RBAC Policy Problems

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

RBAC Policy Problems

Postby h0rbin » Mon Aug 20, 2007 5:54 am

Hi List

I pretty new with GRSecurity!
I just have a system with GRSecurity installed and have now a new application which have to be started at boot time. Th application is based on 5 processes and I tried to figure out the correct RBAC policy. But with no luck :-(

I still get errors because the processes aren't allowed to do a mkdir or mknod.
I just attached you my policy and the logs. All of the policy which is attached is in the default role.

I hope someone can help me.

Thanks a lot in advance.

Regards,
h0rbin

Policy:
subject /var/tool/bin/tool-agentd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
+CAP_MKNOD
bind 192.168.169.250/32:1514 stream udp
connect 192.168.169.250/32:1514 stream udp

subject /var/tool/bin/tool-logcollector
user_transition_deny xxx
/var/log rd
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-syscheckd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-rootcheck
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-control
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/dev/log rwcd
/var/tool/queue/tool/queue rwcd
/bin/mkdir x
+CAP_SYS_TTY_CONFIG
+CAP_SETUID

subject /var/tool/bin/tool-execd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/dev/log rwcd
/var/tool/queue/tool/queue rwcd
+CAP_MKNOD


Logs:
Aug 20 10:09:37 crash kernelgrsec: (default:D:/sbin/gradm) grsecurity 2.1.10 RBAC system loaded by /sbin/gradm[gradm:6133] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/grsec[S95grsec:6130] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:37 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6182] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:38 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6187] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:40 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6192] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:41 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6197] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:42 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6202] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:43 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6208] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied unlink of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied mknod of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied unlink of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied mknod of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
h0rbin
 
Posts: 1
Joined: Mon Aug 20, 2007 5:53 am

Re: RBAC Policy Problems

Postby brant » Sat Aug 25, 2007 11:44 am

h0rbin wrote:...and have now a new application which have to be started at boot time.

I still get errors because the processes aren't allowed to do a mkdir or mknod.
I just attached you my policy and the logs. All of the policy which is attached is in the default role.

Policy:
subject /var/tool/bin/tool-agentd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
+CAP_MKNOD
bind 192.168.169.250/32:1514 stream udp
connect 192.168.169.250/32:1514 stream udp

subject /var/tool/bin/tool-logcollector
user_transition_deny xxx
/var/log rd
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-syscheckd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-rootcheck
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-control
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/dev/log rwcd
/var/tool/queue/tool/queue rwcd
/bin/mkdir x
+CAP_SYS_TTY_CONFIG
+CAP_SETUID

subject /var/tool/bin/tool-execd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/dev/log rwcd
/var/tool/queue/tool/queue rwcd
+CAP_MKNOD


Logs:
Aug 20 10:09:37 crash kernelgrsec: (default:D:/sbin/gradm) grsecurity 2.1.10 RBAC system loaded by /sbin/gradm[gradm:6133] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/grsec[S95grsec:6130] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:37 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6182] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:38 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6187] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:40 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6192] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:41 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6197] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:42 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6202] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:43 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6208] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied unlink of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied mknod of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied unlink of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied mknod of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


There is no user role defined to allow these processes to run, which is why they're stuck in the default role. The default role generally has absolutely no permissions at all. Whatever uid 1007 maps to on your system needs to have a user role set up with these subjects beneath it.

I'd suggest disabling the program, as well as your grsec init script, from running at boot. Then, enable learning mode (e.g. gradm -F -L learning.log). With learning mode activated, run your application as uid 1007. This should generate a user role with the appropriate subjects.
brant
 
Posts: 9
Joined: Fri Feb 03, 2006 2:35 am
Location: earth, sol

Postby ralphy » Wed Aug 29, 2007 6:51 pm

The denied 'mkdir's are fixable by giving the 'w' flag to the area it needs writing in, I believe. The denied unlinks can be remedied, afaik, by giving the object 'cdl' flags:

Code: Select all
# configuration inheritance
#
# new object modes:
# c -> allow creation of the file/directory
# d -> allow deletion of the file/directory
# l -> allow a hardlink at this path
#       (hardlinking requires at a minimum c and l modes, and the target
#        link cannot have any greater permission than the source file)

Again, however, I'm relatively sure this is how to fix something like this and that's the best I can say given my personal experience with Rbac. If it doesn't work, you may be better off waiting for somebody with more experience to provide a fix. Hope you get it worked out!
ralphy
 
Posts: 52
Joined: Wed Jan 11, 2006 12:51 pm

Postby spender » Thu Sep 06, 2007 5:05 pm

To remove a file, write and delete ("wd") flags are necessary. Unlink (delete) here has nothing to do with the creation of hardlinks, so the "l" flag should not be used.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to RBAC policy development

cron