Strange denials while switching from 2.6.20 to 2.6.21



Postby Dwokfur » Wed Jun 27, 2007 12:00 am

I've upgraded recently from 2.6.20-hardened-r2 to 2.6.21-hardened-r3.
Besides my sn9c102 webcam stopping working, giving -ENOSPC in usb_submit_urb (aaarrgh - reported upstream), some lovely denials showed up.
In the meantime I've added some rules to fine-tune my laptop using the information provided by powertop.
There were denials writing to /sys/module/snd_ac97_codec/parameters/power and /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor. First I thought it was a trivial mistake, but I couldn't get rid of these. While shutting down my computer I saw two more denials while the system tried to flush the routing table (/proc/sys/net/ipv4/route/flush - by /sbin/ip). These two were surprising, because I hadn't touched that rule. I've double-checked the whole policy for missing brackets.
Things got stranger when I noticed that another machine I've upgraded showed exactly the same denials.
Now I booted 2.6.20 again, and saw that everything is normal! The symptom is absolutely reproducible. Whenever I boot the former kernel the denials disappear, while after booting the latter they return.

My question would be:
Were there any changes regarding the handling of /proc and /sys directories between grsec-2.1.10-2.6.20.6-200704091818 and grsec-2.1.10-2.6.21.1-200705221918?

If not: are there any hints on my problem? I'm using dazuko, which is enabled only on some user's directory and working fine along with clamav's clamuko.

Regards,
Dw.
Dwokfur
 
Posts: 99
Joined: Tue Jun 08, 2004 10:07 am

Postby zakalwe » Wed Jun 27, 2007 12:24 pm

There were changes to mainline that made the /proc/sys inodes dynamic. I'm pretty sure spender fixed the rbac breakage in /proc/sys in recent test patches. Perhaps the /sys filesystem is broken in the same way.
zakalwe
 
Posts: 22
Joined: Mon Jul 10, 2006 9:40 am

Postby Dwokfur » Thu Jun 28, 2007 11:21 am

zakalwe wrote:There were changes to mainline that made the /proc/sys inodes dynamic. I'm pretty sure spender fixed the rbac breakage in /proc/sys in recent test patches. Perhaps the /sys filesystem is broken in the same way.


Thanks for your comment.
It would be good to hear Spender's opinion about this.

Regards,
Dw.

Postby spender » Thu Jun 28, 2007 4:41 pm

There were changes regarding the handling of /proc/sys which have been fixed in more current patches. I've not heard of any other reports of problems with /sys, but I'll look into it.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
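The two replies above come down to one mechanism: gradm resolves each path in an RBAC policy to a device/inode pair, so if a kernel starts handing out different inode numbers for /proc/sys (or /sys) entries, a rule stops matching even though the policy text is unchanged. The helpers below are an added example, not code from this thread or from grsecurity: they record the dev:inode identity of a list of paths and diff two such snapshots, which is the check to run before suspecting the policy itself. It assumes a `stat` that accepts `-c` (GNU coreutils or BusyBox) plus `sort`, `join` and `awk`; the two embedded snapshots are constructed, and their inode numbers are illustrative rather than values observed on any kernel.

```shell
#!/bin/sh
# Added example (not from the thread or grsecurity): snapshot the dev:inode
# identity that an inode-based policy such as grsecurity RBAC resolves a path
# to, and diff two snapshots to find paths whose identity moved between boots.
# Assumes stat -c (GNU/BusyBox), sort, join and awk.
LC_ALL=C
export LC_ALL

# snapshot_ids PATH... -> "path dev:inode" per existing path, sorted by path
# (join below requires sorted input). Run this once per kernel on the live box.
snapshot_ids() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        printf '%s %s\n' "$p" "$(stat -c '%d:%i' "$p")"
    done | sort
}

# changed_ids OLD NEW -> paths present in both snapshot files whose dev:inode
# differs; each such path is one a policy rule will silently stop matching.
changed_ids() {
    join "$1" "$2" | awk '$2 != $3 { print $1 }'
}

# Constructed sample snapshots standing in for two boots of the same machine
# on different kernels. The numbers are made up for illustration only.
sample_old() {
    cat <<'EOF'
/etc/passwd 2049:131073
/proc/sys/net/ipv4/route/flush 3:1234
/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor 17:3091
/sys/module/snd_ac97_codec/parameters/power 17:5120
EOF
}

sample_new() {
    cat <<'EOF'
/etc/passwd 2049:131073
/proc/sys/net/ipv4/route/flush 3:41
/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor 17:4455
/sys/module/snd_ac97_codec/parameters/power 17:5120
EOF
}

# demo -> the paths whose identity differs between the two constructed snapshots
demo() {
    old=$(mktemp); new=$(mktemp)
    sample_old > "$old"
    sample_new > "$new"
    changed_ids "$old" "$new"
    rm -f "$old" "$new"
}

demo
```

In practice you would replace the constructed snapshots with `snapshot_ids` output taken under each kernel (for instance over every path named in the policy's object rules) and then re-run `changed_ids`; a non-empty result for the paths in the denials, with the policy text untouched, points at the kernel's inode allocation rather than at a missing rule.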

Postby Dwokfur » Sat Jun 30, 2007 11:15 am

spender wrote:There were changes regarding the handling of /proc/sys which have been fixed in more current patches. I've not heard of any other reports of problems with /sys, but I'll look into it.

-Brad


Thx, Brad.

Regards,
Dw.