youtube-dl RBAC policy


youtube-dl RBAC policy

Postby timbgo » Mon Sep 21, 2015 3:24 am

I have recently arrived at the level to, thankfully, be able to successfully read from the logs what I need to set or change in my /etc/grsec/policy when some binary/something else doesn't work/doesn't work as expected.

So not too many unsolved cases do I meet anymore.

But here's still one new one that I do have some difficulty solving (and please see why I wouldn't want to go for the learning mode on this).

I issued (the simplified command, and its output is here):
Code:
$ youtube-dl  https://vimeo.com/139877001
[vimeo] 139877001: Downloading webpage
ERROR: Unable to download webpage: <urlopen error [Errno -3] Temporary failure in name resolution> (caused by URLError(gaierror(-3, 'Temporary failure in name resolution'),))
$


And in the logs I got:
Code:
Sep 21 07:18:41 g0n kernel: [254559.086209] grsec: (miro:U:/) exec of /usr/bin/python2.7 (python2.7 /usr/bin/youtube-dl https://vimeo.com/139877001 ) by /usr/bin/python2.7[youtube-dl:8487] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:8778] uid/euid:1000/1000 gid/egid:1000/1000
Sep 21 07:18:41 g0n kernel: [254559.106152] grsec: (miro:U:/) denied unlink of /usr/lib64/python2.7/site-packages/youtube_dl/__init__.pyc by /usr/bin/python2.7[python2.7:8487] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:8778] uid/euid:1000/1000 gid/egid:1000/1000
Sep 21 07:18:41 g0n kernel: [254559.193438] grsec: (miro:U:/) denied unlink of /usr/lib64/python2.7/site-packages/youtube_dl/utils.pyc by /usr/bin/python2.7[python2.7:8487] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:8778] uid/euid:1000/1000 gid/egid:1000/1000
Sep 21 07:18:41 g0n kernel: [254559.220602] grsec: (miro:U:/bin/bash) exec of /bin/bash (sh -c /sbin/ldconfig -p 2>/dev/null ) by /bin/bash[python2.7:8490] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:8487] uid/euid:1000/1000 gid/egid:1000/1000
Sep 21 07:18:41 g0n kernel: [254559.223281] grsec: (miro:U:/bin/bash) denied access to hidden file /sbin/ldconfig by /bin/bash[sh:8491] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:8490] uid/euid:1000/1000 gid/egid:1000/1000
Sep 21 07:18:41 g0n kernel: [254559.223294] grsec: (miro:U:/bin/bash) denied access to hidden file /sbin/ldconfig by /bin/bash[sh:8491] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:8490] uid/euid:1000/1000 gid/egid:1000/1000
Sep 21 07:18:41 g0n kernel: [254559.223298] grsec: more alerts, logging disabled for 10 seconds


Now I don't like using harvester browsers (and I'm sad to say that Zilla Fox is one of them; it really is, I'm talking about Schmooglezilla Schmooglefox, I guess most of the readers figured out themselves that it's not the good old Firefox we used to defend and enjoy using...)....

And I also know how easy it is to trojan most any videos, and especially Schmoogle the Schmoog can very easily do that...

I am not ready and capable to easily fend off such threats yet, so I won't go for the learning so easily on the youtube-dl program.

And so I wondered if anybody knew what I could add to my policies to make youtube-dl download my Vimeo video?

In case there is no quick solution to this, I surely will go for the learning mode :-) !

And then, surely, post the result here, for others to benefit from my experience.

My RBAC policy has surely somewhat changed from, but is still based on:

A no-poetterware desktop RBAC policy
viewtopic.php?f=5&t=4153

and there are another half a dozen topics related to various RBAC policy issues that I posted in this section of Grsecurity Forums since, in case someone (and I don't expect our busy wizards who are providing grsecurity/PaX for us to take time on this small issue, but other users like me, possibly) is willing and able to give his helpful advice here.

Regards!

Miroslav Rovis
http://www.CroatiaFidelis.hr
timbgo
 
Posts: 293
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: youtube-dl RBAC policy

Postby timbgo » Mon Sep 21, 2015 4:16 am

I need to give titled address of the video (with the current title):

Verification emails still have not arrived (bad provider?)
https://vimeo.com/139877001

and it's also, apart from what the title says, about me wishing the impossible: to use one of the safe, privacy-defending and not harvesting your data, browsers, like Dillo and Lynx for logging in/uploading my videos on Vimeo.

I hope that part on our Fox harvesting us, in the previous post, is now clear. I really had to post this, else the purely technical first post simply isn't clear about what I'm talking about in it.

Also, regarding learning and trojaning of the videos: Surely, to RBAC-learn on youtube-dl, I would need to go and download some half a dozen or dozen different videos, and while I pretty much trust (not familiar enough, but they really seem much much more honest)...

[And while I pretty much trust] Vimeo, I don't trust Youtube, and surely I would need to download a few of the videos from there too.

I hope now that the other part, in the previous post, is also clear.

Miroslav Rovis
http://www.CroatiaFidelis.hr

Re: youtube-dl RBAC policy

Postby timbgo » Wed May 18, 2016 12:10 pm

I still have this problem, after all this time.

After the first try:

Code:
May 18 15:56:39 g0n kernel: [250261.172593] grsec: (miro:U:/) exec of /usr/bin/youtube-dl (youtube-dl http://itv.sabor.hr/video/default.aspx?VideoID=19793 ) by /usr/bin/youtube-dl[bash:23022] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3722] uid/euid:1000/1000 gid/egid:1000/1000
May 18 15:56:39 g0n kernel: [250261.189924] grsec: (miro:U:/) exec of /usr/bin/python3.4m (python3.4 /usr/bin/youtube-dl http://itv.sabor.hr/video/default.aspx?VideoID=19793 ) by /usr/bin/python3.4m[youtube-dl:23022] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3722] uid/euid:1000/1000 gid/egid:1000/1000
May 18 15:56:39 g0n kernel: [250261.449455] grsec: (miro:U:/) denied create of /usr/lib64/python3.4/site-packages/youtube_dl/__pycache__/__init__.cpython-34.pyc.3989819569264 for writing by /usr/bin/python3.4m[python3.4:23022] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3722] uid/euid:1000/1000 gid/egid:1000/1000
May 18 15:56:40 g0n kernel: [250262.160463] grsec: (miro:U:/) denied create of /usr/lib64/python3.4/site-packages/youtube_dl/__pycache__/utils.cpython-34.pyc.3989738552752 for writing by /usr/bin/python3.4m[python3.4:23022] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3722] uid/euid:1000/1000 gid/egid:1000/1000
May 18 15:56:41 g0n kernel: [250262.595306] grsec: (miro:U:/) denied access to hidden file /sbin/ldconfig by /usr/bin/python3.4m[python3.4:23023] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[python3.4:23022] uid/euid:1000/1000 gid/egid:1000/1000


I set these to learning:

Code:
# Role: miro
subject /usr/bin/python3.4m ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

# Role: miro
subject /usr/bin/youtube-dl ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

# Role: miro
subject /usr/lib64/python3.4/site-packages/youtube_dl ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}


Not many other changes, although my policy has changed a lot (I tweak it weekly on average) from:

A no-poetterware desktop RBAC policy
viewtopic.php?f=5&t=4153

And now I get:

Code:
May 18 17:25:57 g0n kernel: [255619.168273] grsec: (miro:U:/usr/bin/youtube-dl) exec of /usr/bin/youtube-dl (youtube-dl https://www.youtube.com/watch?v=Q7tDX2_1Lls ) by /usr/bin/youtube-dl[bash:26657] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3722] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:25:57 g0n kernel: [255619.172732] grsec: (miro:U:/usr/bin/python3.4m) exec of /usr/bin/python3.4m (python3.4 /usr/bin/youtube-dl https://www.youtube.com/watch?v=Q7tDX2_1Lls ) by /usr/bin/python3.4m[youtube-dl:26657] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3722] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:25:57 g0n kernel: [255619.439107] grsec: (miro:U:/) exec of /sbin/ldconfig (/sbin/ldconfig -p ) by /sbin/ldconfig[python3.4:26660] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[python3.4:26657] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:25:57 g0n kernel: [255619.440297] grsec: (miro:U:/) denied executable mmap of /sbin/ldconfig by /sbin/ldconfig[ldconfig:26660] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[python3.4:26657] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:25:57 g0n kernel: [255619.440311] grsec: (miro:U:/) Segmentation fault occurred at            (nil) in /sbin/ldconfig[ldconfig:26660] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[python3.4:26657] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:25:57 g0n kernel: [255619.440331] grsec: (miro:U:/usr/bin/python3.4m) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/bin/python3.4m[ldconfig:26660] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[python3.4:26657] uid/euid:1000/1000 gid/egid:1000/1000


I bet, I haven't tried yet, but I bet when I try it next, I'll be able to download most any videos from youtube-dl supported sites, if I simply (how simple ain't it? but ya know, some protection is gone then...)... [if I simply] disable RBAC.

Let's see.


Yes, sure enough, it all is now going smoothly.

Code:
$ youtube-dl https://www.youtube.com/watch?v=Q7tDX2_1Lls
[youtube] Q7tDX2_1Lls: Downloading webpage
[youtube] Q7tDX2_1Lls: Downloading video info webpage
[youtube] Q7tDX2_1Lls: Extracting video information
[youtube] Q7tDX2_1Lls: Downloading MPD manifest
[download] Destination: 18 05 2016 - 1. dio, 3. sjednica, 8. saziv-Q7tDX2_1Lls.f136.mp4
[download]   0.2% of 2.38GiB at 501.05KiB/s ETA 01:22:45

(it's slow, because fiber is late arriving in some quarters here...)

Just... I want to do this without allowing these holes... Why would a user's program need to execute anything in /sbin?

Still, to see if that would help, I added a line in:

Code:
# Role: miro
subject /bin/bash o {
   /            
   ...
   /bin            x
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   ...
   /sbin            h
   /sbin/conntrack      x      
   /sbin/ldconfig      x
   /sbin/macchanger      
   /sbin/openrc         
   /sbin/xtables-multi      
   ...
   -CAP_ALL
   bind   disabled
   connect   disabled
   sock_allow_family all
}

It can probably be figured out that the line added in the subject above is:
Code:
   /sbin/ldconfig      x

but that didn't help. I was still getting the denied executable mmap and bruteforce lines like I pasted above.

I tried adding that after searching and reading:

[solved] denied executable mmap of / (root dir?)
viewtopic.php?f=5&t=4059#p14509

and:

denied executable mmap
viewtopic.php?f=5&t=2109#p8758

I've too little time for research here, which I wish I could do since the issues grsecurity deals with, and how it solves them, are fascinating to me...

And so I can still only post the issue here and hope somebody more knowledgeable grsecurity user would tell us how to solve this issue so that youtube-dl behaves nicely under RBAC.

Regards!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)

Re: youtube-dl RBAC policy

Postby timbgo » Wed May 18, 2016 12:24 pm

Before I go (but I'll keep an eye on this to see if there are any replies),
this is how it went. First the disabling of the RBAC:
Code:
May 18 17:40:46 g0n kernel: [256507.805051] grsec: (admin:S:/) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:26820] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3209] uid/euid:0/0 gid/egid:0/0

And then this is what the program in question does:
Code:
May 18 17:41:48 g0n kernel: [256569.799168] grsec: exec of /usr/bin/youtube-dl (youtube-dl https://www.youtube.com/watch?v=Q7tDX2_1Lls ) by /usr/bin/youtube-dl[bash:26918] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3722] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:41:48 g0n kernel: [256569.801407] grsec: exec of /usr/bin/python3.4m (python3.4 /usr/bin/youtube-dl https://www.youtube.com/watch?v=Q7tDX2_1Lls ) by /usr/bin/python3.4m[youtube-dl:26918] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3722] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:41:48 g0n kernel: [256570.032587] grsec: exec of /sbin/ldconfig (/sbin/ldconfig -p ) by /sbin/ldconfig[python3.4:26919] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[python3.4:26918] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:41:50 g0n kernel: [256571.922339] grsec: exec of /usr/bin/ffmpeg (ffmpeg -version ) by /usr/bin/ffmpeg[youtube-dl:26922] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[youtube-dl:26918] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:41:50 g0n kernel: [256571.984450] grsec: exec of /usr/bin/ffprobe (ffprobe -version ) by /usr/bin/ffprobe[youtube-dl:26923] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[youtube-dl:26918] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:41:50 g0n kernel: [256572.067427] grsec: exec of /usr/bin/ffmpeg (ffmpeg -version ) by /usr/bin/ffmpeg[youtube-dl:26926] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[youtube-dl:26918] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:41:50 g0n kernel: [256572.113480] grsec: exec of /usr/bin/ffprobe (ffprobe -version ) by /usr/bin/ffprobe[youtube-dl:26927] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[youtube-dl:26918] uid/euid:1000/1000 gid/egid:1000/1000

After that, there was (and still is, aDSL here still) just the downloading being shown in the terminal, like in the previous post.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)

Re: youtube-dl RBAC policy

Postby timbgo » Wed May 18, 2016 1:35 pm

I'm still thinking about this. This should be solvable easily.

And also:
Code:
May 18 17:41:48 g0n kernel: [256570.032587] grsec: exec of /sbin/ldconfig
(/sbin/ldconfig -p ) by /sbin/ldconfig[python3.4:26919] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/python3.4m[python3.4:26918]
uid/euid:1000/1000 gid/egid:1000/1000

which the youtube-dl program does, is just:
Code:
       -p, --print-cache
         Print  the  lists    of  directories and candidate libraries stored in the
         current cache.

, which is something innocuous enough it appears to me.

However, after more analysis I saw that in Sep 21, 2015 (the first post):
Code:
Sep 21 07:18:41 g0n kernel: [254559.220602] grsec: (miro:U:/bin/bash) exec of
/bin/bash (sh -c /sbin/ldconfig -p 2>/dev/null ) by /bin/bash[python2.7:8490]
uid/euid:1000/1000 gid/egid:1000/1000, parent
/usr/bin/python2.7[python2.7:8487] uid/euid:1000/1000 gid/egid:1000/1000
...

I see that /sbin/ldconfig is called by bash invoked by python, and also by
only:
Code:
Sep 21 07:18:41 g0n kernel: [254559.223281] grsec: (miro:U:/bin/bash) denied
access to hidden file /sbin/ldconfig by /bin/bash[sh:8491] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[sh:8490] uid/euid:1000/1000
gid/egid:1000/1000

[by only] bash.


While in May 18, 2016 (today), /sbin/ldconfig is called by:
Code:
May 18 17:25:57 g0n kernel: [255619.439107] grsec: (miro:U:/) exec of
/sbin/ldconfig (/sbin/ldconfig -p ) by /sbin/ldconfig[python3.4:26660]
uid/euid:1000/1000 gid/egid:1000/1000, parent
/usr/bin/python3.4m[python3.4:26657] uid/euid:1000/1000 gid/egid:1000/1000

[[ that was under RBAC enabled, and with the mmap, and Segmentation fault, and
bruteforce lines... ]]

and, without RBAC:
Code:
Sep 21 07:18:41 g0n kernel: [254559.220602] grsec: (miro:U:/bin/bash) exec of
/bin/bash (sh -c /sbin/ldconfig -p 2>/dev/null ) by /bin/bash[python2.7:8490]
uid/euid:1000/1000 gid/egid:1000/1000, parent
/usr/bin/python2.7[python2.7:8487] uid/euid:1000/1000 gid/egid:1000/1000


I'm still perplexed, because, while the line for subject bash is probably
useless since ldconfig is not called by bash as previously, where do I stick
that line:
Code:
      /sbin/ldconfig      x

to get subject /usr/bin/python3.4m in role miro to get the permission to execute /sbin/ldconfig

I'm perplexed, because that subject python3.4m is set to learning, isn't it?

It should get it by itself that it needs execution of /sbin/ldconfig?

Or is it something else the matter.

And, for people looking for a workaround (this topic seems to be viewed a
lot) till this is solved, what I do is, disable RBAC, start downloading the
video, and after the downloading has started, reenable the RBAC.

Regards!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)

Re: youtube-dl RBAC policy

Postby timbgo » Wed May 18, 2016 1:53 pm

Just a minor digression, but kind of not so unrelated. It's about what grsecurity does: protect your system...

And video, from sites that live on harvesting of your data (giving the space and the serving of them for free) are always a potential vehicle for intrusions.

In this case, it's about how my Firefox malfunctions a little bit, after disabling RBAC, starting the youtube-dl, and reenabling RBAC. I actually had a little slow time posting the post previous to this.


This is how it is more than half hour later, and would probably continue into hours ahead (but I'll just close and restart it, and all is likely to be well again).

Code:
top - 19:42:51 up 3 days,  1:17,  7 users,  load average: 2.84, 3.10, 3.12
Tasks:  32 total,   3 running,  28 sleeping,   1 stopped,   0 zombie
%Cpu(s): 63.0 us,  1.7 sy,  0.0 ni, 35.3 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem : 16402224 total,   111272 free, 14590064 used,  1700888 buff/cache
KiB Swap:  8999996 total,  8982152 free,    17844 used.  1636728 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND   
22911 miro      20   0 14.102g 0.013t  46700 R 222.9 84.9 221:06.45 firefox   
28186 miro      20   0  330392  75048  23212 R  31.9  0.5  13:15.68 mencoder   


This is a 4-core processor, and Firefox is now using, without doing anything,
just a few tabs are open, two and a half cores, which is 60% of this system
processing power...

Aarrgggh...

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)

Re: youtube-dl RBAC policy

Postby timbgo » Thu Jul 21, 2016 11:58 am

There's more about youtube-dl and gradm policy:

Duplicate subject found for "<some python program>"
viewtopic.php?f=3&t=4517

Still haven't solved how to do the learning on some python programs...
Last edited by timbgo on Thu Jul 21, 2016 12:02 pm, edited 1 time in total.

Re: youtube-dl RBAC policy

Postby timbgo » Fri Dec 16, 2016 6:51 pm

timbgo wrote:There's more about youtube-dl and gradm policy:

Duplicate subject found for "<some python program>"
viewtopic.php?f=3&t=4517

Still haven't solved how to do the learning on some python programs...

I've finally solved, and have a working youtube-dl under RBAC, both the above (which is simple, stupidly simple, see below), and this topic's youtube-dl RBAC policy.

I'm tired falling off my feet, but I'll post it now, or else who knows when.

The learning went:
Code:
# Role: miro
subject /usr/lib64/python-exec/python3.4/youtube-dl ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

and the policy that works for me:
Code:
# Role: miro
subject /usr/lib64/python-exec/python3.4/youtube-dl o
   /            h
   /Cmn            rwcd
   /bin            h
   /bin/bash         x
   /dev            h
   /dev/null         rw
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
#   /etc/ld.so.cache      r
#   /etc/localtime         r
#   /etc/mime.types         r
   /etc/passwd         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /sbin            h
   /sbin/ldconfig         x
   /tmp            rwcd
   /usr            
   /usr/bin         x
#   /usr/bin/python3.4m      x
   /usr/lib64         rx
   /usr/share         h
   /usr/share/ca-certificates/mozilla   r
   /usr/src         h
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   connect 0.0.0.0/0:443 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
   connect 0.0.0.0/0:80 stream dgram tcp udp
#   connect 127.0.0.1/32:80 stream tcp
#   connect 192.168.5.0/24:80 stream tcp
   sock_allow_family ipv6 netlink

Commented out are lines that might be needed in some circumstances (I got them by learning on the offline master machine that this online machine is cloned from).

And I'll post also what, only after I removed it, got all things working:
Code:
# Role: miro
subject /usr/bin/youtube-dl o {
   /            h
   /etc            h
   /etc/ld.so.cache      r
   /etc/python-exec/python-exec.conf   r
   /lib64            h
   /lib64/ld-2.23.so      x
   /lib64/libc-2.23.so      rx
   /usr            h
   /usr/bin/python-exec2c      x
   /usr/bin/youtube-dl      
   /usr/lib64/python-exec/python-exec2   
   /usr/lib64/python-exec/python3.4/youtube-dl   x
   -CAP_ALL
   bind   disabled
   connect   disabled
}

This is what the learning got me. With or without the { and } is the same, just both must be either there or missing.

And then I was getting this issue:
Code:
Dec 16 22:29:23 g0n kernel: [602478.251935] grsec: (miro:U:/usr/bin/youtube-dl) exec of /usr/lib64/python-exec/python-exec2 (getmail --fingerprint -r config/mirorovis@croatiafidelishr ) by /usr/lib64/python-exec/python-exec2[bash:22244] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:20667] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.252927] grsec: (miro:U:/usr/bin/youtube-dl) denied access to hidden file /usr/bin/getmail by /usr/lib64/python-exec/python-exec2[getmail:22244] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:20667] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.253443] grsec: (miro:U:/) exec of /bin/date (date +%y%m%d_%H%M%S ) by /bin/date[bash:22246] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:22245] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.255855] grsec: (miro:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[bash:22247] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:22245] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.258870] grsec: (miro:U:/usr/bin/tee) exec of /usr/bin/tee (tee .getmail/log/getmail_161216_222923_g0n.log ) by /usr/bin/tee[bash:22245] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:20667] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.261765] grsec: (miro:U:/usr/bin/youtube-dl) exec of /usr/lib64/python-exec/python-exec2 (getmail -r config/miroslavrovis1@zghthr ) by /usr/lib64/python-exec/python-exec2[bash:22248] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:20667] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.261781] grsec: (miro:U:/) exec of /bin/date (date +%y%m%d_%H%M%S ) by /bin/date[bash:22250] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:22249] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.262729] grsec: (miro:U:/usr/bin/youtube-dl) denied access to hidden file /usr/bin/getmail by /usr/lib64/python-exec/python-exec2[getmail:22248] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:20667] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.263939] grsec: (miro:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[bash:22251] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:22249] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.265248] grsec: (miro:U:/usr/bin/tee) exec of /usr/bin/tee (tee .getmail/log/getmail_161216_222923_g0n.log ) by /usr/bin/tee[bash:22249] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:20667] uid/euid:1000/1000 gid/egid:1000/1000

Because my Getmail command (and in this case the failure) looks like this:
Code:
$ getmail --fingerprint -r config/mirorovis\@croatiafidelishr 2>&1 | tee .getmail/log/getmail_`date +%y%m%d_%H%M%S`_`hostname`.log ; getmail -r config/miroslavrovis1\@zghthr 2>&1 | tee .getmail/log/getmail_`date +%y%m%d_%H%M%S`_`hostname`.log
/usr/bin/getmail: unable to resolve symlink /usr/bin/getmail: No such file or directory.
/usr/bin/getmail: unable to resolve symlink /usr/bin/getmail: No such file or directory.
$

And the solution was to comment out this one:
Code:
## Role: miro
#subject /usr/bin/youtube-dl o
#   /            h
#   /etc            h
#   /etc/ld.so.cache      r
#   /etc/python-exec/python-exec.conf   r
#   /lib64            h
#   /lib64/ld-2.23.so      x
#   /lib64/libc-2.23.so      rx
#   /usr            h
#   /usr/bin/python-exec2c      x
#   /usr/bin/youtube-dl      
#   /usr/lib64/python-exec/python-exec2   
#   /usr/lib64/python-exec/python3.4/youtube-dl   x
#   -CAP_ALL
#   bind   disabled
#   connect   disabled

And everything worked!

Because both getmail and youtube-dl are actually symbolic links:
Code:
# ls -l /usr/bin/getmail
lrwxrwxrwx 1 root root 31 2016-10-31 06:05 /usr/bin/getmail -> ../lib/python-exec/python-exec2
#

Code:
# ls -l /usr/bin/youtube-dl
lrwxrwxrwx 1 root root 31 2016-12-09 01:54 /usr/bin/youtube-dl -> ../lib/python-exec/python-exec2
#


I hope this helps other users who might have trouble with setting youtube-dl RBAC policy!

Regards,
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
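The whole thread is an exercise in reading grsec denial lines out of the kernel log and turning them into object lines for the right subject by hand. As an added example (not part of the thread, and not a grsecurity or gradm tool), the Python script below parses the denial lines quoted in the posts above, groups them by role and subject, and prints a suggested object mode for each path. The mapping from denial type to mode (unlink to d, create for writing to wc, executable mmap to x, hidden-file access to r, or x when the path sits under the usual executable directories) is a heuristic of this example, not gradm's logic, and the directory list EXEC_DIRS is an assumption of mine; every suggestion has to be checked against the actual policy before it goes in. The script also flags denials whose subject is `/`, the role's default subject, because a process that lands there has no subject of its own, and, as the last post shows with getmail running under the youtube-dl subject, a subject written for a symlink can capture every program that shares its target.

```python
import re
from collections import defaultdict

# Constructed sample: denial and exec lines taken from the log excerpts quoted in this
# thread. The exec line is included to show that non-denial messages are skipped.
SAMPLE_LOG = """\
Sep 21 07:18:41 g0n kernel: [254559.106152] grsec: (miro:U:/) denied unlink of /usr/lib64/python2.7/site-packages/youtube_dl/__init__.pyc by /usr/bin/python2.7[python2.7:8487] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:8778] uid/euid:1000/1000 gid/egid:1000/1000
Sep 21 07:18:41 g0n kernel: [254559.223281] grsec: (miro:U:/bin/bash) denied access to hidden file /sbin/ldconfig by /bin/bash[sh:8491] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:8490] uid/euid:1000/1000 gid/egid:1000/1000
May 18 15:56:39 g0n kernel: [250261.449455] grsec: (miro:U:/) denied create of /usr/lib64/python3.4/site-packages/youtube_dl/__pycache__/__init__.cpython-34.pyc.3989819569264 for writing by /usr/bin/python3.4m[python3.4:23022] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3722] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:25:57 g0n kernel: [255619.439107] grsec: (miro:U:/) exec of /sbin/ldconfig (/sbin/ldconfig -p ) by /sbin/ldconfig[python3.4:26660] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[python3.4:26657] uid/euid:1000/1000 gid/egid:1000/1000
May 18 17:25:57 g0n kernel: [255619.440297] grsec: (miro:U:/) denied executable mmap of /sbin/ldconfig by /sbin/ldconfig[ldconfig:26660] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python3.4m[python3.4:26657] uid/euid:1000/1000 gid/egid:1000/1000
Dec 16 22:29:23 g0n kernel: [602478.252927] grsec: (miro:U:/usr/bin/youtube-dl) denied access to hidden file /usr/bin/getmail by /usr/lib64/python-exec/python-exec2[getmail:22244] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:20667] uid/euid:1000/1000 gid/egid:1000/1000
"""

# Matches the "(role:type:subject) denied <action> of|to hidden file <path> [for <mode>] by <exe>[comm:pid]"
# shape of the RBAC denial lines quoted in this thread. Other grsec messages do not match.
DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:()]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied (?P<action>[a-z ]+?) (?:of|to hidden file) (?P<path>\S+?)"
    r"(?: for (?P<mode>[a-z]+))? by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)

ROLE_TYPES = {"U": "user", "G": "group", "S": "special"}

# Assumption of this example: a hidden-file denial under one of these directories is
# most likely an attempted exec, so x is suggested instead of r.
EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib64/python-exec/")


def parse_denial(line):
    """Return the fields of one denial line as a dict, or None for any other line."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["rtype"] = ROLE_TYPES.get(d["rtype"], d["rtype"])
    return d


def suggested_mode(d):
    """Heuristic object mode for a parsed denial (check it against your policy)."""
    action = d["action"]
    if action == "unlink":
        return "d"
    if action == "create":
        return "wc" if d["mode"] == "writing" else "c"
    if action.endswith("mmap"):
        return "x"
    if action == "access":
        return "x" if d["path"].startswith(EXEC_DIRS) else "r"
    return "?"  # unknown denial type: leave for manual review


def summarize(log_text):
    """Group denials by (role, subject) and merge the suggested modes per path.
    Returns {(role, subject): {path: modeflags}}."""
    out = defaultdict(dict)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = (d["role"], d["subject"])
        have = out[key].get(d["path"], "")
        merged = "".join(sorted(set(have + suggested_mode(d)), key=lambda c: "rwxcdhal?".find(c)))
        out[key][d["path"]] = merged
    return dict(out)


def render(summary):
    """Format the summary as commented, policy-style object lines."""
    lines = []
    for (role, subject), objs in sorted(summary.items()):
        lines.append(f"# role {role}, subject {subject}")
        if subject == "/":
            lines.append("#   NOTE: '/' is the role's default subject: the process had no subject of")
            lines.append("#   its own, so either write one for the executable's real (post-symlink)")
            lines.append("#   path or accept that these objects land in the default subject")
        for path, mode in sorted(objs.items()):
            lines.append(f"    {path}\t{mode}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

To use it on a live system, replace SAMPLE_LOG with the output of a grep for `grsec: .* denied` over the kernel log and read the result as a checklist, not as policy: a mode that a denial asks for (a user program deleting or creating files under /usr/lib64/python2.7/site-packages, for instance) may well be one that the policy is right to refuse.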
