udev support for grsec

Post by cormander » Tue Mar 18, 2008 3:17 pm

Hey Guys,

After a reboot of the system, enabling of the gradm results in this error:

[root@localhost ~]# gradm -E
Could not open /dev/grsec.
open: No such file or directory


The fix is to run the mknod command... or in my case I like to use MAKEDEV, and I created an entry for it:

[root@localhost ~]# cat /etc/makedev.d/grsecurity
c 622 root root 1 13 1 1 grsec


For now I have the "MAKEDEV grsec" command in my rc.local file, right before "gradm -E". The device exists in /dev/ on the real fs as seen here, but udev makes it disappear:

[root@localhost ~]# mount --bind / /tmp/test/
[root@localhost ~]# ls -al /tmp/test/dev/grsec
crw-rw-rw-  1 root root 1, 13 Mar 18 14:29 /tmp/test/dev/grsec
[root@localhost ~]# ls -al /dev/grsec
ls: /dev/grsec: No such file or directory


Which is the reason why I have the MAKEDEV entry in rc.local .... to recreate it each time the system boots.

I was wondering if anyone had any ideas how to get the creation of /dev/grsec to happen when udev is started on system boot, so I don't need this entry in rc.local..... That way, when I make a gradm rpm, I can have it drop a file in /etc/udev/rules.d (or wherever it needs to be for this) instead of modifying rc.local inside of %post and %preun. A dirty hack around this is putting the MAKEDEV command inside the gradm init script, but I'd like to have udev handle this for me.

Thoughts appreciated.
cormander
 

Re: udev support for grsec

Post by cormander » Wed Mar 19, 2008 11:45 am

The following isn't done by udev itself. I was hoping to get udev to create the device with its rules.d configuration, but this seems to be as close as I can get.

Looks like various udev init scripts from different distributions copy 'additional' devices from a certain directory.

RHEL/CentOS 4 and 5 look for them in /etc/udev/devices

Fedora 8 (and probably older fedoras too) look in /etc/udev/devices and /lib/udev/devices

OpenSUSE 10.3 looks in /lib/udev/devices

SLES9 doesn't appear to be doing any of the above, from what I can see.

So doing the mknod of the grsec in one of those directories in the above distributions will have it copied to /dev/ when udev starts.

According to FC8, however, doing this is deprecated. There exists a new directory, /etc/udev/makedev.d (not to be confused with /etc/makedev.d) and on RHEL/CentOS 5 and Fedora 8 (and possibly older fedoras) doing this will have the grsec device created at boot time:

echo "c 622 root root 1 13 1 1 grsec" > /etc/makedev.d/grsecurity
echo grsec > /etc/udev/makedev.d/90-grsec.nodes


The MAKEDEV command gets called for each line in all the .nodes files in /etc/udev/makedev.d/, which is why we need the entry in /etc/makedev.d/grsecurity (so it knows how to create the device).

Hope this helps anyone else running into this. If anyone can figure out how to have /dev/grsec created by udev itself (and not by init scripts) then I'd like to know :)
cormander
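
The two mechanisms from the posts above, combined into one installer that a package %post script could call. This is an added example, not code from the thread or from gradm; the function names and the ROOT prefix argument are assumptions, and the device mode is the one in the MAKEDEV entry quoted in the posts.

```shell
#!/bin/sh
# Added example: make /dev/grsec survive udev's tmpfs /dev using only the
# mechanisms described in the thread. ROOT is a hypothetical prefix argument
# so the logic can be tried on a scratch tree; leave it empty on a live system.

# Print the mechanism available under ROOT: "makedev", "static:<dir>" or "none".
grsec_node_method() {
    root="${1:-}"
    # RHEL/CentOS 5 and Fedora 8: the udev init script runs MAKEDEV for every
    # name listed in /etc/udev/makedev.d/*.nodes.
    if [ -d "$root/etc/udev/makedev.d" ] && [ -d "$root/etc/makedev.d" ]; then
        echo makedev; return 0
    fi
    # Older (deprecated on FC8) route: static nodes copied into /dev at udev start.
    for d in /etc/udev/devices /lib/udev/devices; do
        if [ -d "$root$d" ]; then echo "static:$d"; return 0; fi
    done
    echo none; return 1
}

# Apply the chosen mechanism under ROOT. The static route calls mknod and
# therefore needs root privileges.
grsec_node_install() {
    root="${1:-}"
    method=$(grsec_node_method "$root") || {
        echo "no known udev hook found; keep MAKEDEV in the init script" >&2
        return 1
    }
    case "$method" in
        makedev)
            # Same two files as in the post: MAKEDEV definition + .nodes entry.
            echo "c 622 root root 1 13 1 1 grsec" > "$root/etc/makedev.d/grsecurity"
            echo grsec > "$root/etc/udev/makedev.d/90-grsec.nodes"
            ;;
        static:*)
            dir="$root${method#static:}"
            # Character device, major 1 minor 13 (see the ls output above).
            [ -c "$dir/grsec" ] || mknod -m 622 "$dir/grsec" c 1 13
            ;;
    esac
}
# Usage on a live system, as root:  grsec_node_install ""
```

After the next boot, `ls -l /dev/grsec` should show a character device with major 1, minor 13 before `gradm -E` runs.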
 