pipe rule

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

pipe rule

Postby voron » Thu Jun 01, 2006 12:27 am

Code:
grsec: (root:U:/usr/bin/mysql) denied access to hidden file pipe:/[41951261] by /usr/bin/mysql[mysql:18146] uid/euid:0/0 gid/egid:0/0, parent /var/spool/muskul2/update[update:5485] uid/euid:0/0 gid/egid:0/0
How do I create a rule for that? The lines are like echo 123|mysql -e; the number 41951261 is different every time.
voron
 
Posts: 22
Joined: Mon May 29, 2006 8:54 am

Postby spender » Thu Jun 01, 2006 4:11 pm

As a workaround, does changing "/ h" for that subject to "/" fix the problem?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby voron » Thu Jun 01, 2006 4:42 pm

spender wrote: As a workaround, does changing "/ h" for that subject to "/" fix the problem?
Code:
subject /usr/bin/mysql o {
        /                               r
...
}
Works for me. Trying "/" without r...

Postby voron » Fri Jun 02, 2006 3:46 am

voron wrote: Trying "/" without r...
Not working.
With / h I got
Code:
OS error code   2:  No such file or directory
and with / I got
Code:
OS error code  13:  Permission denied
and in dmesg
Code:
[1360424.173566] grsec:(root:U:/usr/bin/mysql) denied open of pipe:/[112411866] for reading by /usr/bin/mysql[mysql:24789] uid/euid:0/0 gid/egid:0/0, parent /var/spool/muskul2/update[update:29102] uid/euid:0/0 gid/egid:0/0
The mysql statement is: load data local infile '/dev/stdin' replace into table....

Postby spender » Sun Jun 04, 2006 1:17 pm

Which version of linux and grsecurity are you using?

-Brad

Postby voron » Sun Jun 04, 2006 3:15 pm

Code:
cat /etc/*-release
Gentoo Base System version 1.12.0_pre17

Code:
uname -rpm
2.6.16.9-grsec x86_64 AMD Sempron(tm) Processor 2800+
vanilla source from kernel.org
grsecurity-2.1.9-2.6.16.12-200605012018.patch
gradm-2.1.9-200602141850 from gentoo portage

don't know if it helps

Postby voron » Tue Jun 06, 2006 6:54 am

In learning mode for mysql I have lines like this:
Code:
        /[123628]                       r
        /[176549]                       r
        /[229654]                       r
        /[287336]                       r
        /[61052]                        r
        /[621647]                       r
        /[672684]                       r
        /[717276]                       r
Maybe globbing like /[*] r will work?

Postby spender » Tue Jun 13, 2006 10:05 pm

I've updated the 2.4.32 patch in ~spender which should resolve this issue. Since filesystems like pipefs, shmfs, and sockfs aren't real filesystems, the RBAC system shouldn't deal with them. The latest patch corrects that. Can you give it a try and verify that it fixes the problem?

-Brad
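Added example (not from this thread, and not part of grsecurity or gradm): a small Python parser for the denial lines quoted above. It separates denials on pseudo-filesystem objects such as pipe:/[N], where the inode number changes on every run so no path rule in a policy can ever match it, from denials on real paths that a policy author actually needs to look at, and it collapses the per-inode pipe noise into one counter. The sample log lines are constructed from the messages in this thread; the assumption that other denial verbs follow the same "denied <verb> <object> [for <mode>] by" shape, and that other pseudo filesystems log their objects in the same name:/[inode] form, are mine.

```python
import re
from collections import Counter

# Regex for the grsec RBAC denial lines quoted in this thread. Both spellings
# seen there ("grsec: (" and "grsec:(") are accepted. Assumption: other denial
# verbs follow the same "denied <verb> <object> [for <mode>] by" shape.
GRSEC_DENIAL = re.compile(
    r"grsec: ?\((?P<role>[^:]+):(?P<role_type>[^:]+):(?P<subject>[^)]+)\) "
    r"denied (?P<action>.+?) (?P<object>\S+?)"
    r"(?: for (?P<mode>reading|writing))? by "
    r"(?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

# Objects on pseudo filesystems are logged as "<fs>:/[<inode>]", e.g. the
# "pipe:/[41951261]" in the thread. Assumption: sockfs/shmfs objects use the
# same form; only the pipe form is attested on the page.
PSEUDO_FS_OBJECT = re.compile(r"^[a-z_]+:/\[\d+\]$")


def is_pseudo_fs_object(obj):
    """True for objects like pipe:/[41951261] that no path rule can match."""
    return PSEUDO_FS_OBJECT.match(obj) is not None


def parse_grsec_denial(line):
    """Return a dict of the denial's fields, or None if the line is not one."""
    m = GRSEC_DENIAL.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        d[key] = int(d[key])
    d["pseudo_fs"] = is_pseudo_fs_object(d["object"])
    return d


def summarize_denials(log_text):
    """Count denials per (subject, object, action), collapsing the per-run
    inode numbers of pseudo-fs objects to "<fs>:/[*]" so the pipe noise is
    reported once instead of once per inode."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_grsec_denial(line)
        if d is None:
            continue
        if d["pseudo_fs"]:
            obj = d["object"].split(":/", 1)[0] + ":/[*]"
        else:
            obj = d["object"]
        counts[(d["subject"], obj, d["action"])] += 1
    return counts


# Constructed sample lines modelled on the messages in this thread; the third
# line (a denial on a real path) and the fourth (unrelated noise) are made up.
SAMPLE_LOG = """\
[1360424.173566] grsec: (root:U:/usr/bin/mysql) denied access to hidden file pipe:/[41951261] by /usr/bin/mysql[mysql:18146] uid/euid:0/0 gid/egid:0/0, parent /var/spool/muskul2/update[update:5485] uid/euid:0/0 gid/egid:0/0
[1360424.173567] grsec:(root:U:/usr/bin/mysql) denied open of pipe:/[112411866] for reading by /usr/bin/mysql[mysql:24789] uid/euid:0/0 gid/egid:0/0, parent /var/spool/muskul2/update[update:29102] uid/euid:0/0 gid/egid:0/0
[1360424.173568] grsec:(root:U:/usr/bin/mysql) denied open of /etc/mysql/my.cnf for reading by /usr/bin/mysql[mysql:24790] uid/euid:0/0 gid/egid:0/0, parent /var/spool/muskul2/update[update:29103] uid/euid:0/0 gid/egid:0/0
[1360424.173569] some unrelated kernel message
"""

if __name__ == "__main__":
    # Prints one line per (subject, object, action); the two pipe denials
    # share the "pipe:/[*]" object, the my.cnf denial keeps its real path.
    for (subject, obj, action), n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}  {subject}  {action}  {obj}")
```

The practical reading of the summary: rows whose object is a pseudo-fs placeholder are not something a policy can fix by adding a path rule, which is why the thread ends with the pseudo-fs fix in the patch rather than a policy change, while rows with a real path are genuine policy gaps to review.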

Postby voron » Fri Jun 16, 2006 12:44 am

spender wrote: I've updated the 2.4.32 patch in ~spender which should resolve this issue. Can you give it a try and verify that it fixes the problem?
My server is
Code:
uname -mr
2.6.16.9-grsec x86_64
so I need a 2.6 patch :)

Postby spender » Tue Jul 04, 2006 12:10 am

The latest 2.6.17.3 patch in ~spender includes the pseudofs fix. Let me know if it doesn't correct your problem.

-Brad

