ACL problem (denied connect to the unix domain socket..)

Submit your RBAC policies or suggest policy improvements

ACL problem (denied connect to the unix domain socket..)

Postby `VL » Sat Mar 05, 2005 9:01 am

I have such messages in logs,when i try to connect via ssh to box:
(passphrase asked,checked and nothnig after)

Code: Select all
Mar  5 15:27:06 serv grsec: (root:U:/sbin/devfsd) denied access to hidden file /dev/pts/2 by /sbin/devfsd[devfsd:155] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  5 15:27:06 serv grsec: (root:U:/sbin/devfsd) denied connect to the unix domain socket /dev/log by /sbin/devfsd[devfsd:155] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  5 15:27:06 serv grsec: From 192.168.0.2: (root:U:/usr/sbin/sshd) denied open of /dev/pts/2 for reading writing by /usr/sbin/sshd[sshd:19610] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1175] uid/euid:0/0 gid/egid:0/0


It complains about /dev/pts2 is unaccessible to devfsd, although in alcs it is.

Here is my ALCs for subjects devfsd & sshd for role root:
(generated by learn, '###' means my addons)
Code: Select all
subject /usr/sbin/sshd o {
user_transition_allow root sshd vl
group_transition_allow root sshd users

        /
        /bin                            h
        /bin/bash     
        /etc                            r
        /etc/grsec                      h
        /usr                            h
        /usr/lib
        /usr/lib/libcrypto.so.0.9.7     rx
        /usr/sbin/sshd                  x
        /usr/share/zoneinfo/Europe/Moscow       r
        /var                            h
        /var/empty     
        /var/log
        /var/log/lastlog                rw
        /var/log/wtmp                   w
        /var/run/utmp                   rw
        /dev
        /dev/log                        rw
        /dev/null                       rw
        /dev/ptmx                       rw
        /dev/pts
        /dev/pts/1                      rw
        ###
        /dev/pts/2                      rw    <<<<<<<<<<<<
        ###
        /dev/urandom                    r
        /dev/grsec                      h
 /dev/mem                        h
        /dev/kmem                       h
        /dev/port                       h
        /home
        /home/vl
        /home/vl/.ssh
        /home/vl/.ssh/authorized_keys   r
        /lib                            rx
        /proc
        /proc/kcore                     h
        /proc/sys                       h
        /proc/bus                       h
        -CAP_ALL
        +CAP_CHOWN
        +CAP_FOWNER
        +CAP_FSETID
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_CHROOT
        bind 0.0.0.0/32:22 stream dgram ip tcp
        bind 0.0.0.0/32:0 stream dgram ip tcp
        connect 0.0.0.0/32:22 dgram udp
        connect 192.168.100.1/32:53 dgram udp
}
subject /sbin/devfsd o {
        /                               h
        /dev
        /dev/pts                        h
        /dev/pts/1                      w
        ###
        /dev/pts/2                      r
        ###
        /dev/vc                         h
        /dev/vc/12
        /dev/vcs12                      wc
        /dev/vcsa12                     wc
        /dev/grsec                      h
        /dev/mem                        h
        /dev/kmem                       h
        /dev/port                       h
        ###
        /dev/log                        r   <<<<<<<<<<<<<<<
        ###
        /lib   
        /lib/dev-state
        /lib/dev-state/vc
        /sbin/insmod                    x
        -CAP_ALL
        +CAP_CHOWN
        bind    disabled
        connect disabled
}


also, what about unix domain sockets connect? should they be in connect section? what is syntax ?

is it ok that /dev/pts/2 doesn`t exist when ALCS gradm turns on RBAC?
`VL
 
Posts: 28
Joined: Wed Feb 23, 2005 2:11 pm

Postby onyx » Sat Mar 05, 2005 10:15 pm

Think you should add w to /dev/log, read is not enough. Unix domain sockets don't go to the connect section i believe.

onyx
onyx
 
Posts: 36
Joined: Tue Jan 20, 2004 7:46 pm

Postby spender » Sun Mar 06, 2005 11:23 am

For the /dev/pts problems, changing the rule to /dev/pts instead of /dev/pts/1, etc should fix the problem and be a more functional policy. grsecurity doesn't currently handle fine-grained permissions on a devpts mount.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby `VL » Sun Mar 06, 2005 11:46 am

thank you, you are both right.

adding rw for /dev/log fixed problems with unix domain sockets and changing rule to /dev/pts fixed others.
`VL
 
Posts: 28
Joined: Wed Feb 23, 2005 2:11 pm


Return to RBAC policy development

cron