problems running tripwire from mounted CD-ROM [v2.1.8]

Post by matty » Tue Feb 07, 2006 3:42 pm

I run tripwire daily from a mounted CD-ROM. The executable and the database are on the CD. Normally it works fine, but with RBAC enabled sometimes(!) it does not. The execution of the binary on the CD is being denied:

syslog:
Feb  7 06:25:10 XXX syslogd 1.4.1#17: restart.
Feb  7 06:25:13 XXX kernel: ISO 9660 Extensions: Microsoft Joliet Level 3
Feb  7 06:25:13 XXX kernel: ISOFS: changing to secondary root
Feb  7 06:25:13 XXX kernel: grsec: (root:U:/etc/cron.daily) denied execution of /media/cdrom0/usr/sbin/tripwire by /usr/bin/nice[nice:7011] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/tripwire[tripwire:24007] uid/euid:0/0 gid/egid:0/0


ACL:
subject /etc/cron.daily o {
user_transition_allow root
group_transition_allow root
...
        /media
        /media/cdrom0
        /media/cdrom0/usr/sbin          rxi
        /media/cdrom0/var/lib/tripwire/XXX.twd     r
...
}


But the next day it may work fine. I think it does not work if the CD was just mounted. If it was already mounted, it seems to work. But that's just an assumption. How can I fix that behaviour so that tripwire is run every day without problems?

Kernel 2.6.14.6
grsecurity 2.1.8-2.6.14.6-200601211647
gradm v2.1.8

If you need additional ACL subjects, let me know.

Post by spender » Tue Feb 07, 2006 7:10 pm

Grsecurity's RBAC system doesn't yet support policies on filesystems that haven't been mounted at enable time.

-Brad

Post by matty » Wed Feb 08, 2006 4:54 pm

So if the CD is mounted before enabling the RBAC system it should work? I will try that, thanks for your answer.

Post by matty » Sun Feb 12, 2006 6:25 am

Yes, that fixed it.
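
A boot-time guard for the fix confirmed in this thread, as an added example that is not part of any post or of grsecurity itself: it refuses to run `gradm -E` until every mount point the policy refers to is listed in /proc/mounts. The function names, the REQUIRED_MOUNTS variable and the --enable switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: enable grsecurity RBAC only once the filesystems the policy
# refers to are mounted. REQUIRED_MOUNTS, the function names and --enable are
# assumptions for illustration, not part of gradm.

# Space-separated mount points the policy depends on (the CD from the thread).
REQUIRED_MOUNTS="${REQUIRED_MOUNTS:-/media/cdrom0}"

# is_mounted DIR [MOUNTS_FILE]: succeed if DIR is a mount point listed in
# MOUNTS_FILE (/proc/mounts format: device mountpoint fstype options dump pass).
# Mount points containing spaces (written as \040 there) are not handled.
is_mounted() {
    dir=${1%/}                       # tolerate a trailing slash
    [ -n "$dir" ] || dir=/           # "/" itself was stripped to empty
    awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# missing_mounts MOUNTS_FILE DIR...: print each DIR that is not mounted.
missing_mounts() {
    mf=$1; shift
    for m in "$@"; do
        is_mounted "$m" "$mf" || printf '%s\n' "$m"
    done
}

# enable_rbac [MOUNTS_FILE]: refuse to enable RBAC while a required mount is
# absent, because objects on a filesystem mounted later would be denied.
enable_rbac() {
    missing=$(missing_mounts "${1:-/proc/mounts}" $REQUIRED_MOUNTS)
    if [ -n "$missing" ]; then
        echo "not enabling RBAC, missing mounts: $missing" >&2
        return 1
    fi
    gradm -E
}

# Act only when asked, so the functions can be sourced and tested on their own.
if [ "${1:-}" = "--enable" ]; then
    enable_rbac
fi
```

Called with --enable from the boot script that would otherwise run `gradm -E` directly, after the CD has been mounted.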

