default subject learning question

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

default subject learning question

Postby sadm » Thu Jun 05, 2008 4:12 am

First of all, big thanks to grsecurity team, you are doing a great job!

I have a question, related to learning for / subject, will try to explain: First of all, I had runned full learning for a while, generated policy (gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy). Then I enabled grsecurity (gradm -E) and looked for errors in /var/log/grsec.log, such as

Code: Select all
Jun  1 11:40:16 mail grsec: From xx.xx.xx.xx: (vpopmail:U:/usr/libexec/dovecot/imap) denied access to hidden file /usr/lib/gconv/gconv-modules.cache by /usr/libexec/dovecot/imap[imap:29212] uid/euid:89/89 gid/egid:89/89, parent /usr/sbin/dovecot[dovecot:32344] uid/euid:0/0 gid/egid:0/0
Jun  1 11:40:16 mail grsec: From xx.xx.xx.xx: (vpopmail:U:/usr/libexec/dovecot/imap) denied access to hidden file /usr/lib/gconv/gconv-modules by /usr/libexec/dovecot/imap[imap:29212] uid/euid:89/89 gid/egid:89/89, parent /usr/sbin/dovecot[dovecot:32344] uid/euid:0/0 gid/egid:0/0


For each of seen errors I had edit /etc/grsec/policy and enabled learning (ol in subject), for example:

Code: Select all
role vpopmail u
...

subject /usr/libexec/dovecot/imap ol {
user_transition_allow root vpopmail
group_transition_allow vpopmail

        /                               h
        /dev                            h
        /dev/urandom                    r
        /etc                            h
        /etc/ld.so.cache                r
        /lib                            h
        /lib/ld-2.6.1.so                x
        /lib/libc-2.6.1.so              rx
        /lib/libdl-2.6.1.so             rx
        /usr                            h
        /usr/lib/dovecot/imap
        /usr/lib/dovecot/imap/lib11_imap_quota_plugin.so        rx
        /usr/lib/dovecot/lib10_quota_plugin.so  rx
        /usr/libexec/dovecot/imap       x
        -CAP_ALL
        +CAP_SETGID
        +CAP_SETUID
        bind    disabled
        connect disabled
}


And then I rerunned grsecurity in learning mode (gradm -D; gradm -L /etc/grsec/learning.logs -E). After some time I stopped grsecurity and runned learing (gradm -D; gradm -L /etc/grsec/learning.logs -O newpolicy). After this in file "newpolicy" I have new subjects for my learning enabled subjects from /etc/grsec/policy and new default subject for each of roles where I have learning enabled subjects. For example, my /etc/grsec/policy file contains this default subject for root role:

Code: Select all
subject / O {
        /
        /bin                            x
        /boot                           h
        /dev
        /dev/grsec                      h
        /dev/kmem                       h
        /dev/log                        h
        /dev/mem                        h
        /dev/null                       w
        /dev/port                       h
        /dev/tty                        rw
        /dev/urandom                    r
        /etc                            rx
        /etc/grsec                      h
        /etc/ssh                        h
        /etc/passwd                     h
        /etc/shadow                     h
        /etc/shadow-                    h
        /home                           h
        /home/sadm
        /home/sadm/.bash_history        rw
        /home/sadm/.bash_logout         r
        /home/sadm/.bash_profile        r
        /home/sadm/.bashrc              r
        /lib                            rx
        /proc                           r
        /proc/bus                       h
        /proc/kcore                     h
        /proc/sys                       h
        /sbin                           h
        /sbin/gradm                     x
        /sys                            h
        /usr
        /usr/bin                        x
        /usr/lib                        rx
        /usr/lib/gconv/gconv-modules.cache      r
        /usr/lib/sa
        /usr/lib/sa/sa1                 rx
        /usr/lib/sa/sa2                 x
        /usr/lib/sa/sadc                x
        /usr/sbin                       h
        /usr/sbin/run-crons             rx
        /usr/src                        h
        /var                            h
        /var/log                        h
        /var/log/sa                     r
        /var/qmail                      rx
        /var/run
        /var/spool
        /var/spool/cron                 h
        /var/spool/cron/lastrun
        /var/vpopmail                   h
        /var/vpopmail/bin               x
        /var/vpopmail/bin/vdeluser      rx
        /var/vpopmail/bin/vdominfo      rx
        /var/vpopmail/bin/vsetuserquota rx
        -CAP_ALL
        +CAP_KILL
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_CHROOT
        bind    disabled
        connect 0.0.0.0/32:22 dgram igmp
        connect 127.0.0.1/32:53 dgram igmp
}


and in "newpolicy" I have this one:

Code: Select all
###  THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "root" ###
subject / O {
user_transition_allow root
group_transition_allow root locate

        /                               r
        /bin                            rxi
        /boot                           h
        /dev
        /dev/.udev                      r
        /dev/grsec                      h
        /dev/kmem                       h
        /dev/log                        rw
        /dev/mem                        h
        /dev/null                       rw
        /dev/port                       h
        /dev/tty                        rw
        /dev/tty12                      w
        /dev/urandom                    r
        /etc                            rx
        /etc/grsec                      h
        /etc/ssh                        h
        /etc/passwd                     h
        /etc/shadow                     h
        /etc/shadow-                    h
        /etc/gshadow                    h
        /home                           r
        /home/.keep
        /lib                            rxi
        /lost+found
        /mnt                            r
        /mnt/cdrom
        /mnt/cdrom/.keep                r
        /mnt/floppy
        /mnt/floppy/.keep               r
        /opt
        /opt/.keep                      r
        /proc                           r
        /proc/bus/usb
        /proc/kcore                     h
        /proc/sys                       h
        /service
        /sys
        /tmp                            rwcd
        /usr                            r
        /usr/bin                        rxi
        /usr/i386-pc-linux-gnu          r
        /usr/i386-pc-linux-gnu/bin
        /usr/i386-pc-linux-gnu/lib
        /usr/lib                        rxi
        /usr/local                      rw
        /usr/sbin                       rxi
        /usr/sbin/syslog-ng             rx
        /usr/share                      rw
        /usr/src                        h
        /var                            r
        /var/bind                       r
        /var/bind/pri
        /var/bind/sec
        /var/empty
        /var/lib                        rwcd
        /var/lock                       r
        /var/lock/.keep
        /var/lock/subsys
        /var/log                        wc
        /var/mail
        /var/spool                      h
        /var/spool/mail
        /var/state
        /var/tmp                        rwcd
        +CAP_ALL
        bind    disabled
        connect 127.0.0.1/32:53 dgram igmp
}


When I try to replace default policy in /etc/grsec/policy by new one, starting grsecurity produces errors like a

Code: Select all
Warning: write access is allowed to your subject for /usr/local/sbin/vpopmail-block-minus.pl in role root.  Please ensure that the subject is running with less privilege than the default subject.
Warning: write access is allowed to your subject for /usr/local/sbin/vpopmail-rpc.pl in role root.  Please ensure that the subject is running with less privilege than the default subject.
Writing access is allowed by role root to /dev/log.  This could in some cases allow an attacker to spoof syslog warnings on your system.

CAP_SYS_MODULE, CAP_SYS_RAWIO, and CAP_MKNOD are all not removed in role root.  This would allow an attacker to modify the kernel by means of a module or corrupt devices on your system.

CAP_SYS_ADMIN is not removed in role root.  This would allow an attacker to mount filesystems to bypass your policies

CAP_SYS_BOOT is not removed in role root.  This would allow an attacker to reboot the system.

CAP_NET_ADMIN is not removed for role root.  This would allow an attacker to modify your firewall configuration or redirect private information

CAP_NET_BIND_SERVICE is not removed for role root.  This would allow an attacker (if he can kill a network daemon) to launch a trojaned daemon that could steal privileged information

CAP_SYS_TTY_CONFIG is not removed for role root.  This would allow an attacker to hijack terminals of privileged processes

Write access is allowed by role root to /usr/local/sbin, a directory which holds binaries for your system and is included in the PATH environment variable.

Write access is allowed by role root to /usr/local/lib, a directory which holds libraries for your system and is included in /etc/ld.so.conf.

There were 9 holes found in your RBAC configuration.  These must be fixed before the RBAC system will be allowed to be enabled.


And If I don't modify default policy - grsecurity blocks learned subjects. How I should solve this problem?
sadm
 
Posts: 5
Joined: Thu Jun 05, 2008 3:15 am

Re: default subject learning question

Postby sadm » Tue Jun 10, 2008 9:43 am

OK, I've merged learned and existent subjects and it seems to work now.
sadm
 
Posts: 5
Joined: Thu Jun 05, 2008 3:15 am

Re: default subject learning question

Postby spender » Thu Jun 19, 2008 3:34 pm

The uppercase "O" in your subject modes, did you add those yourself?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: default subject learning question

Postby sadm » Fri Jun 20, 2008 6:16 am

No, they were added during learning phases. I've examined other servers and found sometimes it's lowercase "o" and sometimes it's uppercase "O".
sadm
 
Posts: 5
Joined: Thu Jun 05, 2008 3:15 am

Re: default subject learning question

Postby spender » Fri Jun 20, 2008 8:24 am

Are the machines showing the uppercase "O" running the latest grsec/gradm? What version are they using if not?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: default subject learning question

Postby sadm » Mon Jun 23, 2008 1:51 am

2 gentoo servers, gradm 2.1.11.200804142058, kernels are 2.6.23-hardened-r12 and 2.6.23-hardened-r9. Will upgrade one of them to the latest versions, rerun learning phase and post results here.
sadm
 
Posts: 5
Joined: Thu Jun 05, 2008 3:15 am

Re: default subject learning question

Postby spender » Mon Jun 23, 2008 5:19 pm

Quick question, since I looked through the code for gradm a bit yesterday and spotted something that may have caused the problem. Do the uppercase "O"s only appear in the mode for subjects for "/" ? If this is the case, I'll have a fix merged tonight.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: default subject learning question

Postby sadm » Tue Jun 24, 2008 1:16 am

Yes, it appears only in "/" subjects. Brad, thank you for help and for this greatest project!
sadm
 
Posts: 5
Joined: Thu Jun 05, 2008 3:15 am

Re: default subject learning question

Postby spender » Tue Jun 24, 2008 5:25 pm

I committed the following fix to CVS:
http://cvsweb.grsecurity.net/index.cgi/ ... 83;r2=1.85
Try applying it on your end; it should solve the problem.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to RBAC policy development

cron