Policy Problem

Submit your RBAC policies or suggest policy improvements

Policy Problem

Postby stevie » Thu Sep 13, 2007 5:23 am

Hello,

i dont understand, how the role system works. When i enable RBAC, i am not able to log in with ssh. I am getting the following errors:

Sep 13 11:23:04 XXXXXXXX kernel: grsec: From XXX.XXX.XXX.XXX: (default:D:/usr/sbin/sshd) denied access to hidden file
/var/run by /usr/sbin/sshd[sshd:4055] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1848] uid/euid:0/0 gid/egid:0/0
Sep 13 11:23:04 XXXXXXXX kernel: grsec: From XXX.XXX.XXX.XXX: (default:D:/usr/sbin/sshd) denied access to hidden file
/ by /usr/sbin/sshd[sshd:4055] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1848] uid/euid:0/0 gid/egid:0/0

Why is the default role matching there? I have got a root role und in this role i got the subject usr/sbin/sshd. And in this subject i have allowed read rights to /var/run and / . Why is this not working? The rules are all learned from full system learning, but the read acces to / and /var/run are added by myself.

A part of my acl:

role admin sA
subject / rvka
/ rwcdmlxi

role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}

role root uG
role_transitions admin
role_allow_ip 0.0.0.0/0
subject / {
/
/bin rx
/etc rx
/etc/grsec h
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/dev
/dev/null rw
/dev/tty rw
/dev/urandom r
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/lib rx
/proc r
/proc/kcore h
/proc/sys h
/proc/bus h
/root
/root/.ftplicity
/root/.ftplicity/conf r
/root/nixspam.pl r
/root/spam-stat.pl r
/tmp rwcd
/usr
/usr/local rx
/usr/sbin h
/usr/sbin/imaplogin x
/usr/sbin/pop3login x
/usr/sbin/scponlyc
/usr/share r
/usr/bin rx
/usr/lib rx
/var
/var/cache h
/var/cache/man/index.db r
/var/cache/man/oldlocal/index.db r
/var/lib r
/var/spool h
/var/spool/cron/atjobs
/var/log
/var/log/learning.log r
/var/log/syslog r
/var/opt rx
/var/qmail
/var/qmail/bin/qmail-inject x
/var/qmail/bin/qmail-qsheff x
/var/qmail/bin/sendmail x
/var/qmail/control/me r
/var/www
/var/www/vhosts r
-CAP_ALL
bind disabled
connect disabled
}

[...]

subject /usr/sbin/sshd o {
user_transition_allow root
group_transition_allow root

/ r
/bin h
/bin/bash x
/dev h
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/tty rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/usr h
/usr/lib rx
/usr/sbin/sshd x
/var h
/var/log
/var/log/lastlog rw
/var/log/wtmp w
/var/mail/root
/var/run r
/var/run/motd r
/var/run/utmp rw
/lib rx
/proc r
/proc/kcore h
/proc/bus h
/root
/root/.ssh
/root/.ssh/authorized_keys r
/tmp wcd
/sys h
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG
bind 0.0.0.0/32:22 stream dgram ip tcp
bind 0.0.0.0/32:0 stream dgram ip tcp
connect 0.0.0.0/32:22 dgram udp
connect XXX.XXX.XXX.XXX/32:53 dgram udp
}
stevie
 
Posts: 2
Joined: Mon Sep 10, 2007 5:57 am

Postby spender » Thu Sep 20, 2007 6:02 pm

Does it work when you remove the "role_allow_ip 0.0.0.0/0" line?

What user are you logging in as?
Did you log in as that user during learning?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to RBAC policy development