Problem with grsecurity-2.0rc1/gradm2


Postby RaYmAn » Thu Jul 10, 2003 12:24 pm

Hi
I just upgraded to grsecurity-2.0rc1 today and gradm2...
I'm attempting to use the Full learning mode, but I can't seem to get it working...
when I run /sbin/gradm -F -L /etc/grsec/llog I get the following error:
    gradm -F -L /etc/grsec/llog
    Error opening /dev/grsec:
    No such file or directory
    Your request was ignored, please check the kernel logs for more info.
    Invalid password.
in my /var/log/warnings it creates the following entries:
    Jul 10 18:18:56 rayman kernel: grsec: From *: use of CAP_IPC_LOCK denied for (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
    Jul 10 18:18:56 rayman kernel: grsec: From *: use of CAP_SYS_NICE denied for (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
    Jul 10 18:18:56 rayman last message repeated 2 times
    Jul 10 18:18:56 rayman kernel: grsec: From *: denied access to hidden file /dev/grsec by (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
    Jul 10 18:18:56 rayman kernel: grsec: more alerts, logging disabled for 10 seconds

I have tried playing around with different "basic" ACL configurations but it doesn't seem to change anything at all...
So..Any ideas how to fix this error?
-Jens Andersen aka RaYmAn
RaYmAn
 
Posts: 9
Joined: Thu Jul 10, 2003 8:08 am
Location: Denmark
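
As an added example (not part of the original posts, and not grsecurity or gradm code), here is a small Python parser that summarizes the grsec alert lines quoted in the post above. The pattern is inferred only from those log lines, so other grsec message formats are not covered; the names `ALERT`, `REPEAT` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Sample input: the alert lines quoted in the post above.
SAMPLE = """\
Jul 10 18:18:56 rayman kernel: grsec: From *: use of CAP_IPC_LOCK denied for (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
Jul 10 18:18:56 rayman kernel: grsec: From *: use of CAP_SYS_NICE denied for (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
Jul 10 18:18:56 rayman last message repeated 2 times
Jul 10 18:18:56 rayman kernel: grsec: From *: denied access to hidden file /dev/grsec by (grlearn:15770) uid/euid:0/0 gid/egid:0/0, parent (gradm:31036) uid/euid:0/0 gid/egid:0/0
Jul 10 18:18:56 rayman kernel: grsec: more alerts, logging disabled for 10 seconds
"""

# "(comm:pid) uid/euid:U/E gid/egid:G/E", used for the process and its parent.
PROC = (r"\((?P<{0}comm>[^:()]+):(?P<{0}pid>\d+)\) "
        r"uid/euid:(?P<{0}uid>\d+)/(?P<{0}euid>\d+) gid/egid:\d+/\d+")
ALERT = re.compile(
    r"kernel: grsec: From (?P<src>\S+): (?P<msg>.+?) (?:for|by) "
    + PROC.format("") + r", parent " + PROC.format("p") + r"$"
)
REPEAT = re.compile(r"last message repeated (\d+) times")


def summarize(text):
    """Count alerts per (process, parent, message).

    Returns (counts, suppressed). suppressed is True when the kernel
    reported that alert logging was rate-limited, meaning the counts
    are a lower bound rather than a complete record.
    """
    counts, last, suppressed = Counter(), None, False
    for line in text.splitlines():
        m = ALERT.search(line)
        if m:
            last = (m["comm"], m["pcomm"], m["msg"])
            counts[last] += 1
        elif (r := REPEAT.search(line)) and last:
            # syslog collapsed N further copies of the previous alert
            counts[last] += int(r.group(1))
        elif "logging disabled" in line:
            suppressed = True
    return counts, suppressed


if __name__ == "__main__":
    counts, suppressed = summarize(SAMPLE)
    for (comm, parent, msg), n in counts.most_common():
        print(f"{n:3d}  {comm} (parent {parent}): {msg}")
    print("alerts were suppressed by rate limiting:", suppressed)
```
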

Postby RaYmAn » Thu Jul 10, 2003 1:04 pm

When running gradm2 cvs rather than the released version I get the added error in /var/log/warnings:
    Jul 10 19:05:53 rayman kernel: grsec: From 80.165.107.222: Invalid mode 5 by (gradm:19813) uid/euid:0/0 gid/egid:0/0, parent (bash:13737) uid/euid:0/0 gid/egid:0/0

-Jens Andersen
RaYmAn
 
Posts: 9
Joined: Thu Jul 10, 2003 8:08 am
Location: Denmark

Postby spender » Thu Jul 10, 2003 7:42 pm

use current cvs of grsecurity 2 also.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby spender » Thu Jul 10, 2003 7:43 pm

also, it looks like you're trying to enable the full learning mode when the RBAC system is already enabled. The RBAC system must be disabled for you to enable the system in full learning mode.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby RaYmAn » Fri Jul 11, 2003 8:12 am

> also, it looks like you're trying to enable the full learning mode when the RBAC system is already enabled. The RBAC system must be disabled for you to enable the system in full learning mode.

Hmm. It seems you are right.
The odd thing is that I never enabled it after booting so it should really work..
but I don't know. Somehow it must have gotten enabled.
Regardless...putting it into learning mode just made everything pretty much inaccessible...Guess I should have done it while I could get physical access to it, heh
Oh well..no mail for a few hours I suppose...
-Jens Andersen
RaYmAn
 
Posts: 9
Joined: Thu Jul 10, 2003 8:08 am
Location: Denmark

Postby gkweb » Sun Jul 13, 2003 1:03 pm

Hi,

I have the same error, and I didn't activate anything either.
I'm running my system with the preconfigured "Medium" security level; everything works well except when I try Full learning mode, where I get the error shown here.
It's weird because I just booted up and I didn't activate the ACL system (it blocks my whole system; I don't know Linux well enough to get it to work). This is why I tried Full learning mode, but it doesn't work. I hope the problem will be solved soon.

In any case, really great job (how many cups of coffee did this take? o_O )

regards,

gkweb.
gkweb
 
Posts: 16
Joined: Sun Jul 13, 2003 12:45 pm
Location: FRANCE, Rouen (76)

Postby spender » Sun Jul 13, 2003 2:44 pm

this happens for both of you with the current cvs of grsecurity 2 and gradm 2?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby gkweb » Sun Jul 13, 2003 3:01 pm

I downloaded from the website link, not CVS; I'm not very familiar with it :oops:

gkweb.

EDIT: I can't get it to run on my gateway (the command doesn't exist), and I can't find the CVS sources anywhere... so if someone could give me a link to download the latest patch (I browsed the CVS tree but it's not a patch) and the latest gradm2, I will test it and report results as soon as possible, thanks :)
gkweb
 
Posts: 16
Joined: Sun Jul 13, 2003 12:45 pm
Location: FRANCE, Rouen (76)

Postby RaYmAn » Mon Jul 14, 2003 2:53 am

> this happens for both of you with the current cvs of grsecurity 2 and gradm 2?
> -Brad

Not quite. I'm using rc1 release from website.
However, I did manage to get full learning mode enabled finally. (with rc1)
However, now I have a new problem.
I left it running for a day or so and ended up with a log of around 27mb..
Fine I thought, disabled the learning and ran gradm -F -L /path/to/log -O /path/to/gen_acl
Seemed to work fine....it used around 230mb ram and used 97% cpu for around 1-2 hours, but then something happened...it crashed..only very few acls had been written to disk, but it simply crashed...I can provide you with an strace if you so wish..
However, I prefer not to have to reboot my server once again if at all possible. I figured an rc1 release would be fairly stable and hence would work on a semi-production system...(I'll have a fair deal of users bitching at me if I start rebooting with a fresh cvs every second day...)
So...Any ideas as to how to fix this? (I can provide a bit or all of the learning log if you wish to see if it's a problem with that?)

Edit: After doing some more tests the parsing seems to work with very small log files, i.e. 4kb ones work..I tried with around 300kb too but that failed just like the 27mb file.

Regards,
Jens Andersen
Last edited by RaYmAn on Mon Jul 14, 2003 7:00 am, edited 1 time in total.
RaYmAn
 
Posts: 9
Joined: Thu Jul 10, 2003 8:08 am
Location: Denmark

Postby gkweb » Mon Jul 14, 2003 6:50 am

can you provide me information to get it to work pls ?

thanks :wink:

regards,

gkweb.
gkweb
 
Posts: 16
Joined: Sun Jul 13, 2003 12:45 pm
Location: FRANCE, Rouen (76)

Postby RaYmAn » Mon Jul 14, 2003 6:58 am

> can you provide me information to get it to work pls ?

Well..I can try..
I'm pretty sure that all I did to get it work was that I ran gradm -D, entered password and then it said the RBAC system was disabled now, and then I could run gradm -F(...) and it worked just fine...except for the parsing of the resulting log files, but I think that's an unrelated problem...

-Jens Andersen
RaYmAn
 
Posts: 9
Joined: Thu Jul 10, 2003 8:08 am
Location: Denmark

Postby gkweb » Mon Jul 14, 2003 8:03 am

It doesn't work for me: I enter gradm -D, it tells me to enter the password, and after that I get the error "Error opening dev/grsec:" again

(grsecurity version available on the website).
gkweb
 
Posts: 16
Joined: Sun Jul 13, 2003 12:45 pm
Location: FRANCE, Rouen (76)

Postby gkweb » Mon Jul 14, 2003 8:41 pm

I downloaded the latest CVS version, and now there are no error messages and it accepts the command, but the system freezes within 5s and I have to reboot with the reset button.
Maybe it's because I use the latest gradm2 version with the grsecurity patch 2.0-rc1 from the website link (not the latest version)?

I have the latest grsecurity2 files on my hard drive but I don't know how to merge them into a "patch" file. Is there a command?

regards,

gkweb.
gkweb
 
Posts: 16
Joined: Sun Jul 13, 2003 12:45 pm
Location: FRANCE, Rouen (76)

Postby spender » Mon Jul 14, 2003 11:31 pm

rayman: i'd like to see a gdb backtrace of gradm. If you could, add -ggdb to the CFLAGS in the makefile and comment the lines that strip the binary. Run gradm under gdb and when it crashes, enter "bt". Post the backtrace here.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby spender » Mon Jul 14, 2003 11:50 pm

also, you can mail the 300kb learning log to spender@grsecurity.net

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
