Gradm policy errors/ warnings

Submit your RBAC policies or suggest policy improvements

Gradm policy errors/ warnings

Postby GBit » Sat Sep 07, 2013 2:42 pm


gradm -E
Write access is allowed by role root to /sys, the directory which holds entries that allow modifying kernel variables.

Warning: object does not exist in role colin, subject /usr/share/software-center/update-software-center-agent for the target of the symlink object /proc/mounts specified on line 6394 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/share/software-center/software-center-dbus for the target of the symlink object /proc/mounts specified on line 6316 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/share/oneconf/oneconf-service for the target of the symlink object /proc/mounts specified on line 6165 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/share/apport/apport-gtk for the target of the symlink object /proc/mounts specified on line 6084 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/lib/x86_64-linux-gnu/unity-lens-video/unity-video-lens-daemon for the target of the symlink object /etc/alternatives/updatedb specified on line 5990 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/lib/x86_64-linux-gnu/unity-lens-video/unity-video-lens-daemon for the target of the symlink object /etc/alternatives/locate specified on line 5989 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/lib/unity-lens-photos/unity-lens-photos for the target of the symlink object /proc/mounts specified on line 5376 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/lib/gvfs/gvfs-udisks2-volume-monitor for the target of the symlink object /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda2/subsystem specified on line 4883 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/lib/gvfs/gvfs-udisks2-volume-monitor for the target of the symlink object /sys/dev/block/8:2 specified on line 4882 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/lib/gvfs/gvfs-udisks2-volume-monitor for the target of the symlink object /proc/mounts specified on line 4874 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/bin/nautilus for the target of the symlink object /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda2/subsystem specified on line 4014 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/bin/nautilus for the target of the symlink object /sys/dev/block/8:2 specified on line 4013 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/bin/indicator-cpufreq for the target of the symlink object /proc/mounts specified on line 3900 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /usr/sbin/alsactl for the target of the symlink object /root/.config/pulse/2a7c9e4458ccbfd5a964c1c0520b0164-runtime specified on line 2700 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /usr/sbin/aa-logprof for the target of the symlink object /proc/mounts specified on line 2642 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /usr/bin/indicator-cpufreq-selector for the target of the symlink object /proc/mounts specified on line 1906 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /usr/bin/gedit for the target of the symlink object /proc/mounts specified on line 1842 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /sbin/udevadm for the target of the symlink object /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/subsystem specified on line 1594 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /sbin/udevadm for the target of the symlink object /sys/dev/block/8:0 specified on line 1593 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /sbin/plymouthd for the target of the symlink object /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/driver specified on line 1444 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /sbin/apparmor_parser for the target of the symlink object /proc/mounts specified on line 1137 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /etc/resolvconf/update.d/libc for the target of the symlink object /etc/resolv.conf specified on line 1007 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /etc/init.d for the target of the symlink object /var/lock specified on line 943 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /etc/init.d for the target of the symlink object /lib64/ld-linux-x86-64.so.2 specified on line 899 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /etc/init.d for the target of the symlink object /dev/shm specified on line 874 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /bin/dash for the target of the symlink object /proc/mounts specified on line 363 of /etc/grsec/policy.
Warning: object does not exist in role colord, subject /usr/lib/colord/colord for the target of the symlink object /proc/mounts specified on line 86 of /etc/grsec/policy.
There were 1 holes found in your RBAC configuration. These must be fixed before the RBAC system will be allowed to be enabled.


http://pastebin.com/JmvqVDnH

Running 3.10 kernel, Ubuntu desktop. I don't want to break anything or screw it up and have to restart, so if there's any quick advice let me know.
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm

Re: Gradm policy errors/ warnings

Postby spender » Sat Sep 07, 2013 8:26 pm

What gradm are you using? Your /etc/grsec/learn_config must be out of date as full learning would never generate a policy that allows a default subject in a role to write to /sys.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Gradm policy errors/ warnings

Postby GBit » Sat Sep 07, 2013 9:13 pm

2.9.1. I should have assumed that would be out of date, I'll download the latest version and try again.

Re: Gradm policy errors/ warnings

Postby spender » Sat Sep 07, 2013 9:32 pm

gradm's been at 2.9.1 for a while, I needed the date of the tarball as well. The learn_config shipped in newer versions won't clobber your installed version, so you have to replace yours or merge the changes manually.

-Brad

Re: Gradm policy errors/ warnings

Postby GBit » Sat Sep 07, 2013 9:44 pm

Oh, not sure when it was from. If I delete the learn_config and then make/make install the latest version will that suffice?

Re: Gradm policy errors/ warnings

Postby spender » Sat Sep 07, 2013 9:57 pm

Yeah, that'll work. You'll need to re-run the gradm -F -L learn.log -O /etc/grsec/policy command though to generate the new policy based on the updated learn_config.

-Brad

Re: Gradm policy errors/ warnings

Postby GBit » Sat Sep 07, 2013 11:01 pm

OK, so I deleted the files in /etc/grsec *except* for the pw file.

And then I rebooted with the full learning command in my rc.local

yada yada, opened my programs, all that stuff. Used gradm -a admin before using sudo su to elevate and make sure I can compile the kernel as admin.

All that's done.

gradm -D

do the learning thing where it generates the profile.

gradm -E
Write access is allowed by role root to /sys, the directory which holds entries that allow modifying kernel variables.

Warning: object does not exist in role colin, subject /usr/share/apport/apport-gtk for the target of the symlink object /proc/mounts specified on line 4440 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/lib/unity-lens-photos/unity-lens-photos for the target of the symlink object /proc/mounts specified on line 3820 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/lib/gvfs/gvfs-udisks2-volume-monitor for the target of the symlink object /proc/mounts specified on line 3443 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/lib/gnome-settings-daemon/gnome-settings-daemon for the target of the symlink object /proc/mounts specified on line 3318 of /etc/grsec/policy.
Warning: object does not exist in role colin, subject /usr/bin/nautilus for the target of the symlink object /proc/mounts specified on line 2704 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /usr/bin/indicator-cpufreq-selector for the target of the symlink object /proc/mounts specified on line 1120 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /sbin/udevadm for the target of the symlink object /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/subsystem specified on line 974 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /sbin/udevadm for the target of the symlink object /sys/dev/block/8:0 specified on line 973 of /etc/grsec/policy.
Warning: object does not exist in role colord, subject /usr/lib/colord/colord for the target of the symlink object /proc/mounts specified on line 83 of /etc/grsec/policy.
There were 1 holes found in your RBAC configuration. These must be fixed before the RBAC system will be allowed to be enabled.

Re: Gradm policy errors/ warnings

Postby spender » Sun Sep 08, 2013 3:30 am

Do you have an /etc/grsec/learn_config still?

Re: Gradm policy errors/ warnings

Postby GBit » Sun Sep 08, 2013 1:25 pm

These are the files in /etc/grsec

learn_config learning.logs policy pw

Re: Gradm policy errors/ warnings

Postby spender » Sun Sep 08, 2013 2:13 pm

Also, add "protected-path /sys" to your /etc/grsec/learn_config -- I had forgotten to add this when I added rejecting of policies that allow writing to /sys in default subjects. It'll be fixed in the next gradm.
Rerun the policy generation command.
Then, for the /proc/mounts warnings, add a /proc/*/mounts r rule to each warning subject.
For the /sys warnings, see if the symlinks point to a valid file. If they do, run stat on them repeatedly and see if the inode number changes (suggesting it's dynamically generated). If it does change, then cut down the path a bit until it's a directory that isn't auto-generated.

-Brad
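The three steps spender gives above (add "protected-path /sys" to learn_config, turn the /proc/mounts warnings into a "/proc/*/mounts r" object, and for /sys targets resolve the link and walk up until the inode stops changing) can be scripted against the gradm -E output. The script below is an added example, not code from the thread or from grsecurity/gradm itself; it assumes GNU coreutils (readlink -f, stat -c %i), the exact warning wording gradm printed above, and every function name and the sample warning lines are this example's own, constructed from the shape of the lines in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from grsecurity/gradm itself.
# Triage "gradm -E" output the way spender describes above:
#   1. add "protected-path /sys" to learn_config (closes the /sys hole),
#   2. map "/proc/mounts" symlink targets to a "/proc/*/mounts r" rule,
#   3. for other targets, resolve the link and walk up until the inode is stable.
# Assumes GNU coreutils (readlink -f, stat -c %i) and the exact warning wording
# gradm printed in the thread. All names below are this example's own.

# Sample gradm -E lines, constructed from the shape of the ones in the thread.
SAMPLE_WARNINGS='Warning: object does not exist in role colin, subject /usr/bin/nautilus for the target of the symlink object /proc/mounts specified on line 2704 of /etc/grsec/policy.
Warning: object does not exist in role root, subject /sbin/udevadm for the target of the symlink object /sys/dev/block/8:0 specified on line 973 of /etc/grsec/policy.'

# 1. Append "protected-path /sys" to a learn_config unless already present.
#    FILE is a parameter so it can be tried on a scratch copy first.
ensure_protected_sys() {
    if grep -q '^protected-path[[:space:]][[:space:]]*/sys[[:space:]]*$' "$1" 2>/dev/null; then
        echo "already present"
    else
        printf 'protected-path /sys\n' >> "$1"
        echo "added"
    fi
}

# 2. Parse one warning line into "role subject target" (paths have no spaces).
parse_warning() {
    printf '%s\n' "$1" | sed -n \
        's/^Warning: object does not exist in role \([^,]*\), subject \([^ ]*\) for the target of the symlink object \([^ ]*\) specified on line .*$/\1 \2 \3/p'
}

# 3. Does stat report the same inode twice? Auto-generated sysfs entries do not,
#    and gradm cannot pin an object rule to a changing inode.
inode_stable() {
    a=$(stat -c %i "$1" 2>/dev/null) || return 1
    b=$(stat -c %i "$1" 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Walk up from PATH until a component with a stable inode is found; print it.
stable_ancestor() {
    p="$1"
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        if [ -e "$p" ] && inode_stable "$p"; then
            printf '%s\n' "$p"
            return 0
        fi
        p=$(dirname "$p")
    done
    return 1
}

# Print the object rule to add to the warning's subject for TARGET.
suggest_rule() {
    target="$1"
    case "$target" in
        /proc/mounts)
            # /proc/mounts is a symlink to self/mounts; one wildcard rule covers
            # every pid directory, which is the fix spender gives above.
            printf '%s\n' '/proc/*/mounts r'
            return 0 ;;
    esac
    resolved=$(readlink -f "$target" 2>/dev/null) || resolved="$target"
    if [ ! -e "$resolved" ]; then
        printf '# %s: symlink target does not exist, fix or drop this object\n' "$target"
        return 1
    fi
    anc=$(stable_ancestor "$resolved") || {
        printf '# %s: no component with a stable inode\n' "$target"
        return 1
    }
    printf '%s r\n' "$anc"
}

# Run every warning in INPUT through the steps above and print one line each.
triage() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        set -- $(parse_warning "$line")
        [ $# -eq 3 ] || continue
        rule=$(suggest_rule "$3" 2>/dev/null) || rule="$rule (manual check needed)"
        printf 'role %s, subject %s: %s\n' "$1" "$2" "$rule"
    done
}

triage "$SAMPLE_WARNINGS"
```

Run it as root on the box that produced the warnings, because the /sys resolution only means something on that hardware; the rule it prints for a /sys target is the resolved path (or the nearest parent whose inode holds still), which is what spender's "cut down the path" step amounts to. Paste each printed rule into the object list of the subject named in the warning, then re-run gradm -E.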

Re: Gradm policy errors/ warnings

Postby GBit » Sun Sep 08, 2013 2:15 pm

Great, thank you.

Re: Gradm policy errors/ warnings

Postby GBit » Sun Sep 08, 2013 2:52 pm

Regex is supported, right?

So I can simplify these rules, just as an example from:


/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor rw
/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq r
/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq r
/sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed w

to

/sys/devices/system/cpu/cpu0*/cpufreq/* rw

Yes?

edit: I tried it, it worked. All warnings removed, now I'm just fixing all the broken programs. Thanks.

Re: Gradm policy errors/ warnings

Postby GBit » Mon Sep 09, 2013 1:12 am

Where do Gradm violations go? I'm having a lot of issues getting programs working with it.