Why is /var writable by root after learning ?

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Why is /var writable by root after learning ?

Postby PhilSkuse » Mon Oct 25, 2004 9:53 am

I've installed grsec-2.0.1 on Linux 2.4.27 and performed full system learning.
For some reason /var is writable by root, but I can't understand why. From reading the generated acl I would expect it to be read only. I don't actually need RBAC, so I haven't authenticated to any role.

What am I missing?

[root@Tusker /]# uname -a
Linux Tusker 2.4.27-grsec #1 Wed Oct 20 12:53:30 BST 2004 i686 i686 i386 GNU/Linux
[root@Tusker /]# gradm -S
The RBAC system is currently enabled.
[root@Tusker /]# touch newfile
touch: cannot touch `newfile': Permission denied
[root@Tusker /]# tail -1 /var/log/messages
Oct 25 14:40:46 Tusker kernel: grsec: From 10.1.48.2: (default:D:/) denied create of /newfile for writing by /bin/touch[touch:18655] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:870] uid/euid:0/0 gid/egid:0/0
[root@Tusker /]# cd /var
[root@Tusker var]# touch newfile
[root@Tusker var]# ls -l newfile
-rw-r--r-- 1 root root 0 Oct 25 14:41 newfile
[root@Tusker var]# gradm -D
Password:
[root@Tusker var]# cat /etc/grsec/acl
role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}

role geronimo u
role_allow_ip 0.0.0.0/0
subject / {
/ h
/var r
/var/log h
-CAP_ALL
bind disabled
connect disabled
}


role root uG
role_allow_ip 0.0.0.0/32
role_allow_ip 10.1.0.0/16
subject / {
/
/bin x
/dev h
/dev/initctl
/dev/tty rw
/etc rx
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/proc h
/proc/meminfo r
/proc/sys/kernel/version r
/sbin h
/sbin/consoletype x
/usr h
/usr/bin rx
/usr/lib h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/libgpm.so.1.19.0 rx
/usr/lib/libncurses.so.5.3 rx
/usr/lib/locale/locale-archive r
/usr/local h
/usr/local/apache2/conf/httpd.conf r
/usr/sbin h
/usr/sbin/anacron x
/usr/sbin/logrotate x
/usr/sbin/tmpwatch x
/usr/share h
/usr/share/locale/locale.alias r
/usr/share/terminfo/d/dtterm r
/var r
-CAP_ALL
bind disabled
connect disabled
}

subject /bin/bash o {
/
/bin x
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/lib/i686 h
/lib/i686/libc-2.3.2.so rx
/proc h
/proc/meminfo r
/sbin h
/sbin/consoletype x
/sbin/gradm x
/tmp h
/tmp/logrotate.rqyxh1 r
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
/root/.bash_history ra
/root/.bash_logout r
/root/.bash_profile r
/root/.bashrc r
/usr
/usr/bin x
/usr/lib h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/locale/locale-archive r
/usr/local
/usr/local/apache2
/var
-CAP_ALL
bind disabled
connect disabled
}

subject /bin/login o {
/ h
/bin h
/bin/login x
/dev h
/dev/log rw
/dev/pts/0 rw
/etc r
/etc/ssh h
/etc/grsec h
/lib rx
/proc h
/proc/29482
/usr h
/usr/lib/libcrack.so.2.7 rx
/usr/lib/libglib-1.2.so.0.0.10 rx
/var h
/var/log/lastlog rw
/var/log/wtmp w
/var/run/utmp rw
/var/spool/mail
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
bind 0.0.0.0/32:0 dgram ip
connect 10.1.48.4/32:53 dgram udp
}

subject /sbin/syslogd o {
/ h
/etc/services r
/etc/syslog.conf r
/var/log a
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/local/apache2/bin/httpd o {
/ h
/etc/group r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect 0.0.0.0/32:80 stream tcp
}

subject /usr/sbin/anacron o {
/ h
/dev h
/dev/log rw
/dev/null rw
/etc h
/etc/anacrontab r
/etc/ld.so.cache r
/etc/localtime r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr h
/usr/sbin/anacron x
/var h
/var/spool/anacron
/var/spool/anacron/cron.daily rw
/var/spool/anacron/cron.weekly rw
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/sbin/crond o {
/
/bin h
/bin/bash x
/etc h
/etc/cron.d
/etc/crontab
/etc/group r
/var h
/var/spool/cron
/dev/grsec h
/proc/kcore h
/proc/sys h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}

subject /usr/sbin/in.telnetd o {
/ h
/bin h
/bin/login x
/dev h
/dev/ptmx rw
/dev/pts
/dev/pts/0 rw
/dev/tty rw
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/etc/passwd h
/lib rx
/usr h
/usr/sbin/in.telnetd x
/var h
/var/log/wtmp w
/var/run/utmp rw
-CAP_ALL
+CAP_CHOWN
+CAP_FOWNER
+CAP_FSETID
bind 0.0.0.0/32:0 dgram ip
connect 10.1.48.4/32:53 dgram udp
}

subject /usr/sbin/logrotate o {
/ r
/bin h
/bin/bash x
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/lib/libnss_files-2.3.2.so rx
/usr h
/usr/lib/libpopt.so.0.0.0 rx
/usr/sbin/logrotate x
/var h
/var/lib
/var/lib/logrotate.status rw
/var/log rwcd
/tmp
/tmp/logrotate.rqyxh1 rwcd
/dev/grsec h
/proc/kcore h
/proc/sys h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/sbin/tmpwatch o {
/
/etc h
/etc/ld.so.cache r
/lib h
/lib/i686/libc-2.3.2.so rx
/lib/ld-2.3.2.so x
/usr h
/usr/sbin/tmpwatch x
/tmp w
/var w
/var/log h
/dev/grsec h
/proc/kcore h
/proc/sys h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/sbin/xinetd o {
/ h
/etc/hosts.allow r
/etc/hosts.deny r
/usr/sbin/in.telnetd x
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind 10.1.48.51/32:0 stream tcp
connect 10.1.0.0/16:113 stream tcp
}


role ntp u
role_allow_ip 0.0.0.0/32
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}

subject /usr/sbin/ntpd o {
/ h
/var/lib/ntp
/var/lib/ntp/drift rwcd
/var/lib/ntp/drift.TEMP rwcd
-CAP_ALL
+CAP_SYS_TIME
bind disabled
connect 10.1.0.0/16:1024-65535 dgram udp
connect 10.1.0.0/16:123 dgram udp
}


role pskuse u
role_allow_ip 10.1.0.0/16
subject / {
/ h
/bin x
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/home h
/home/pskuse
/home/pskuse/.bash_history ra
/home/pskuse/.bash_logout r
/home/pskuse/.bash_profile r
/home/pskuse/.bashrc r
/lib rx
/proc h
/proc/meminfo r
/sbin h
/sbin/consoletype x
/usr h
/usr/bin x
/usr/lib h
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/libgpm.so.1.19.0 rx
/usr/lib/libncurses.so.5.3 rx
/usr/lib/locale/locale-archive r
/usr/share h
/usr/share/locale/locale.alias r
/usr/share/terminfo/d/dtterm r
/var h
/var/spool/mail/pskuse
/dev
/dev/null w
/dev/tty rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
bind disabled
connect disabled
}


subject /bin/su o {
/ h
/bin h
/bin/su x
/dev h
/dev/log rw
/etc r
/etc/ssh h
/etc/grsec h
/lib rx
/proc h
/proc/22249
/usr h
/usr/lib/libcrack.so.2.7 rx
/usr/lib/locale/locale-archive r
/var h
/var/run/utmp rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
PhilSkuse
 
Posts: 9
Joined: Thu Nov 07, 2002 5:53 am
Location: UK

Postby spender » Mon Oct 25, 2004 8:41 pm

The policy file is /etc/grsec/policy. It is no longer /etc/grsec/acl.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby PhilSkuse » Tue Oct 26, 2004 4:21 am

Thanks Brad. I knew it had to be something like that.
PhilSkuse
 
Posts: 9
Joined: Thu Nov 07, 2002 5:53 am
Location: UK


Return to RBAC policy development

cron