(::::kernel::::S:/) ?????

Submit your RBAC policies or suggest policy improvements

Postby Kurodo » Wed Sep 15, 2004 9:19 am

Hi!
I cannot understand what to do in this case:

kernel: grsec: (:::kernel::::S:/) denied open of /proc/bus/usb/002/002 for reading writing by /usr/sbin/usbmodules[usbmodules:264] uid/euid:0/0 gid/egid:0/0, parent /etc/hotplug/usb.agent[usb.agent:2824] uid/euid:0/0 gid/egid:0/0

Please. Help me.
Kurodo
 
Posts: 9
Joined: Wed Sep 15, 2004 9:05 am

Postby spender » Thu Sep 16, 2004 3:40 pm

This should be fixed in the current CVS of gradm2.

Try applying the following patch:

http://cvsweb.grsecurity.net/index.cgi/ ... 1=1.38&f=u
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Kurodo » Fri Sep 17, 2004 5:07 am

There it is: "Content-type: text/plain"
Is this a joke? A patch for my silly head?
:-(
Kurodo
 
Posts: 9
Joined: Wed Sep 15, 2004 9:05 am

Postby spender » Fri Sep 17, 2004 9:21 am

Sorry, had to install some more things on the new server (I transitioned to it yesterday). Reload the link, it'll work now.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Kurodo » Fri Sep 17, 2004 1:35 pm

Thank you, Mr. Spengler. Good luck!
Last edited by Kurodo on Thu Jan 20, 2005 10:03 am, edited 1 time in total.
Kurodo
 
Posts: 9
Joined: Wed Sep 15, 2004 9:05 am

OpenCT problem.

Postby Kurodo » Mon Sep 20, 2004 6:36 am

Hi!
In continuation of the problem described earlier...
We have:

kernel: grsec: (:::kernel::::S:/) denied open of /var/run/openct/status for reading writing by /usr/local/sbin/ifdhandler[ifdhandler:32186] uid/euid:0/0 gid/egid:0/0, parent /usr/local/sbin/openct-control[openct-control:14450] uid/euid:0/0 gid/egid:0/0

kernel: grsec: (:::kernel::::S:/) denied create of /var/run/openct/status.30186 for reading writing by /usr/local/sbin/ifdhandler[ifdhandler:30186] uid/euid:0/0 gid/egid:0/0, parent /usr/local/sbin/openct-control[openct-control:21043] uid/euid:0/0 gid/egid:0/0

kernel: grsec: (:::kernel::::S:/) denied unlink of /var/run/openct/0 by /usr/local/sbin/ifdhandler[ifdhandler:15876] uid/euid:0/0 gid/egid:0/0, parent /usr/local/sbin/ifdhandler[ifdhandler:30186] uid/euid:0/0 gid/egid:0/0

kernel: grsec: (:::kernel::::S:/) denied mknod of /var/run/openct/0 by /usr/local/sbin/ifdhandler[ifdhandler:15876] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


Would it be correct, by analogy with /proc/bus/usb, to make the following change to the source code of gradm_adm.c:

if (!add_proc_object_acl
    (current_subject, "/var/run/openct", proc_object_mode_conv("rwcd"), GR_FEXIST))
        exit(EXIT_FAILURE);

I have tried it and it worked, but I am confident that you can offer a more correct and safe solution.

Thanks!
P.S. Excuse for bad language! :oops:
Last edited by Kurodo on Fri Jan 21, 2005 2:56 am, edited 2 times in total.
Kurodo
 
Posts: 9
Joined: Wed Sep 15, 2004 9:05 am
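
A way to check which object modes a set of denials actually calls for, as an added example that is not part of the original posts or of gradm: it parses the denial lines quoted in the post above and groups the needed modes by subject label and directory. The operation-to-mode table and the function name are assumptions, chosen to match the modes used in this thread.

```python
import re
from collections import defaultdict

# The four denial lines from the post above, trimmed after the process name.
SAMPLE_LOG = """\
kernel: grsec: (:::kernel::::S:/) denied open of /var/run/openct/status for reading writing by /usr/local/sbin/ifdhandler[ifdhandler:32186]
kernel: grsec: (:::kernel::::S:/) denied create of /var/run/openct/status.30186 for reading writing by /usr/local/sbin/ifdhandler[ifdhandler:30186]
kernel: grsec: (:::kernel::::S:/) denied unlink of /var/run/openct/0 by /usr/local/sbin/ifdhandler[ifdhandler:15876]
kernel: grsec: (:::kernel::::S:/) denied mknod of /var/run/openct/0 by /usr/local/sbin/ifdhandler[ifdhandler:15876]
"""

DENIED = re.compile(
    r"grsec: \((?P<label>[^)]*)\) denied (?P<op>\w+) of (?P<path>\S+)"
    r"(?: to (?P<target>\S+))?(?: for (?P<access>[a-z ]+?))?"
    r" by (?P<exe>[^\[\s]+)\["
)

# Assumed mapping from logged operation/access words to gradm object modes,
# chosen to match the modes used in this thread; not taken from gradm itself.
OP_MODES = {"create": "c", "mknod": "c", "unlink": "d", "link": "l"}
ACCESS_MODES = {"reading": "r", "writing": "w"}
MODE_ORDER = "rwxcdl"


def required_modes(log_text):
    """Map (subject label, directory) to the object modes the denials call for."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m is None:
            continue  # not a file-object denial (e.g. a signal denial)
        modes = set(OP_MODES.get(m["op"], ""))
        for word in (m["access"] or "").split():
            modes.update(ACCESS_MODES.get(word, ""))
        directory = m["path"].rsplit("/", 1)[0] or "/"
        needed[(m["label"], directory)] |= modes
    return {key: "".join(c for c in MODE_ORDER if c in found)
            for key, found in needed.items()}


if __name__ == "__main__":
    for (label, directory), modes in required_modes(SAMPLE_LOG).items():
        print(f"subject ({label}): {directory} {modes}")
```

On these four lines the result is rwcd on /var/run/openct for the kernel subject, the same mode string proposed in the post.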

Postby Kurodo » Thu Jan 20, 2005 10:57 am

Hi!
When I use version 2.1.0, I have analogous problems again:

kurodo kernel: grsec: (:::kernel::::S:/) denied link of /var/run/openct/status.5577 to /var/run/openct/status.lock by /usr/local/sbin/ifdhandler[ifdhandler:5577] uid/euid:0/0 gid/egid:0/0, parent /usr/local/sbin/openct-control[openct-control:32109] uid/euid:0/0 gid/egid:0/0

Is it right to accept this patch as correct?

--- gradm_adm.c 2005-01-20 17:49:31.000000000 +0300
+++ gradm_adm.c 2005-01-20 17:43:18.000000000 +0300
@@ -117,7 +117,7 @@ add_kernel_acl(void)

        add_proc_subject_acl(current_role, "/", proc_subject_mode_conv("o"), 0);

-       add_proc_object_acl(current_subject, "/", proc_object_mode_conv("rwxcd"), GR_FEXIST);
+       add_proc_object_acl(current_subject, "/", proc_object_mode_conv("rwxcdl"), GR_FEXIST);
        add_proc_object_acl(current_subject, GRSEC_DIR, proc_object_mode_conv("h"), GR_FEXIST);

        return;
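
Review bot: the changed add_proc_object_acl call for "/" gains the "l" (link) mode with no comment saying why, and because the object is "/" the new permission covers every path the kernel subject touches rather than only the directory where the link denial was logged. Suggest a one-line comment above the call stating that processes running under the kernel subject need to create hard links (the status.lock case from the log), or a separate, narrower object entry if "/" is broader than intended. The calls in this hunk also ignore the return value of add_proc_object_acl; if the function can fail in this version, check it the way the earlier snippet in this thread does with exit(EXIT_FAILURE).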

Kurodo
 
Posts: 9
Joined: Wed Sep 15, 2004 9:05 am

Postby spender » Fri Jan 21, 2005 11:23 am

Thanks, fixed.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

grsec: (:::kernel::::S:/) denied send of signal 14

Postby Einon » Mon Jan 16, 2006 5:44 am

Hi!

Recently the same kernel that has been used for at least 6 months now started to produce these log messages:

Jan 16 07:57:14 vasquez kernel: grsec: (:::kernel::::S:/) denied send of signal 14 to protected task /usr/sbin/spamd[spamd:20704] uid/euid:8/8 gid/egid:8/8, parent /usr/sbin/spamd[spamd:28399] uid/euid:8/8 gid/egid:8/8 by /[nfsd:3336] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Any idea what this is, and how to solve it?
Einon
 
Posts: 10
Joined: Tue Mar 22, 2005 6:40 am

Postby spender » Mon Jan 16, 2006 12:45 pm

Upgrade to the latest version of grsecurity.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

