Process mysteriously enters default role

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Process mysteriously enters default role

Postby countermode » Wed Feb 11, 2015 8:04 am

I have created a (seemingly) working policy for an apache web server (see below). In this policy the default role is not used. At first, everything worked fine. But after a while I find the following log messages
Code: Select all
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var/www/andustar/favicon.ico by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var/www/andustar/favicon.ico by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0

So /usr/sbin/apache2 entered the default role - but why?! The policy (the result of the learner with some tuning) is
Code: Select all
# role root
subject /usr/sbin/apache2 o {
user_transition_allow apache
group_transition_allow apache

        /                               h
        /dev                            h
        /dev/urandom                    r
        /etc                            r
        /etc/grsec                      h
        /etc/gshadow                    h
        /etc/gshadow-                   h
        /etc/shadow                     h
        /etc/shadow-                    h
        /etc/ssh                        h
        /proc                           h
        /proc/sys/kernel/ngroups_max    r
        /run                           
        /run/apache2.pid                w
        /usr                            h
        /usr/lib/apache2               
        /usr/lib/apache2/modules        rx
        /usr/lib/libcrypto.so.1.0.0     rx
        /usr/lib/libssl.so.1.0.0        rx
        /var                            h
        /var/log/apache2                a
        /var/www
        -CAP_ALL
        +CAP_DAC_OVERRIDE
        +CAP_DAC_READ_SEARCH
        +CAP_KILL
        +CAP_SETGID
        +CAP_SETUID
        bind 0.0.0.0/32:0 dgram ip
        connect 127.0.0.1/32:0 dgram udp
        sock_allow_family ipv6 netlink
}

...

role apache u
role_allow_ip   0.0.0.0/32
subject /  {
        /                               h
        /etc/localtime                  r
        /var                           
        /var/log                        h
        /var/www                        r
        -CAP_ALL
        bind    disabled
        connect disabled
}

What went wrong?
countermode
 
Posts: 27
Joined: Mon Sep 16, 2013 6:59 pm

Re: Process mysteriously enters default role

Postby spender » Wed Feb 18, 2015 8:15 am

Hi,

As you can see from the logs, the process has a tagged IP of 127.0.0.6 (from ipv6), but your policy only allows processes without a tagged IP (0.0.0.0/32) to enter the apache role.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to RBAC policy development

cron