learning usage


Postby Mitya » Tue Nov 23, 2004 8:58 am

Hi all,

I have:
sarge
2.4.28
gradm2.0.2

I would like to create ACLs for my POSTFIX. I have tried the following:

in the "root" role:

subject /usr/lib/postfix lo {
/ h
bind disabled
connect disabled
}

after that:
gradm -L /etc/grsec/postfix.log -E

Postfix runs, sends the mails, but nothing in the log file...


After that, I have tried this ACL:
subject /usr/lib/postfix o {
/var/spool/postfix rw
/var/spool/postfix/lib rx
/var/mail w
/dev/log rw
/dev/null rw
/dev/urandom r
/etc/aliases
/etc/postfix rw
/etc r
/etc/grsec h
/lib rx
/usr/lib rx
/usr/share/zoneinfo r
/var/tmp rwcd
/ h

-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT

connect 0.0.0.0/0:53 stream dgram ip tcp udp
connect 0.0.0.0/0:25 stream ip tcp
bind disabled
}


And then I can see the following in the syslog:

Nov 22 01:46:04 gep kernel: grsec: From x.x.x.x: (root:U:/) denied access to hidden file /dev/log by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0 gid/egid:0/0
Nov 22 01:46:04 get kernel: grsec: From x.x.x.x: (root:U:/) denied access to hidden file /etc/passwd by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0 gid/egid:0/0
Nov 22 01:46:04 gep kernel: grsec: From x.x.x.x: (root:U:/) denied access to hidden file /dev/log by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0 gid/egid:0/0
Nov 22 01:46:37 gep kernel: grsec: From x.x.x.x: (root:U:/) use of CAP_SETGID denied for /usr/lib/postfix/master[master:7612] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[...]
Nov 22 01:46:37 gep postfix/master[7612]: fatal: set_eugid: setegid(102): Operation not permitted


It seems that these processes DO NOT match the above subject name...

Why?????

Thx: Mitya

Postby spender » Tue Nov 23, 2004 9:37 am

You'll have to paste your entire policy or mail it to me. Probably what happened is you don't have that subject below the role root u line.

-Brad

Re: learning usage

Postby Hue-Bond » Mon Dec 13, 2004 5:19 pm

>subject /usr/lib/postfix lo {
> / h
> bind disabled
> connect disabled
>}
>
>after that:
>gradm -L /etc/grsec/postfix.log -E

Postfix uses a number of processes to do things. The idea is to distribute work among several processes; that way, each one of them has a well defined task and is less prone to bugs.

You can enable the full learning system for a while and grep "/usr/lib/postfix" before generating the ACL so the log file won't be huge and you won't run into memory problems.
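The two replies above point at the same diagnostic: the "(role:type:subject)" field in each grsec denial names the subject that actually matched, and the binary after "by"/"for" shows which of Postfix's many processes hit the denial. The script below is an added example, not code from the thread or from gradm: it parses kernel log lines in the format quoted in the first post (the sample is constructed from those lines, with the same placeholder host and address), groups denials per binary, and reports every binary that ran under a subject other than the one you intended (here "/usr/lib/postfix"), which is exactly what the "(root:U:/)" entries reveal.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the kernel messages quoted in the first post
# (hostname and source address are placeholders, as in the post).
SAMPLE_LOG = """\
Nov 22 01:46:04 gep kernel: grsec: From x.x.x.x: (root:U:/) denied access to hidden file /dev/log by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0 gid/egid:0/0
Nov 22 01:46:04 gep kernel: grsec: From x.x.x.x: (root:U:/) denied access to hidden file /etc/passwd by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0 gid/egid:0/0
Nov 22 01:46:37 gep kernel: grsec: From x.x.x.x: (root:U:/) use of CAP_SETGID denied for /usr/lib/postfix/master[master:7612] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 22 01:46:37 gep postfix/master[7612]: fatal: set_eugid: setegid(102): Operation not permitted
"""

# Common prefix of every RBAC denial: "(role:type:subject)" is the subject that really matched.
HDR = re.compile(r"grsec: From \S+: \((?P<role>[^:]+):(?P<rtype>[A-Za-z]):(?P<subject>[^)]+)\) (?P<msg>.*)")
FILE_DENY = re.compile(r"denied access to (?:hidden )?file (?P<obj>\S+) by (?P<bin>[^\s\[]+)\[")
CAP_DENY = re.compile(r"use of (?P<cap>CAP_\w+) denied for (?P<bin>[^\s\[]+)\[")

def parse_denials(text):
    """Return one record per grsec file/capability denial; other syslog lines are ignored."""
    records = []
    for line in text.splitlines():
        m = HDR.search(line)
        if not m:
            continue
        rec = {"role": m["role"], "role_type": m["rtype"], "subject": m["subject"]}
        f, c = FILE_DENY.search(m["msg"]), CAP_DENY.search(m["msg"])
        if f:
            rec.update(kind="file", obj=f["obj"], bin=f["bin"])
        elif c:
            rec.update(kind="cap", obj=c["cap"], bin=c["bin"])
        else:
            continue
        records.append(rec)
    return records

def check_subject(text, expected_subject):
    """Group denials by binary; also list binaries that never ran under expected_subject."""
    report = defaultdict(lambda: {"subject": set(), "file": set(), "cap": set()})
    for r in parse_denials(text):
        entry = report[r["bin"]]
        entry["subject"].add(r["subject"])
        entry[r["kind"]].add(r["obj"])
    mismatched = {b: sorted(e["subject"]) for b, e in report.items()
                  if expected_subject not in e["subject"]}
    return dict(report), mismatched

if __name__ == "__main__":
    report, bad = check_subject(SAMPLE_LOG, "/usr/lib/postfix")
    for binary, subjects in bad.items():
        print(f"{binary}: matched subject {subjects}, not /usr/lib/postfix")
```

On the sample, both smtpd and master are reported as running under the catch-all "/" subject, which is the symptom spender attributes to the subject not sitting under the intended role.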
