed to delete the first two lines of that email.
>>>
>>> On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@johntate.org> wrote:
>>>> What should that stuff be so gradm works? I tried to add
>>>>
>>>> Also the wiki instructs me to issue gradm -E before putting it in
>>>> learning mode.
>>>>
>>>> I've tried adding some lines to the admin role myself, but the same
>>>> problem occurs, and gradm can no longer find /dev/grsec.
>>>>
>>>> role admin sA
>>>> subject / rvka
>>>> / rwcdmlxi
>>>> subject /sbin/gradm
>>>> /etc/grsec rwx
>>>> /dev/grsec rw
>>>> +CAP_DAC_OVERRIDE
>>>>
>>>> It would be good if you could just help me get started by giving
>>>> enough so that gradm -D will work so I can still work on the system
>>>> without a reboot. At this point it is tedious.
>>>>
>>>> Also, either the wiki page is out of date and the advice no longer
>>>> works, or the problem is actually some kernel option I've enabled:
>>>> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>>>>
>>>>
>>>> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@atoth.sote.hu>
>>>> wrote:
>>>>> I think you should not issue gradm -E before activating learning
>>>>> mode.
>>>>> Also make sure to populate your policy with at least some default stuff
>>>>> for the admin role before enabling it. The example policy file gives a
>>>>> starting point.
>>>>> --
>>>>> Dr Tóth Attila, Radiologist, 06-20-825-8057
>>>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>>>
>>>>> On 2014 February 17 (Mon) at 20:29, John Tate wrote:
>>>>>> I am new to grsecurity. I am having a problem when I enable RBAC, where
>>>>>> grsecurity denies gradm and certain directories such as /etc/grsec are
>>>>>> inaccessible, and even /dev/grsec.
>>>>>>
>>>>>> gentoo ~ # gradm -E
>>>>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>>>>> Could not open /dev/grsec.
>>>>>> open: Permission denied
>>>>>>
>>>>>> /var/log/messages contains this (one log line, wrapped here by the mailer):
>>>>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>>>>
>>>>>> CONFIG_GRKERNSEC=y
>>>>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>>>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>>>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>>>>> CONFIG_GRKERNSEC_KMEM=y
>>>>>> CONFIG_GRKERNSEC_IO=y
>>>>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>>>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>>>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>>>>> CONFIG_GRKERNSEC_BRUTE=y
>>>>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>>>>> CONFIG_GRKERNSEC_HIDESYM=y
>>>>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>>>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>>>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>>>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>>>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>>>>> CONFIG_GRKERNSEC_PROC=y
>>>>>> CONFIG_GRKERNSEC_PROC_USER=y
>>>>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>>>>> CONFIG_GRKERNSEC_LINK=y
>>>>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>>>>> CONFIG_GRKERNSEC_FIFO=y
>>>>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>>>>> # CONFIG_GRKERNSEC_ROFS is not set
>>>>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>>>>> CONFIG_GRKERNSEC_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_RESLOG=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_SIGNAL=y
>>>>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>>>>> CONFIG_GRKERNSEC_TIME=y
>>>>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>>>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>>>>> CONFIG_GRKERNSEC_DMESG=y
>>>>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>>>>> # CONFIG_GRKERNSEC_SETXID is not set
>>>>>> CONFIG_GRKERNSEC_TPE=y
>>>>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>>>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>>>>> CONFIG_GRKERNSEC_TPE_GID=101
>>>>>> CONFIG_GRKERNSEC_RANDNET=y
>>>>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>>>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>>>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>>>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL=y
>>>>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>>>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>>>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>>>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>>>>
>>>>>> Help would really be appreciated to get this working, because I'm
>>>>>> quite new to this and I have no idea what I've missed.
>>>>>>
>>>>>> --
>>>>>> www.johntate.org
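The denial line John posted carries more than the verdict: the "(role:type:subject)" prefix names the RBAC role and the subject block the kernel actually matched for the process, which is where any capability line would have to live to affect that decision. The parser below is an added example, not code from this thread or from grsecurity; it extracts those fields from syslog-style lines. Assumptions: the prefix is read as role name, role-type letter (D for a default role, as grsec prints it) and subject path; the first sample line is the thread's own log entry re-joined onto one line and the second is a constructed filler kernel message.

```python
"""Parse grsecurity RBAC capability-denial log lines and report the
role/subject block each decision was evaluated under.

Added example; not code from the gentoo-hardened thread or from grsecurity.
"""
import re

# Layout as grsec prints it: an optional "From <ip>:" (with PROC_IPADDR),
# then "(role:role-type:subject)", then the verdict and process details.
# Role-type letter: D = default role (assumption: U user, G group, A special).
CAP_DENIAL_RE = re.compile(
    r"grsec: (?:From (?P<src>[0-9.]+): )?"
    r"\((?P<role>[^:)]+):(?P<role_type>[A-Z]):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_[A-Z_]+) denied for "
    r"(?P<path>[^\[\s]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>[^\[\s]+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)"
)

# Constructed sample: line 1 is the thread's entry joined onto one line,
# line 2 is an unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:40:57 gentoo kernel: [  660.000001] usb 1-1: new high-speed USB device number 2 using ehci-pci
"""

INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
              "ppid", "puid", "peuid", "pgid", "pegid")


def parse_cap_denial(line):
    """Return a dict of the denial's fields, or None for unrelated lines."""
    m = CAP_DENIAL_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in INT_FIELDS:
        ev[key] = int(ev[key])
    return ev


def parse_log(text):
    """All capability denials found in a block of syslog text."""
    events = []
    for ln in text.splitlines():
        ev = parse_cap_denial(ln)
        if ev is not None:
            events.append(ev)
    return events


def policy_location(ev):
    """The role/subject block the kernel used for this decision.

    A process is in exactly one role and one subject at a time, so a
    '+CAP_...' line under any other role or subject (for example a special
    role that has not been entered) does not apply to this denial.
    """
    return "role %s / subject %s" % (ev["role"], ev["subject"])


def describe(ev):
    """One-line human summary of a parsed denial."""
    return ("%s (pid %d, uid %d/euid %d) was denied %s under %s; "
            "parent %s (pid %d)" % (
                ev["path"], ev["pid"], ev["uid"], ev["euid"], ev["cap"],
                policy_location(ev), ev["ppath"], ev["ppid"]))


if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(describe(event))
```

Run over the sample, the parser reports that the decision was made under role "default", subject "/sbin/gradm": a capability granted in a different role's subject block is not consulted for that process until the process is actually in that role. Whether to grant the capability there is a separate policy question the log alone does not answer.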
Thread overview (7 messages):
2014-02-17 19:29 [gentoo-hardened] grsec denying gradm, system unusable John Tate
2014-02-17 20:03 ` "Tóth Attila"
2014-02-17 22:25 ` John Tate
2014-02-17 22:26 ` John Tate
2014-02-18 11:06 ` "Tóth Attila"
2014-02-23 9:20 ` John Tate
2014-02-23 15:21 ` "Tóth Attila" [this message]