
RBAC Policy Problems

PostPosted: Mon Aug 20, 2007 5:54 am
by h0rbin
Hi List

I'm pretty new with GRSecurity!
I have a system with GRSecurity installed and now have a new application which has to be started at boot time. The application is based on 5 processes and I tried to figure out the correct RBAC policy, but with no luck :-(

I still get errors because the processes aren't allowed to do a mkdir or mknod.
I have attached my policy and the logs. All of the attached policy is in the default role.

I hope someone can help me.

Thanks a lot in advance.

Regards,
h0rbin

Policy:
subject /var/tool/bin/tool-agentd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
+CAP_MKNOD
bind 192.168.169.250/32:1514 stream udp
connect 192.168.169.250/32:1514 stream udp

subject /var/tool/bin/tool-logcollector
user_transition_deny xxx
/var/log rd
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-syscheckd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-rootcheck
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-control
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/dev/log rwcd
/var/tool/queue/tool/queue rwcd
/bin/mkdir x
+CAP_SYS_TTY_CONFIG
+CAP_SETUID

subject /var/tool/bin/tool-execd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/dev/log rwcd
/var/tool/queue/tool/queue rwcd
+CAP_MKNOD


Logs:
Aug 20 10:09:37 crash kernelgrsec: (default:D:/sbin/gradm) grsecurity 2.1.10 RBAC system loaded by /sbin/gradm[gradm:6133] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/grsec[S95grsec:6130] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:37 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6182] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:38 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6187] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:40 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6192] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:41 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6197] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:42 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6202] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:43 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6208] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied unlink of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied mknod of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied unlink of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied mknod of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Re: RBAC Policy Problems

PostPosted: Sat Aug 25, 2007 11:44 am
by brant
h0rbin wrote:...and now have a new application which has to be started at boot time.

I still get errors because the processes aren't allowed to do a mkdir or mknod.
I have attached my policy and the logs. All of the attached policy is in the default role.

Policy:
subject /var/tool/bin/tool-agentd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
+CAP_MKNOD
bind 192.168.169.250/32:1514 stream udp
connect 192.168.169.250/32:1514 stream udp

subject /var/tool/bin/tool-logcollector
user_transition_deny xxx
/var/log rd
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-syscheckd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-rootcheck
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/var/tool/queue/tool/queue rwcd
/dev/log rwcd

subject /var/tool/bin/tool-control
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/dev/log rwcd
/var/tool/queue/tool/queue rwcd
/bin/mkdir x
+CAP_SYS_TTY_CONFIG
+CAP_SETUID

subject /var/tool/bin/tool-execd
user_transition_deny xxx
/var/tool/logs rw
/var/tool/var rwcd
/dev/log rwcd
/var/tool/queue/tool/queue rwcd
+CAP_MKNOD


Logs:
Aug 20 10:09:37 crash kernelgrsec: (default:D:/sbin/gradm) grsecurity 2.1.10 RBAC system loaded by /sbin/gradm[gradm:6133] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/grsec[S95grsec:6130] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:37 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6182] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:38 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6187] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:40 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6192] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:41 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6197] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:42 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6202] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:43 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6208] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied unlink of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied mknod of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied unlink of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied mknod of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


There is no user role defined to allow these processes to run, which is why they're stuck in the default role. The default role generally has absolutely no permissions at all. Whatever uid 1007 maps to on your system needs to have a user role set up with these subjects beneath it.

I'd suggest disabling the program, as well as your grsec init script, from running at boot. Then, enable learning mode (e.g. gradm -F -L learning.log). With learning mode activated, run your application as uid 1007. This should generate a user role with the appropriate subjects.

PostPosted: Wed Aug 29, 2007 6:51 pm
by ralphy
The denied 'mkdir's are fixable by giving the 'w' flag to the area it needs writing in, I believe. The denied unlinks can be remedied, afaik, by giving the object 'cdl' flags:

# configuration inheritance
#
# new object modes:
# c -> allow creation of the file/directory
# d -> allow deletion of the file/directory
# l -> allow a hardlink at this path
#       (hardlinking requires at a minimum c and l modes, and the target
#        link cannot have any greater permission than the source file)

Again, however, I'm relatively sure this is how to fix something like this and that's the best I can say given my personal experience with RBAC. If it doesn't work, you may be better off waiting for somebody with more experience to provide a fix. Hope you get it worked out!

PostPosted: Thu Sep 06, 2007 5:05 pm
by spender
To remove a file, write and delete ("wd") flags are necessary. Unlink (delete) here has nothing to do with the creation of hardlinks, so the "l" flag should not be used.

-Brad
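As an added example (not code from the thread or from gradm), the script below turns the kernel's denial lines into the object rules they imply, tying together brant's point about the default role and spender's point about the "wd" flags. It parses the parenthesised "(role:type:subject)" field and the "denied <op> of <path> by <exe>[comm:pid] uid/euid:u/e" fields of the log format shown above, groups the denials by the subject the kernel actually matched, and unions the object modes the thread associates with each operation. The operation-to-mode table is an assumption taken from the posts ('w' plus 'c' for mkdir/mknod, 'w' plus 'd' for unlink), not gradm's own table, and the sample log is five of the thread's lines copied verbatim, including the "kernelgrsec:" spelling as extracted. Note that the forked /bin/mkdir ran under the subject /bin, not under /var/tool/bin/tool-control, which is where the report places the missing rule.

```python
"""Summarise grsecurity RBAC denial lines into the object rules they imply."""
import re
from collections import defaultdict

# Object modes each denied operation implies, as stated in this thread:
# 'w' for the area being written (ralphy), 'c' for creation per the quoted
# gradm comments, and 'w' plus 'd' for unlink (spender).  This mapping is an
# assumption drawn from the thread, not a table taken from gradm.
REQUIRED_MODES = {
    "mkdir": set("wc"),
    "mknod": set("wc"),
    "unlink": set("wd"),
}

# Matches: grsec: (role:type:subject) denied <op> of <path> by <exe>[comm:pid] uid/euid:u/e
DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied (?P<op>\w+) of (?P<path>\S+) "
    r"by (?P<exe>\S+?)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

# Constructed sample: five lines copied from the thread's log excerpt, plus the
# "RBAC system loaded" line to show that non-denial lines are skipped.
SAMPLE_LOG = """\
Aug 20 10:09:37 crash kernelgrsec: (default:D:/sbin/gradm) grsecurity 2.1.10 RBAC system loaded by /sbin/gradm[gradm:6133] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/grsec[S95grsec:6130] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:37 crash kernelgrsec: (default:D:/bin) denied mkdir of /var/tool/var/start-script-lock by /bin/mkdir[mkdir:6182] uid/euid:0/0 gid/egid:0/0, parent /var/tool/bin/tool-control[tool-control:6178] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied unlink of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-execd) denied mknod of /var/tool/queue/alerts/execq by /var/tool/bin/tool-execd[tool-execd:6218] uid/euid:0/0 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied unlink of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 20 10:09:44 crash kernelgrsec: (default:D:/var/tool/bin/tool-agentd) denied mknod of /var/tool/queue/tool/queue by /var/tool/bin/tool-agentd[tool-agentd:6222] uid/euid:1007/1007 gid/egid:1008/1008, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""


def parse_denials(text):
    """Return one dict per 'denied <op> of <path>' line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("pid", "uid", "euid"):
            d[k] = int(d[k])
        found.append(d)
    return found


def suggest_objects(denials):
    """Group denials by (role, subject, path) and union the modes each implies.

    Returns {(role, subject, path): {"modes": "cdw", "ops": {op: count}, "uids": {uid}}}.
    An operation missing from REQUIRED_MODES contributes no modes (reported as '?').
    """
    grouped = {}
    for d in denials:
        key = (d["role"], d["subject"], d["path"])
        entry = grouped.setdefault(key, {"modes": set(), "ops": defaultdict(int), "uids": set()})
        entry["modes"] |= REQUIRED_MODES.get(d["op"], set())
        entry["ops"][d["op"]] += 1
        entry["uids"].add(d["uid"])
    return {
        k: {"modes": "".join(sorted(v["modes"])), "ops": dict(v["ops"]), "uids": v["uids"]}
        for k, v in grouped.items()
    }


def report(denials):
    """Render one candidate object line per (role, subject, path), in policy syntax."""
    lines = []
    for (role, subject, path), v in sorted(suggest_objects(denials).items()):
        ops = ", ".join(f"{op} x{n}" for op, n in sorted(v["ops"].items()))
        lines.append(f"role {role} / subject {subject}: {path} {v['modes'] or '?'}   # {ops}")
        if role == "default":
            uids = ", ".join(str(u) for u in sorted(v["uids"]))
            lines.append(f"  note: matched the default role for uid {uids}; no user role covers that uid")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_denials(SAMPLE_LOG))))
```

The output is a starting point for hand-editing the policy, not a replacement for the learning mode brant describes: it only shows which subject and path the kernel refused and which modes the thread says that refusal calls for, and it deliberately leaves the "default role for uid 1007" note in place so the missing user role is not papered over with extra object lines.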