Shutdown role does not work on Debian Wheezy


Post by daedalus » Sun Feb 12, 2012 2:57 pm

Hello, the default shutdown policy for RBAC seems to fail under some configurations (namely Debian Wheezy). Trying to reboot the machine will leave it unusable and it tries to ask for the root password for maintenance. By reading the kernel log it looks like the shutdown role is applied, somewhat, but is then dropped?

[   74.263359] grsec: (root:U:/sbin/gradm) grsecurity 2.2.2 RBAC system loaded by /sbin/gradm[gradm:1501] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1495] uid/euid:0/0 gid/egid:0/0
[   82.103358] grsec: (root:U:/sbin/gradm) successful change to special role shutdown (id 1) by /sbin/gradm[gradm:1502] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1495] uid/euid:0/0 gid/egid:0/0
[   86.002689] grsec: (root:U:/sbin/init) denied connect() to the unix domain socket /dev/log by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[   86.003172] grsec: (root:U:/sbin/init) use of CAP_SYS_TTY_CONFIG denied for /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[   86.003182] grsec: (root:U:/sbin/init) use of CAP_SYS_TTY_CONFIG denied for /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[   86.003191] grsec: (root:U:/sbin/init) use of CAP_SYS_TTY_CONFIG denied for /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[   86.003202] grsec: (root:U:/sbin/init) use of CAP_SYS_TTY_CONFIG denied for /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[   86.003212] grsec: (root:U:/sbin/init) use of CAP_SYS_TTY_CONFIG denied for /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[   86.005364] grsec: (shutdown:S:/) denied open of /root/.bash_history for appending by /bin/bash[bash:1495] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[   86.005624] grsec: (shutdown:S:/) denied open of /root/.bash_history for reading by /bin/bash[bash:1495] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[   87.008750] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/stty[stty:1516] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rc[rc:1515] uid/euid:0/0 gid/egid:0/0
[   87.009007] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/stty[stty:1516] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rc[rc:1515] uid/euid:0/0 gid/egid:0/0
[   87.009247] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/stty[stty:1516] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rc[rc:1515] uid/euid:0/0 gid/egid:0/0
[   87.009488] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/stty[stty:1516] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rc[rc:1515] uid/euid:0/0 gid/egid:0/0
[   87.009727] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/stty[stty:1516] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rc[rc:1515] uid/euid:0/0 gid/egid:0/0
[   87.031561] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/startpar[startpar:1518] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rc[rc:1515] uid/euid:0/0 gid/egid:0/0
[   87.033949] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0, parent /sbin/startpar[startpar:1518] uid/euid:0/0 gid/egid:0/0
[   87.042927] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/grep[grep:1521] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.043481] grsec: (root:U:/) use of CAP_NET_RAW denied for /sbin/ebtables[ebtables:1520] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.045063] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1522] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.074397] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0, parent /sbin/startpar[startpar:1518] uid/euid:0/0 gid/egid:0/0
[   87.108149] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1525] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.138759] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1525] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.171171] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1526] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.202604] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1526] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.235994] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1527] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.268573] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1527] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.302537] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1528] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.355674] grsec: (root:U:/) denied create of /var/lib/libvirt/libvirt-guests for writing by /etc/init.d/libvirt-guests[libvirt-guests:1529] uid/euid:0/0 gid/egid:0/0, parent /sbin/startpar[startpar:1518] uid/euid:0/0 gid/egid:0/0
[   87.408459] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1533] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/libvirt-bin[libvirt-bin:1532] uid/euid:0/0 gid/egid:0/0
[   87.446375] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1540] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/libvirt-bin[libvirt-bin:1532] uid/euid:0/0 gid/egid:0/0
[   87.481178] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /etc/init.d/libvirt-bin[libvirt-bin:1532] uid/euid:0/0 gid/egid:0/0, parent /sbin/startpar[startpar:1518] uid/euid:0/0 gid/egid:0/0
[   87.518923] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1543] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/libvirt-bin[libvirt-bin:1532] uid/euid:0/0 gid/egid:0/0
[   87.554020] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1543] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/libvirt-bin[libvirt-bin:1532] uid/euid:0/0 gid/egid:0/0
[   87.590073] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1544] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/libvirt-bin[libvirt-bin:1532] uid/euid:0/0 gid/egid:0/0
[   87.624818] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1544] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/libvirt-bin[libvirt-bin:1532] uid/euid:0/0 gid/egid:0/0
[   87.660459] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1545] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/libvirt-bin[libvirt-bin:1532] uid/euid:0/0 gid/egid:0/0
[   87.694851] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1545] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/libvirt-bin[libvirt-bin:1532] uid/euid:0/0 gid/egid:0/0
[   87.777824] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1549] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.813271] grsec: (root:U:/) denied send of signal 19 to protected task /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.864130] grsec: (root:U:/) denied send of signal 19 to protected task /sbin/udevd[udevd:380] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.898126] grsec: (root:U:/) denied send of signal 19 to protected task /sbin/udevd[udevd:381] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.931991] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/rsyslogd[rsyslogd:1242] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.932021] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/acpid[acpid:1256] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.932044] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/cron[cron:1282] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.932067] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.932086] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/libvirtd[libvirtd:1307] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.932107] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.932126] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/sshd[sshd:1378] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.932146] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.932162] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933391] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933401] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933413] grsec: (root:U:/) denied send of signal 15 to protected task /usr/sbin/sshd[sshd:1378] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933424] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933436] grsec: (root:U:/) denied send of signal 15 to protected task /usr/sbin/libvirtd[libvirtd:1307] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933446] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933458] grsec: (root:U:/) denied send of signal 15 to protected task /usr/sbin/cron[cron:1282] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933471] grsec: (root:U:/) denied send of signal 15 to protected task /usr/sbin/acpid[acpid:1256] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933484] grsec: (root:U:/) denied send of signal 15 to protected task /sbin/udevd[udevd:381] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933497] grsec: (root:U:/) denied send of signal 15 to protected task /sbin/udevd[udevd:380] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933509] grsec: (root:U:/) denied send of signal 15 to protected task /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933541] grsec: (root:U:/) denied send of signal 18 to protected task /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933545] grsec: more alerts, logging disabled for 10 seconds
[   98.990429] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1575] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.017457] grsec: (root:U:/) denied send of signal 19 to protected task /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.056079] grsec: (root:U:/) denied send of signal 19 to protected task /sbin/udevd[udevd:380] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.082259] grsec: (root:U:/) denied send of signal 19 to protected task /sbin/udevd[udevd:381] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.108476] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/rsyslogd[rsyslogd:1242] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.134640] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/acpid[acpid:1256] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.160703] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/cron[cron:1282] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.186743] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.212540] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/libvirtd[libvirtd:1307] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.238524] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.264349] grsec: (root:U:/) denied send of signal 19 to protected task /usr/sbin/sshd[sshd:1378] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.290276] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.316042] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.342876] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.368693] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.394501] grsec: (root:U:/) denied send of signal 9 to protected task /usr/sbin/sshd[sshd:1378] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.420553] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.446491] grsec: (root:U:/) denied send of signal 9 to protected task /usr/sbin/libvirtd[libvirtd:1307] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.472661] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.498633] grsec: (root:U:/) denied send of signal 9 to protected task /usr/sbin/cron[cron:1282] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.524919] grsec: (root:U:/) denied send of signal 9 to protected task /usr/sbin/acpid[acpid:1256] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.551298] grsec: (root:U:/) denied send of signal 9 to protected task /sbin/udevd[udevd:381] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.578129] grsec: (root:U:/) denied send of signal 9 to protected task /sbin/udevd[udevd:380] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.605572] grsec: (root:U:/) denied send of signal 9 to protected task /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.633770] grsec: (root:U:/) denied send of signal 18 to protected task /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.662840] grsec: (root:U:/) denied send of signal 18 to protected task /sbin/udevd[udevd:380] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.692759] grsec: (root:U:/) denied send of signal 18 to protected task /sbin/udevd[udevd:381] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.723552] grsec: (root:U:/) denied send of signal 18 to protected task /usr/sbin/rsyslogd[rsyslogd:1242] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.755174] grsec: (root:U:/) denied send of signal 18 to protected task /usr/sbin/acpid[acpid:1256] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.787100] grsec: (root:U:/) denied send of signal 18 to protected task /usr/sbin/cron[cron:1282] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.819515] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.852381] grsec: (root:U:/) denied send of signal 18 to protected task /usr/sbin/libvirtd[libvirtd:1307] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.885604] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.885626] grsec: (root:U:/) denied send of signal 18 to protected task /usr/sbin/sshd[sshd:1378] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.885637] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.885646] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1576] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.920122] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0, parent /sbin/startpar[startpar:1518] uid/euid:0/0 gid/egid:0/0
[   99.923361] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1579] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.923381] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1579] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.924478] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1580] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.924496] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1580] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   99.925237] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1581] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[  100.237095] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1583] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0
[  100.271014] grsec: (root:U:/) denied send of signal 15 to protected task /usr/sbin/rsyslogd[rsyslogd:1242] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/start-stop-daemon[start-stop-daem:1584] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0
[  100.337650] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1585] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0
[  100.370448] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0, parent /sbin/startpar[startpar:1518] uid/euid:0/0 gid/egid:0/0
[  100.406215] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1588] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0
[  100.439040] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1588] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0
[  100.472941] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1589] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0
[  100.505801] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1589] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0
[  100.539579] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1590] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0
[  100.572548] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /usr/bin/tput[tput:1590] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/rsyslog[rsyslog:1582] uid/euid:0/0 gid/egid:0/0
[  100.623886] grsec: (root:U:/) denied access of /etc/adjtime for writing by /etc/init.d/hwclock.sh[hwclock.sh:1591] uid/euid:0/0 gid/egid:0/0, parent /sbin/startpar[startpar:1518] uid/euid:0/0 gid/egid:0/0
[  100.674424] grsec: (root:U:/) denied open of /dev/rtc0 for reading by /sbin/hwclock[hwclock:1592] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/hwclock.sh[hwclock.sh:1591] uid/euid:0/0 gid/egid:0/0
[  100.744627] grsec: (root:U:/) denied access of /var/log/wtmp for writing by /sbin/halt[halt:1597] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/umountnfs.sh[umountnfs.sh:1593] uid/euid:0/0 gid/egid:0/0
[  100.777639] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/rm[rm:1598] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/umountnfs.sh[umountnfs.sh:1593] uid/euid:0/0 gid/egid:0/0
[  100.829207] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /bin/echo[echo:1600] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/networking[networking:1599] uid/euid:0/0 gid/egid:0/0
[  100.866911] grsec: (root:U:/lib) denied access to hidden file /bin/dash by /lib/bridge-utils/ifupdown.sh[run-parts:1606] uid/euid:0/0 gid/egid:0/0, parent /bin/run-parts[run-parts:1605] uid/euid:0/0 gid/egid:0/0
[  100.937035] grsec: (root:U:/) use of CAP_NET_ADMIN denied for /sbin/route[route:1611] uid/euid:0/0 gid/egid:0/0, parent /bin/dash[sh:1610] uid/euid:0/0 gid/egid:0/0
[  100.969385] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/route[route:1611] uid/euid:0/0 gid/egid:0/0, parent /bin/dash[sh:1610] uid/euid:0/0 gid/egid:0/0
[  101.038748] grsec: (root:U:/) denied open of /var/lib/urandom/random-seed for writing by /bin/dd[dd:1615] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/urandom[urandom:1612] uid/euid:0/0 gid/egid:0/0
[  101.076220] grsec: more alerts, logging disabled for 10 seconds
Last edited by daedalus on Tue Feb 14, 2012 4:30 pm, edited 1 time in total.
daedalus
 
Posts: 2
Joined: Sun Feb 12, 2012 2:42 pm
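
Added example (not part of the original posts and not gradm code): a small Python triage of grsec log lines in the format posted above. It groups denials by the parenthesised prefix, read here as role:type:subject, and lists which programs were denied outside a special role after the switch to it. The function names are hypothetical, and the sample is a handful of lines excerpted from the log above.

```python
import re
from collections import Counter

# Lines excerpted from the kernel log in the post above (not a full capture).
SAMPLE_LOG = """\
[   82.103358] grsec: (root:U:/sbin/gradm) successful change to special role shutdown (id 1) by /sbin/gradm[gradm:1502] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1495] uid/euid:0/0 gid/egid:0/0
[   86.003172] grsec: (root:U:/sbin/init) use of CAP_SYS_TTY_CONFIG denied for /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[   86.005364] grsec: (shutdown:S:/) denied open of /root/.bash_history for appending by /bin/bash[bash:1495] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[   87.043481] grsec: (root:U:/) use of CAP_NET_RAW denied for /sbin/ebtables[ebtables:1520] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/ebtables[ebtables:1519] uid/euid:0/0 gid/egid:0/0
[   87.813271] grsec: (root:U:/) denied send of signal 19 to protected task /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.932067] grsec: (root:U:/) use of CAP_KILL denied for /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0
[   87.933545] grsec: more alerts, logging disabled for 10 seconds
[  100.744627] grsec: (root:U:/) denied access of /var/log/wtmp for writing by /sbin/halt[halt:1597] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/umountnfs.sh[umountnfs.sh:1593] uid/euid:0/0 gid/egid:0/0
"""

LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+grsec: (?P<body>.*)$")
# Assumption: the prefix is (role name : role type letter : subject path).
PREFIX = re.compile(r"^\((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]*)\)\s+(?P<msg>.*)$")
# The acting program follows " denied for " (capabilities) or the first " by ".
ACTOR = re.compile(r"(?: by | denied for )(?P<path>/[^\s\[]*)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")
ROLE_CHANGE = re.compile(r"^successful change to special role (?P<name>\S+)")
CAP = re.compile(r"^use of (?P<cap>CAP_[A-Z_]+) denied")
SIGNAL = re.compile(r"^denied send of signal (?P<sig>\d+) to protected task (?P<target>/[^\s\[]*)\[")


def parse(log_text):
    """Yield one dict per grsec line; lines without a role prefix get kind 'notice'."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a grsec kernel log line
        ts, body = float(m["ts"]), m["body"]
        p = PREFIX.match(body)
        if not p:
            yield {"ts": ts, "kind": "notice", "msg": body}
            continue
        msg = p["msg"]
        actor = ACTOR.search(msg)
        ev = {"ts": ts, "role": p["role"], "rtype": p["rtype"],
              "subject": p["subject"], "msg": msg,
              "actor": actor["path"] if actor else None}
        if (c := ROLE_CHANGE.match(msg)):
            ev.update(kind="role_change", detail=c["name"])
        elif (c := CAP.match(msg)):
            ev.update(kind="capability", detail=c["cap"])
        elif (c := SIGNAL.match(msg)):
            ev.update(kind="signal", detail=f"{c['sig']}->{c['target']}")
        elif msg.startswith("denied "):
            # File, socket and other object denials: keep the text before " by ".
            ev.update(kind="object", detail=msg.split(" by ", 1)[0])
        else:
            ev.update(kind="other", detail=msg)
        yield ev


def triage(log_text):
    """Summarise denials and flag those logged outside a special role after the switch."""
    events = list(parse(log_text))
    changes = [e for e in events if e["kind"] == "role_change"]
    denials = [e for e in events if e["kind"] in ("capability", "signal", "object")]
    switched_at = changes[0]["ts"] if changes else None
    outside = [e for e in denials
               if switched_at is not None and e["ts"] > switched_at and e["rtype"] != "S"]
    return {
        "special_roles": [e["detail"] for e in changes],
        "denials_by_role": Counter(f"{e['role']}:{e['rtype']}:{e['subject']}" for e in denials),
        "denials_by_kind": Counter(e["detail"] if e["kind"] == "capability" else e["kind"]
                                   for e in denials),
        "actors_outside_special_role": sorted({e["actor"] for e in outside if e["actor"]}),
        # Each such notice means grsec dropped alerts, so the counts are a lower bound.
        "rate_limited": sum("logging disabled" in e["msg"]
                            for e in events if e["kind"] == "notice"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt, only the `/bin/bash` denial carries the `shutdown:S` prefix; the init scripts, `killall5` and `halt` are all logged under `root:U`.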

Re: Shutdown role does not work on Debian Squeeze

Post by spender » Mon Feb 13, 2012 11:23 am

How did you shut the system down? Can you strace -f the command you used and mail me the log?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Shutdown role does not work on Debian Squeeze

Post by spender » Tue Feb 14, 2012 10:15 am

Your system seems to be using /run/initctl instead of the usual /dev/initctl. Here's the patch I just applied to gradm, you can just copy out the policy bits if you like:

commit 58f410812b0e20db6c4d33bc0db0713746834773
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 14 09:11:14 2012 -0500

    Add /run/initctl to the shutdown role, protect /run by default in RBAC
    and automatically generate policies that protect it

diff --git a/gradm_analyze.c b/gradm_analyze.c
index ca2fe8b..8f1403b 100644
--- a/gradm_analyze.c
+++ b/gradm_analyze.c
@@ -667,6 +667,14 @@ analyze_acls(void)
                        errs_found++;
                }

+               if (!check_permission(role, def_acl, "/run", &chk)) {
+                       fprintf(stderr,
+                               "Writing access is allowed by role %s to /run, the directory which "
+                               "holds information for running services and potentially the initctl device.\n\n",
+                               role->rolename);
+                       errs_found++;
+               }
+
                if (!stat("/lib/modules", &fstat) && !check_permission(role, def_acl, "/lib/modules", &chk)) {
                        fprintf(stderr,
                                "Writing access is allowed by role %s to /lib/modules, the directory which "
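Review bot: the new /run check in analyze_acls() is unconditional, while the /lib/modules check directly below it is guarded by !stat("/lib/modules", &fstat). A system that still uses /dev/initctl may have no /run at all, so consider guarding this check the same way, if (!stat("/run", &fstat) && !check_permission(role, def_acl, "/run", &chk)), or confirm that check_permission() behaves sensibly for a path that does not exist.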
diff --git a/learn_config b/learn_config
index 02432f8..aceafe3 100644
--- a/learn_config
+++ b/learn_config
@@ -116,6 +116,7 @@ dont-reduce-path /opt
 protected-path /etc
 protected-path /lib
 protected-path /boot
+protected-path /run
 protected-path /usr
 protected-path /opt
 protected-path /var
diff --git a/policy b/policy
index 861bb66..613f0ac 100644
--- a/policy
+++ b/policy
@@ -271,9 +271,11 @@ subject /sbin/init rvkao
 subject /sbin/halt rvkao
        / rwcdmlxi
        /dev/initctl rwf
+       /run/initctl rwf
 subject /sbin/shutdown rvkao
        / rwcdmlxi
        /dev/initctl rwf
+       /run/initctl rwf

 # Make sure to unauthenticate with gradm -u from
 # the admin role after restarting a service
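Review bot: the two added /run/initctl rwf lines under subject /sbin/halt and subject /sbin/shutdown have no comment explaining why both initctl paths are listed. A one-line policy comment above them, saying that some systems place initctl at /run/initctl instead of /dev/initctl, would keep a later cleanup from pruning one entry as a duplicate.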
@@ -321,6 +323,7 @@ subject /
        /proc/sys       r
        /sys            h
        /root           r
+       /run            r
        /tmp            rwcd
        /var            rwxcd
        /var/tmp        rwcd
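Review bot: /run r under the subject / shown in the hunk header makes /run read-only for everything that falls back to that subject, while the neighbouring /tmp, /var and /var/tmp entries stay writable. The analyzer message added in this same commit describes /run as holding information for running services, so any service that creates files there needs its own subject with write access; a policy comment or a line in the commit message saying so would make the resulting denials expected rather than surprising.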


Thanks for the report, and let me know if you continue to have any problems.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Shutdown role does not work on Debian Squeeze

Post by daedalus » Tue Feb 14, 2012 4:30 pm

Thanks for the fix, works like a charm!

p.s. I was a bit tired when I originally made the post but the system in question was actually running Debian testing (Wheezy). I fixed the original topic to better reflect reality :)
daedalus
 
Posts: 2
Joined: Sun Feb 12, 2012 2:42 pm

Re: Shutdown role does not work on Debian Wheezy

Post by shepherd » Thu Feb 16, 2012 8:44 am

Brad,

I went to git clone gradm to build an updated package for Debian, but this latest commit doesn't seem to be in the cvsweb tree.

Many thanks.
shepherd
 
Posts: 5
Joined: Thu Feb 16, 2012 8:36 am

Re: Shutdown role does not work on Debian Wheezy

Post by spender » Thu Feb 16, 2012 10:06 am

It's there now, I hadn't pushed it out yet. I'll upload a new tarball tonight.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Shutdown role does not work on Debian Wheezy

Post by shepherd » Thu Feb 16, 2012 12:14 pm

spender wrote: It's there now, I hadn't pushed it out yet. I'll upload a new tarball tonight.

-Brad


Thanks Brad
shepherd
 
Posts: 5
Joined: Thu Feb 16, 2012 8:36 am
