grsecurity forums

Posted: **Thu Oct 09, 2014 5:46 pm**

Hello, I have a similar issue like this one http://forums.grsecurity.net/viewtopic.php?f=5&t=4056#p14499.

I want to start RBAC at boot time. Thus I started learning at boot time. I noticed that the default learn_config says

Code: Select all: inherit-learn /etc/init.d

which will assign all permissions for every system service ever started from /etc/init.d to /etc/init.d. Bad idea. So I disabled this directive which got me almost what I wanted. In order to refine the rule set I tried to enable partial learning at boot time (/sbin/gradm -E -L ...). RBAC is started after the general system setup (mounting disks, starting udev etc.) but before any services (cron, syslog, sshd etc). However...

Code: Select all: # gradm -D <correct password> Invalid password. # gradm -a admin <correct password> Invalid password # gradm -S The /dev/grsec device is not properly installed on your system or you are not using a grsecurity kernel.

Brad, what's going on here?

Posted: **Thu Oct 09, 2014 6:13 pm**

Did you perform it as root, and did the root role have the "G" flag?

Did you also ensure that there was no subject created for bash (there shouldn't be if you didn't perform administrative actions as root)?

-Brad

Posted: **Thu Oct 09, 2014 7:41 pm**

Did you perform it as root

yes

, and did the root role have the "G" flag?

yes:

Code: Select all: role root uG role_transitions admin shutdown subject / { ...

and /dev/grsec is hidden

Did you also ensure that there was no subject created for bash (there shouldn't be if you didn't perform administrative actions as root)?

There's no subject for bash, just for /, some services, and some commands that were called from a script.

Posted: **Thu Oct 09, 2014 7:50 pm**

Do you have any of the kernel logs showing the attempts to use gradm?

-Brad

Posted: **Sun Oct 12, 2014 7:41 pm**

Hallo Brad, sorry for answering so late.

Do you have any of the kernel logs showing the attempts to use gradm?

There are none.

When I try to call gradm -E, then gradm complains

Code: Select all: Warning: You have enabled some form of learning on the subject for /lib/systemd/systemd-udevd in role root. You have not used -L on the command line however.

When I instead try something like gradm -E -L l.log, then I get

Code: Select all: Error opening /dev/grsec: Device or resource busy

grsecurity forums

Problem with RBAC learning starting at boot time

Problem with RBAC learning starting at boot time

Re: Problem with RBAC learning starting at boot time

Re: Problem with RBAC learning starting at boot time

Re: Problem with RBAC learning starting at boot time

Re: Problem with RBAC learning starting at boot time