Problem with grsecurity-2.0rc1/gradm2


Post by RaYmAn » Tue Jul 15, 2003 2:23 am

Logs have been sent.
However, it doesn't seem to work with the gdb thing..
After recompiling with -ggdb and re-installing the binaries, gdb errors when I type run after a gdb /sbin/gradm, then set args:
    Starting program: /sbin/gradm -F -L llog2 -O lacl2
    warning: Cannot insert breakpoint -1:
    Cannot access memory at address 0x80480e0
Any ideas?
Update: It helped when I disabled all pax flags with chpax.
-Jens Andersen

Here is the output:

    #0 0x8054d9f in display_ip_node (node=0xbfffe26c, unused=0x0,
    contype=2 '\002', stream=0x80ccba8) at gradm_newlearn.c:1162
    #1 0x8054ae5 in traverse_ip_tree (base=0x82a05a0, optarg=0x0,
    act=0x8054b70 <display_ip_node>, contype=108 'l', stream=0x80ccba8)
    at gradm_newlearn.c:1057
    #2 0x8054f40 in display_ip_tree (base=0x82a05a0, contype=2 '\002',
    stream=0x80ccba8) at gradm_newlearn.c:1223
    #3 0x8054a2d in display_leaf (node=0x8326ef8, unused1=0x0, stream=0x80ccba8)
    at gradm_newlearn.c:1031
    #4 0x8053b2d in traverse_file_tree (base=0x8326ef8,
    act=0x8054840 <display_leaf>, optarg=0x0, stream=0x80ccba8)
    at gradm_newlearn.c:362
    #5 0x8053b4d in traverse_file_tree (base=0x8326f80,
    act=0x8054840 <display_leaf>, optarg=0x0, stream=0x80ccba8)
    at gradm_newlearn.c:370
    #6 0x805483c in display_tree (base=0x8326d68, stream=0x80ccba8)
    at gradm_newlearn.c:971
    #7 0x805367a in display_role (group=0x80d5560, user=0x0, stream=0x80ccba8)
    at gradm_newlearn.c:198
    #8 0x80535bd in traverse_roles (grouplist=0x815e398,
    act=0x80535fc <display_role>, stream=0x80ccba8) at gradm_newlearn.c:166
    #9 0x8053720 in display_roles (grouplist=0x815e398, stream=0x80ccba8)
    at gradm_newlearn.c:214
    #10 0x8055f2d in generate_full_learned_acls (
    learn_log=0x80ccb78 "/etc/grsec/llog2", stream=0x80ccba8)
    at gradm_fulllearn.c:229
    #11 0x804e91e in parse_args (argc=6, argv=0xbffff774) at gradm_arg.c:277
    #12 0x8049e32 in main (argc=6, argv=0xbffff774) at ./gradm.l:325
    #13 0x8059ee5 in __libc_start_main (main=0x8049ddc <main>, argc=6,
    ubp_av=0xbffff774, init=0x80480b4 <_init>, fini=0x80a8380 <_fini>,
    rtld_fini=0, stack_end=0xbffff76c) at ../sysdeps/generic/libc-start.c:129


Update2:
I figured it might be the contents of some of the structures passed to the functions so here is output of print *node and print *stream:
http://rayman.skumler.net/gdbgradminfo.txt

Re: Problem with grsecurity-2.0rc1/gradm2

Post by Newbie » Sun May 09, 2004 4:17 am

RaYmAn wrote: Hi
I just upgraded to grsecurity-2.0rc1 today and gradm2...
I'm attempting to use the Full learning mode, but I can't seem to get it working...
when I run /sbin/gradm -F -L /etc/grsec/llog I get the following error:
    gradm -F -L /etc/grsec/llog
    Error opening /dev/grsec:
    No such file or directory
    Your request was ignored, please check the kernel logs for more info.
    Invalid password.
in my /var/log/warnings it creates the following entries:
    Jul 10 18:18:56 rayman kernel: grsec: From *: use of CAP_IPC_LOCK denied for (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
    Jul 10 18:18:56 rayman kernel: grsec: From *: use of CAP_SYS_NICE denied for (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
    Jul 10 18:18:56 rayman last message repeated 2 times
    Jul 10 18:18:56 rayman kernel: grsec: From *: denied access to hidden file /dev/grsec by (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
    Jul 10 18:18:56 rayman kernel: grsec: more alerts, logging disabled for 10 seconds
I have tried playing around with different "basic" ACL configurations but it doesn't seem to change anything at all...
So.. Any ideas how to fix this error?
-Jens Andersen aka RaYmAn


Had the same problem with gradm v2.0. Took me an hour to find out I just had to mknod the grsec device because it wasn't there. A bit strange at first, because I thought the patched kernel should have created it. Maybe you've got the same problem.

Mark
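
The kernel log lines quoted in this thread can be tallied per process. This is an added example, not part of any poster's message: it counts grsec denials, folds syslog's "last message repeated N times" lines into the preceding event, and flags when grsec rate-limited its own logging. The function name, the regexes and the assumption that logged paths contain no spaces are choices made here; the sample is the quoted log embedded as constructed input.

```python
import re
from collections import Counter

# Constructed sample: the grsec lines quoted in the thread above.
SAMPLE = """\
Jul 10 18:18:56 rayman kernel: grsec: From *: use of CAP_IPC_LOCK denied for (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
Jul 10 18:18:56 rayman kernel: grsec: From *: use of CAP_SYS_NICE denied for (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
Jul 10 18:18:56 rayman last message repeated 2 times
Jul 10 18:18:56 rayman kernel: grsec: From *: denied access to hidden file /dev/grsec by (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
Jul 10 18:18:56 rayman kernel: grsec: more alerts, logging disabled for 10 seconds
"""

# Subject process as grsec prints it: (name:pid). Assumption: no ':' in the name.
SUBJECT = r"\((?P<proc>[^:()]+):(?P<pid>\d+)\)"
PATTERNS = [
    ("capability", re.compile(r"grsec: .*?use of (?P<what>CAP_\w+) denied for " + SUBJECT)),
    ("hidden_file", re.compile(r"grsec: .*?denied access to hidden file (?P<what>\S+) by " + SUBJECT)),
]
REPEAT = re.compile(r"last message repeated (\d+) times")
SUPPRESSED = re.compile(r"grsec: more alerts, logging disabled")

def summarize(text):
    """Return (Counter keyed by (proc, kind, what), suppressed flag)."""
    counts, last_key, suppressed = Counter(), None, False
    for line in text.splitlines():
        m = REPEAT.search(line)
        if m:
            # syslog collapsed duplicates of the previous line; credit them
            # only if that previous line was a grsec event we recognised.
            if last_key:
                counts[last_key] += int(m.group(1))
            continue
        last_key = None
        if SUPPRESSED.search(line):
            suppressed = True  # grsec dropped events: counts are lower bounds
            continue
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                last_key = (m["proc"], kind, m["what"])
                counts[last_key] += 1
                break
    return counts, suppressed

if __name__ == "__main__":
    counts, suppressed = summarize(SAMPLE)
    for (proc, kind, what), n in counts.most_common():
        print(f"{n:3d}  {proc:10s} {kind:12s} {what}")
    if suppressed:
        print("note: grsec rate-limited its log; counts are lower bounds")
```
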
