gradm: role root can view /etc/grsec; me: cannot!

Postby skylerb » Wed Nov 15, 2006 3:43 pm

I am having problems configuring my first grsec RBAC policy. I have used full learning mode to generate the policy, edited it in a few places, but cannot use it due to the following error:

achilles grsec # gradm -E
Viewing access is allowed by role root to /etc/grsec, the directory which stores RBAC policies and RBAC password information.

There were 1 holes found in your RBAC configuration.  These must be fixed before the RBAC system will be allowed to be enabled.


I have looked everywhere in the policy for evidence of this, but cannot find the ACL it is referring to (I admittedly don't understand the configuration syntax very well). Here is a grep of the file for references to /etc/grsec:

achilles grsec # grep /etc/grsec policy
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h
        /etc/grsec                      h


Every reference to that directory has the hidden flag, and no read/write flag, so I am not sure why I am getting this message. Here is the beginning of my policy:

role default
subject / {
        /                               h
        -CAP_ALL
        connect disabled
        bind    disabled
}

role root uG
role_allow_ip   0.0.0.0/32
role_allow_ip   10.2.0.241/32
subject /  {
        /
        /lib                            rx
        /bin                            x
        /dev
        /dev/null                       rw
        /dev/tty                        rw
        /dev/urandom                    r
        /dev/grsec                      h
        /dev/mem                        h
        /dev/kmem                       h
        /dev/port                       h
        /dev/log                        h
        /etc                            rx
        /etc/ssh                        h
        /etc/shadow                     h
        /etc/shadow-                    h
        /etc/gshadow                    h
        /etc/gshadow-                   h
        /etc/ppp/chap-secrets           h
        /etc/ppp/pap-secrets            h
        /etc/samba/smbpasswd            h
        /proc                           r
        /proc/kcore                     h
        /proc/bus                       h
        /usr
        /usr/i686-pc-linux-gnu          h
        /usr/i686-pc-linux-gnu/binutils-bin/2.16.1/strings      x
        /usr/i686-pc-linux-gnu/gcc-bin/3.3/gcc  x
        /usr/sbin                       h
        /usr/sbin/run-crons             r
        /usr/sbin/syslog-ng
        /usr/bin                        rx
        /usr/include                    r
        /usr/lib                        rx
        /usr/share                      r
        /var
        /var/spool                      h
        /var/spool/cron                 h
        /var/spool/cron/lastrun
        /var/cache
        /var/cache/edb
        /var/tmp                        r
        /sys                            h
        -CAP_ALL
        bind    disabled
        connect disabled
}
...


Any help would be greatly appreciated.
skylerb
 
Posts: 2
Joined: Wed Nov 15, 2006 3:15 pm
Location: AZ, USA

Re: gradm: role root can view /etc/grsec; me: cannot!

Postby Kp » Fri Nov 17, 2006 11:45 pm

Your / subject in the root role has read+execute access on /etc. Since you did not specify a more specific match for /etc/grsec, it inherits read+execute from /etc. Your /etc/ssh directory is properly hidden. Add a corresponding line for /etc/grsec and try again.
Kp
 
Posts: 46
Joined: Tue Sep 20, 2005 12:56 am
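The inheritance Kp describes is a property of how RBAC object rules are matched: the most specific rule (the longest object path that is the path itself or one of its ancestor directories) decides the mode, so a path with no rule of its own silently gets whatever its closest ancestor has. Below is an added example, not from the thread and not gradm's own code, that models this matching in Python over a constructed excerpt of the policy above and reproduces both the rejected state and the fix. The names `parse_objects`, `effective_mode`, `find_holes` and the `MUST_BE_HIDDEN` list are assumptions of the model, not gradm functions, and the model ignores globs, symlinks, nested subjects and role defaults.

```python
# Added example, not from the thread or from gradm itself: a simplified model
# of how grsecurity RBAC matches a path against a subject's object rules.
# The most specific rule (longest matching path prefix, on whole path
# components) decides the mode, so a path with no rule of its own inherits
# the mode of its closest ancestor. Real gradm also handles globs, symlinks,
# nested subjects and more flags; this model is only meant to reproduce the
# thread's problem and its fix.

# Constructed excerpt of the root-role subject from the thread, with no
# /etc/grsec object of its own (assumption: trimmed to the relevant lines).
ORIGINAL = """
role root uG
subject / {
        /
        /lib                            rx
        /etc                            rx
        /etc/ssh                        h
        /etc/shadow                     h
        /dev/grsec                      h
        -CAP_ALL
        connect disabled
}
"""

# Same subject with the line Kp suggested inserted before /etc/ssh.
FIXED = ORIGINAL.replace(
    "        /etc/ssh",
    "        /etc/grsec                      h\n        /etc/ssh",
)

# Paths the model insists every subject hides (assumption: checking only
# for the 'h' flag, which is what the thread's fix adds).
MUST_BE_HIDDEN = ("/etc/grsec", "/dev/grsec")


def parse_objects(policy_text):
    """Return {path: mode} for the object lines of one subject.

    Role/subject headers, capability lines (-CAP_ALL) and socket rules
    (bind/connect) are skipped. An object listed with no mode, such as
    the bare '/' above, gets the empty string, which grants nothing.
    """
    objects = {}
    for line in policy_text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("/"):
            continue
        path = parts[0]
        mode = parts[1] if len(parts) > 1 else ""
        objects[path] = mode
    return objects


def effective_mode(objects, path):
    """Mode that `path` gets: the longest object path that equals `path`
    or is one of its ancestor directories. None if nothing matches."""
    best = None
    for rule_path in objects:
        prefix = rule_path.rstrip("/") + "/"
        if path == rule_path or path.startswith(prefix):
            if best is None or len(rule_path) > len(best):
                best = rule_path
    return None if best is None else objects[best]


def find_holes(objects, must_be_hidden=MUST_BE_HIDDEN):
    """Paths from must_be_hidden whose effective mode lacks the hidden flag,
    paired with the mode they actually got so the leaking rule is visible."""
    holes = []
    for path in must_be_hidden:
        mode = effective_mode(objects, path)
        if mode is None or "h" not in mode:
            holes.append((path, mode))
    return holes


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        objs = parse_objects(text)
        print(f"{label}: /etc/grsec -> {effective_mode(objs, '/etc/grsec')!r}, "
              f"holes: {find_holes(objs)}")
```

Run as a script, the original excerpt resolves /etc/grsec to `rx` (inherited from the `/etc rx` rule) and reports it as a hole, while the fixed excerpt resolves it to `h` and reports none. This is the same reasoning gradm applies when it refuses to enable the policy; on a real system the authoritative check remains running `gradm -E` after each edit, since gradm matches globs and other cases this model leaves out.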

Postby skylerb » Mon Nov 20, 2006 11:24 am

Thank you very much, that did the trick. I thought I had tried that, but apparently I had not.
skylerb
 
Posts: 2
Joined: Wed Nov 15, 2006 3:15 pm
Location: AZ, USA