learning mode and apache2

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby hardigunawan » Tue Jan 14, 2003 5:20 am

Hi,

I'm using RedHat 8.0 and grsecurity 1.9.8. I'm able to use grsecurity up to configuring ACL. What I did was to append (in /etc/grsec/acl):

/usr/sbin/httpd l {
}

run gradm -E, and then run the httpd init script, /etc/rc.d/init.d/httpd start. After some time, I run:
/etc/rc.d/init.d/httpd stop
gradm -D
gradm -L -O /etc/grsec/acl

In that acl file, I found (in addition to the default from the gradm):

/usr/sbin/httpd l {
}
/usr/sbin/httpd o {
/var/log/httpd/error_log ra
/var/log/httpd/access_log a
/ r
/opt rx
/home rxw
/mnt rw
/dev
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/psaux rw
/dev/null rw
/dev/tty0 rw
/dev/tty1 rw
/dev/tty2 rw
/dev/tty3 rw
/dev/tty4 rw
/dev/tty5 rw
/dev/tty6 rw
/dev/tty7 rw
/dev/tty8 rw
/dev/console rw
/dev/tty rw
/dev/pts rw
/dev/ptmx rw
/dev/dsp rw
/dev/mixer rw
/dev/ippp0 rw
/dev/ippp1 rw
/dev/ippp2 rw
/dev/ippp3 rw
/dev/ippp4 rw
/dev/ippp5 rw
/dev/ippp6 rw
/dev/ippp7 rw
/dev/initctl rw
/dev/fd0 r
/dev/cdrom r
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rxw
/proc/kcore h
/proc/sys r
/root r
/tmp rw
/var rxw
/var/tmp rw
/var/log r
/boot r
/etc/grsec h
/usr/sbin/httpd x
+CAP_ALL
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_SYS_MODULE
-CAP_SYS_RAWIO
-CAP_MKNOD
}

I believe I've done something wrong, because /dev/psaux, /dev/dsp and others are also included.
hardigunawan
 
Posts: 10
Joined: Tue Jan 14, 2003 5:10 am

Postby spender » Tue Jan 14, 2003 10:06 am

you should put "o" in the subject mode for apache, so it will look like the following:

/usr/sbin/httpd lo {
/ h
-CAP_ALL
}

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby hardigunawan » Tue Jan 14, 2003 9:21 pm

OK, I've put the "o" and the rest as you've suggested, and retried again. This time, it produces:
/usr/sbin/httpd o {
/var/run/httpd.pid w
/var/run
/var/log/httpd/error_log ra
/var/log/httpd/access_log a
/usr/lib rx
/lib/libdl-2.2.93.so
/lib rx
/lib/ld-2.2.93.so x
/lib/i686/libm-2.2.93.so rx
/etc/ld.so.cache rx
/usr/sbin/httpd x
/ h
-CAP_ALL
}

But looking at it, it's a lot different from the example that comes with grsec (the debian_secure_acls). For example, I don't have:
+CAP_DAC_OVERRIDE
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
connect {
0.0.0.0/0:53 dgram udp
}

bind {
0.0.0.0/0:80 stream tcp
}

My questions are:
1) Are the above supposed to be done manually or through learning mode?
2) Am I doing the correct procedure?
3) There are files that the /etc/rc.d/init.d/httpd created (but not /usr/sbin/httpd), so do I add that manually?
4) The above ACL gives me an error:

"usr/sbin/httpd: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory"
hardigunawan
 
Posts: 10
Joined: Tue Jan 14, 2003 5:10 am

Postby spender » Tue Jan 14, 2003 9:25 pm

The reason you don't have the additional ACLs I believe is because you didn't restart apache, so all you got was the things it needed to do after it started up.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby hardigunawan » Tue Jan 14, 2003 9:45 pm

I did restart apache a few times during learning, but through redhat's usual "/etc/rc.d/init.d/httpd restart". I also accessed the website so that it would be readable by httpd process.
hardigunawan
 
Posts: 10
Joined: Tue Jan 14, 2003 5:10 am

Postby hardigunawan » Tue Jan 14, 2003 10:06 pm

Also, I discovered this in the log:

grsec: From 10.0.5.17: attempt to connect to the unix domain socket /dev/log by (initlog:2707) UID(0) EUID(0), parent (httpd:2697) UID(0) EUID(0)

Do I create another ACL for initlog?
hardigunawan
 
Posts: 10
Joined: Tue Jan 14, 2003 5:10 am

Postby hardigunawan » Tue Jan 14, 2003 10:30 pm

Ok, maybe previously I did something wrong, because now I'm able to get:

/usr/sbin/httpd o {
/var/www/html
/var/run/httpd.pid w
/var/run
/var/log/httpd/error_log ra
/var/log/httpd/access_log a
/var/log/httpd
/usr/sbin/suexec
/usr/lib rx
/usr/lib/httpd/modules rx
/sbin/insmod x
/lib/libnsl-2.2.93.so r
/lib rx
/lib/ld-2.2.93.so x
/lib/i686/libm-2.2.93.so rx
/etc/ld.so.cache rx
/etc/httpd/conf/magic r
/etc/httpd/conf/httpd.conf r
/etc/httpd/conf.d
/etc/httpd
/etc r
/dev/random r
/dev/null rw
/dev
/usr/sbin/httpd x
/
-CAP_ALL
RES_FSIZE 58169 58169
RES_DATA 686128 686128
RES_STACK 148456 148456
RES_RSS 0 0
RES_NPROC 31 30
RES_NOFILE 13 8
RES_MEMLOCK 0 0
RES_AS 7991584 7991584
RES_LOCKS 0 0

connect {
127.0.0.1:53 dgram udp
}

bind {
0.0.0.0:0 dgram ip
0.0.0.0:80 stream tcp
}
}

There's still an error: "/usr/sbin/httpd: error while loading shared libraries: libnsl.so.1: failed to map segment from shared object: Permission denied" when I try to start apache. I've since then changed the ACL to have "/lib/libnsl-2.2.93.so rx" (i.e. adding an x).

Then the problem as in my previous posting appears:
Starting httpd: (13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down.

After adding +CAP_NET_BIND_SERVICE, it works all right.

I'm also wondering about the bind "0.0.0.0:0 dgram ip" line, and "/var/www/html" (and a few others) with no attribute.

For learning mode, I used:
/path/to/executable lo {

/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}

My questions:

1) Does +CAP_NET_BIND_SERVICE have to be added manually?
2) What will happen to those objects with no attribute?
3) I don't think apache would bind to 0.0.0.0:0 dgram ip?
hardigunawan
 
Posts: 10
Joined: Tue Jan 14, 2003 5:10 am
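A small audit script for the learned policy, added here as an example for this thread (it is not part of gradm or grsecurity). It parses only the subset of the 1.9.x ACL syntax that appears in the posts above (subject header, object lines, +CAP_/-CAP_ lines, RES_ lines, connect/bind blocks) and reports what a reviewer would check before swapping the learned block in for enforcement: objects that were learned without any mode, whether the "/ h" plus "-CAP_ALL" default-deny baseline from Brad's template survived, top-level directories that ended up writable or a visible "/" (the first learned ACL had "/ r" and "/home rxw"), and binds to ports below 1024 that are not backed by CAP_NET_BIND_SERVICE, which is why the port 80 bind failed until that capability was re-added. The sample ACL inside it is constructed from the learned httpd subject posted above and trimmed. The assumption that a mode-less object line grants no read/write/execute access is mine; the port rule is the kernel's standard CAP_NET_BIND_SERVICE check for ports below 1024.

```python
# Audit a gradm-learned subject block before enforcing it.
# Added example for this thread; not gradm or grsecurity code. Understands only
# the ACL subset seen in the thread. Assumes a mode-less object grants no r/w/x.
import re

SUBJECT_RE = re.compile(r"^(/\S*)\s*([a-zA-Z]*)\s*\{$")       # "/path [mode] {"
SOCKET_RE = re.compile(r"^(\S+):(\d+)\s+(\w+)\s+(\w+)$")        # "host:port type proto"
# Directories where a learned "w" (or a visible "/") is almost always too broad.
BROAD_DIRS = {"/", "/etc", "/home", "/proc", "/tmp", "/usr", "/var"}

# Constructed sample: the learned httpd subject from the thread, trimmed.
LEARNED_ACL = """\
/usr/sbin/httpd o {
/var/www/html
/var/run/httpd.pid w
/var/run
/var/log/httpd/error_log ra
/var/log/httpd/access_log a
/lib/libnsl-2.2.93.so r
/lib rx
/etc r
/dev/null rw
/dev
/usr/sbin/httpd x
/
-CAP_ALL
RES_NPROC 31 30
connect {
127.0.0.1:53 dgram udp
}
bind {
0.0.0.0:0 dgram ip
0.0.0.0:80 stream tcp
}
}
"""

# Same subject with the two fixes the thread ends with: "/" hidden again and
# CAP_NET_BIND_SERVICE re-added after -CAP_ALL for the port 80 bind.
FIXED_ACL = LEARNED_ACL.replace("\n/\n", "\n/ h\n").replace(
    "-CAP_ALL\n", "-CAP_ALL\n+CAP_NET_BIND_SERVICE\n")


def parse_acl(text):
    """Return one dict per subject: path, mode, objects, caps, bind, connect."""
    subjects, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if cur is None:                      # waiting for a subject header
            m = SUBJECT_RE.match(line)
            if m:
                cur = {"path": m.group(1), "mode": m.group(2), "objects": {},
                       "caps": [], "bind": [], "connect": []}
            continue
        if section:                          # inside connect { } or bind { }
            if line == "}":
                section = None
            else:
                m = SOCKET_RE.match(line)    # "disabled" simply does not match
                if m:
                    cur[section].append((m.group(1), int(m.group(2)),
                                         m.group(3), m.group(4)))
            continue
        if line == "}":
            subjects.append(cur)
            cur = None
        elif line in ("connect {", "bind {"):
            section = line.split()[0]
        elif line[0] in "+-" and line[1:].startswith("CAP_"):
            cur["caps"].append(line)
        elif line.startswith("/"):           # object line: path [mode]
            parts = line.split()
            cur["objects"][parts[0]] = parts[1] if len(parts) > 1 else ""
        # RES_* resource limits are kept out of this audit
    return subjects


def has_cap(caps, name):
    """Evaluate +CAP_/-CAP_ lines in order; CAP_ALL resets, later lines win."""
    allow_all, added, removed = False, set(), set()
    for entry in caps:
        sign, cap = entry[0], entry[1:]
        if cap == "CAP_ALL":
            allow_all, added, removed = sign == "+", set(), set()
        elif sign == "+":
            added.add(cap)
            removed.discard(cap)
        else:
            removed.add(cap)
            added.discard(cap)
    return (allow_all and name not in removed) or name in added


def audit_subject(s):
    objs = s["objects"]
    low_ports = sorted(p for _, p, _, _ in s["bind"] if 0 < p < 1024)
    return {
        "subject": s["path"],
        "learning": "l" in s["mode"],
        "unattributed": sorted(p for p, m in objs.items() if m == ""),
        "default_deny": objs.get("/") == "h" and "-CAP_ALL" in s["caps"],
        "broad": sorted(p for p, m in objs.items() if p in BROAD_DIRS
                        and ("w" in m or (p == "/" and m != "h"))),
        "privileged_ports": low_ports,
        "needs_net_bind_cap": bool(low_ports)
                              and not has_cap(s["caps"], "CAP_NET_BIND_SERVICE"),
    }


def audit(text):
    return [audit_subject(s) for s in parse_acl(text)]


if __name__ == "__main__":
    for label, acl in (("learned", LEARNED_ACL), ("fixed", FIXED_ACL)):
        for finding in audit(acl):
            print(label, finding)
```

Run it directly to print both audits side by side: the learned block reports "/" and three directories with no mode, no default-deny baseline, and a port 80 bind with no capability behind it; the fixed block only keeps the mode-less directories, which is the one item on that list the thread has not resolved.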

Postby spender » Wed Jan 15, 2003 10:27 am

if you could, grep for LEARN in your logs, and mail the output to me at spender@grsecurity.net, and I'll see what I get here.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
