Why security hole in ACL?

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Why security hole in ACL?

Postby `VL » Fri Jan 05, 2007 3:51 pm

Currently i`m rewriting manally auto-generated ACLs(that works fine, thank you for the great job!) to reduce it`s number, use inheritance and so on.

I tried to put rules the following rule for /dev in role`s root policy
Code: Select all

which means that processes in that role can find /dev directory. As i understood from documentation, no access granted to contents of this directory(it can only be listed).
When i started gradm with such, policy it talled me that there are holes in it, because it allows access to /dev/grsec,/dev/kmem and so. But it actually doesn`t! ( or am i wrong?)

I removed /dev rule from root ACL of role and moved it to subject (bash). After this manipulation i was able to run this policy. I checked that bash can`t red /dev/grsec (ACL system doesn`t allow it, causing Permission denied message).

So, my question is: is that policy check wrong or i misunderstand something?

Thank you for attention and all the job done.
Posts: 28
Joined: Wed Feb 23, 2005 2:11 pm

Postby slimm609 » Sun Apr 01, 2007 6:38 am

where in the policy did you add it? it can be considered a security hole. paste that section of the policy and we can take a look to see what up with it.
Posts: 12
Joined: Sun Apr 01, 2007 6:36 am

Postby `VL » Sun Apr 01, 2007 8:31 am

I`ve published policy files here:

You are interested in file: http://vl409.prohosts.org/grsec/roles/root_acl
Posts: 28
Joined: Wed Feb 23, 2005 2:11 pm

Postby brant » Sun Apr 15, 2007 10:42 am


You should be able to resolve this with the following in your root role:

Code: Select all
/dev/grsec h
/dev/kmem h
/dev/mem h
/dev/port h

This will allow the root role to see /dev, but not allow access to those four areas, which will keep gradm from complaining. =) Hope that helps...
Posts: 9
Joined: Fri Feb 03, 2006 2:35 am
Location: earth, sol

Return to RBAC policy development