Duplicate subject found for "<some python program>"


Postby timbgo » Thu Jul 21, 2016 11:56 am

title: Duplicate subject found for "<some python program>"
---
I was thinking I should post my tiny investigation into a small jacksum java program's apparent misbehavior, as it is a textbook example of the goodness of grsecurity's logging, even though I only later in my thinking, and still without certainty, changed the direction of where to search for a solution on this issue (and finally solved it in an unpredictable way, for me).

Code: Select all
# equery k jacksum
* Checking app-crypt/jacksum-1.7.0 ...
   14 out of 14 files passed

# equery k youtube-dl
* Checking net-misc/youtube-dl-2016.07.13 ...
   3759 out of 3759 files passed

# equery k java-config
* Checking dev-java/java-config-2.2.0-r3 ...
   101 out of 101 files passed

#


( see below why java-config, near the 'equery b' string )

And yet:

Code: Select all
$ cd /Cmn/src/ && jacksum -V summary -a sha256 -r -d -f -m ./ > /Cmn/src/src_$(date +%y%m%d_%H%M)_g5n &
[1] 5115
$ /usr/bin/gjl: unable to resolve symlink /usr/bin/../lib/python-exec/python-exec2: No such file or directory.
Couldn't get needed information

[1]+  Exit 1                  cd /Cmn/src/ && jacksum -V summary -a sha256 -r -d -f -m ./ > /Cmn/src/src_$(date +%y%m%d_%H%M)_g5n
$


In the logs:

Code: Select all
Jul 20 21:40:22 g0n kernel: [10964.152317] grsec: (miro:U:/bin/bash) chdir to
/Cmn/src by /bin/bash[bash:5115] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:4487] uid/euid:1000/1000 gid/egid:1000/1000

Jul 20 21:40:22 g0n kernel: [10964.153263] grsec: (miro:U:/) exec of /bin/date
(date +%y%m%d_%H%M ) by /bin/date[bash:5117] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:5116] uid/euid:1000/1000
gid/egid:1000/1000

Jul 20 21:40:22 g0n kernel: [10964.154196] grsec: (miro:U:/) exec of
/usr/bin/jacksum (jacksum -V summary -a sha256 -r -d -f -m ./ ) by
/usr/bin/jacksum[bash:5116] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:5115] uid/euid:1000/1000 gid/egid:1000/1000

Jul 20 21:40:22 g0n kernel: [10964.156972] grsec: (miro:U:/usr/bin/youtube-dl)
exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args
--get-jar jacksum.jar --get-vm ) by
/usr/lib64/python-exec/python-exec2[jacksum:5119] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:5118] uid/euid:1000/1000
gid/egid:1000/1000

Jul 20 21:40:22 g0n kernel: [10964.157373] grsec: (miro:U:/usr/bin/youtube-dl)
denied access to hidden file /usr/lib64/python-exec/python-exec2 by
/usr/lib64/python-exec/python-exec2[gjl:5119] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:5118] uid/euid:1000/1000
gid/egid:1000/1000


Code: Select all
# equery b /usr/bin/gjl
 * Searching for /usr/bin/gjl ...
dev-java/java-config-2.2.0-r3 (/usr/bin/gjl -> ../lib/python-exec/python-exec2)
#


And there is where the trouble is starting:

Code: Select all
$ gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm
/usr/bin/gjl: unable to resolve symlink /usr/bin/../lib/python-exec/python-exec2: No such file or directory.
$


In the logs that expands to:

Code: Select all
Jul 21 01:22:00 g0n kernel: [24264.114892] grsec: (miro:U:/usr/bin/youtube-dl)
exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args
--get-jar jacksum.jar --get-vm ) by
/usr/lib64/python-exec/python-exec2[bash:5781] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:4487] uid/euid:1000/1000
gid/egid:1000/1000

Jul 21 01:22:00 g0n kernel: [24264.116630] grsec: (miro:U:/usr/bin/youtube-dl)
denied access to hidden file /usr/lib64/python-exec/python-exec2 by
/usr/lib64/python-exec/python-exec2[gjl:5781] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:4487] uid/euid:1000/1000
gid/egid:1000/1000


But that is the same as further above. Already seen.

Is it youtube-dl? Because the other two packages have been around for months and: no issues...

Code: Select all
# ls -l /usr/portage/net-misc/youtube-dl/
total 120
-rw-r--r-- 1 portage portage 19460 2016-07-15 11:44 ChangeLog
-rw-r--r-- 1 portage portage 75434 2015-11-09 05:11 ChangeLog-2015
-rw-r--r-- 1 portage portage  3826 2016-07-15 11:44 Manifest
-rw-r--r-- 1 portage portage   218 2016-05-21 17:35 metadata.xml
-rw-r--r-- 1 portage portage  2185 2016-01-17 18:01 youtube-dl-2016.01.01.ebuild
-rw-r--r-- 1 portage portage  2332 2016-07-11 06:59 youtube-dl-2016.07.11.ebuild
-rw-r--r-- 1 portage portage  2332 2016-07-15 07:54 youtube-dl-2016.07.13.ebuild
-rw-r--r-- 1 portage portage   914 2015-12-26 12:24 youtube-dl-99999999.ebuild
#


It appears to be in constant development though:

Code: Select all
# ls -ltr var/log/portage_logs/ | grep -E 'jacksum|youtube-dl|java-config-[0-9]'
-rw-rw---- 1 portage portage   140291 2016-04-02 00:32 net-misc:youtube-dl-2016.01.14:20160401-223221.log
-rw-rw---- 1 portage portage   352590 2016-04-02 00:32 net-misc:youtube-dl-2016.03.27:20160401-223154.log
-rw-rw---- 1 portage portage     7619 2016-04-02 02:45 dev-java:java-config-2.2.0:20160402-004535.log
-rw-rw---- 1 portage portage    35679 2016-04-02 02:45 dev-java:java-config-2.2.0-r3:20160402-004522.log
-rw-rw---- 1 portage portage   150022 2016-04-02 05:52 net-misc:youtube-dl-2016.03.27:20160402-035247.log
-rw-rw---- 1 portage portage   389758 2016-04-02 05:52 net-misc:youtube-dl-2016.03.27:20160402-035216.log
-rw-rw---- 1 portage portage   178197 2016-05-02 18:57 net-misc:youtube-dl-2016.03.27:20160502-165746.log
-rw-rw---- 1 portage portage   416927 2016-05-02 18:57 net-misc:youtube-dl-2016.04.24:20160502-165715.log
-rw-rw---- 1 portage portage   175851 2016-06-04 07:23 net-misc:youtube-dl-2016.04.24:20160604-052351.log
-rw-rw---- 1 portage portage   419719 2016-06-04 07:23 net-misc:youtube-dl-2016.06.02:20160604-052319.log
-rw-rw---- 1 portage portage   181625 2016-06-24 17:04 net-misc:youtube-dl-2016.06.02:20160624-150405.log
-rw-rw---- 1 portage portage   430924 2016-06-24 17:04 net-misc:youtube-dl-2016.06.23.1:20160624-150332.log
-rw-rw---- 1 portage portage   185691 2016-07-07 21:26 net-misc:youtube-dl-2016.06.23.1:20160707-192604.log
-rw-rw---- 1 portage portage   439674 2016-07-07 21:26 net-misc:youtube-dl-2016.07.01:20160707-192529.log
-rw-rw---- 1 portage portage   184750 2016-07-20 12:27 net-misc:youtube-dl-2016.07.01:20160720-102720.log
-rw-rw---- 1 portage portage  1172735 2016-07-20 12:27 net-misc:youtube-dl-2016.07.13:20160720-102650.log
#


(and I could probably look further back in my archives if need be)


My new entries in package.mask:

Code: Select all
=net-misc/youtube-dl-2016.07.11
=net-misc/youtube-dl-2016.07.13


emerge -tuDN youtube-dl

...

But to no avail. Same error, same lines in the logs.


Next I try:

Code: Select all
# emerge -1 jacksum



(A reminder:

Code: Select all
$ gjl --package jacksum --get-args --get-jar jacksum.jar --get-vm
/usr/bin/gjl: unable to resolve symlink /usr/bin/../lib/python-exec/python-exec2: No such file or directory.
$

)


Code: Select all
# emerge -1 java-config


...

(The reminder would be the same.)


But let's make a variant of it:

Code: Select all
$ jacksum
/usr/bin/gjl: unable to resolve symlink /usr/bin/../lib/python-exec/python-exec2: No such file or directory.
Couldn't get needed information
$


And in the logs:


Code: Select all
Jul 21 01:55:24 g0n kernel: [26268.552369] grsec: (miro:U:/) exec of
/usr/bin/jacksum (jacksum ) by /usr/bin/jacksum[bash:10751] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:8223] uid/euid:1000/1000
gid/egid:1000/1000

Jul 21 01:55:24 g0n kernel: [26268.561737] grsec: (miro:U:/usr/bin/youtube-dl)
exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args
--get-jar jacksum.jar --get-vm ) by
/usr/lib64/python-exec/python-exec2[jacksum:10753] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:10752] uid/euid:1000/1000
gid/egid:1000/1000

Jul 21 01:55:24 g0n kernel: [26268.562306] grsec: (miro:U:/usr/bin/youtube-dl)
denied access to hidden file /usr/lib64/python-exec/python-exec2 by
/usr/lib64/python-exec/python-exec2[gjl:10753] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:10752] uid/euid:1000/1000
gid/egid:1000/1000



And, more tries... As root:

Code: Select all
# jacksum

Jacksum v1.7.0, Copyright (C) 2002-2006, Dipl.-Inf. (FH) Johann N. Loefflmann

Jacksum comes with ABSOLUTELY NO WARRANTY; for details see 'license.txt'.
This is free software, and you are welcome to redistribute it under certain
conditions; see 'license.txt' for details.
This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.

Go to http://www.jonelo.de/java/jacksum/index.html to get the latest version.

For more information please type:
java -jar jacksum.jar -h en

Fuer weitere Informationen bitte eingeben:
java -jar jacksum.jar -h de

#



Code: Select all
# cd /Cmn/src/
# jacksum -V summary -a sha256 -r -d -f -m > ../src_$(date +%y%m%d_%H%M)_g5n &
[1] 10835
#


Working!

What is the matter here?

It did the work. I just (there was quite a bunch in that directory to calculate) got out:

Code: Select all
#
Jacksum: processed directories: 30397
Jacksum: directory read errors: 0
Jacksum: processed files: 134149
Jacksum: processed bytes: 1046008366
Jacksum: file read errors: 0
Jacksum: elapsed time: 0 d, 0 h, 1 m, 34 s, 714 ms

[1]+  Done                    jacksum -V summary -a sha256 -r -d -f -m > ../src_$(date +%y%m%d_%H%M)_g5n
#


Just to have more complete insight, here are the corresponding lines in the syslog:

Code: Select all
Jul 21 02:05:20 g0n kernel: [26864.109187] grsec: (admin:S:/) exec of
/usr/bin/jacksum (jacksum ) by /usr/bin/jacksum[bash:10811] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0

Jul 21 02:05:20 g0n kernel: [26864.116015] grsec: (admin:S:/) exec of
/usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args
--get-jar jacksum.jar --get-vm ) by
/usr/lib64/python-exec/python-exec2[jacksum:10815] uid/euid:0/0 gid/egid:0/0,
parent /usr/bin/jacksum[jacksum:10814] uid/euid:0/0 gid/egid:0/0

Jul 21 02:05:20 g0n kernel: [26864.116935] grsec: (admin:S:/) exec of
/usr/lib64/python-exec/python3.4/gjl (/usr/lib/python-exec/python3.4/gjl
--package jacksum --get-args --get-jar jacksum.jar --get-vm ) by
/usr/lib64/python-exec/python3.4/gjl[gjl:10815] uid/euid:0/0 gid/egid:0/0,
parent /usr/bin/jacksum[jacksum:10814] uid/euid:0/0 gid/egid:0/0

Jul 21 02:05:20 g0n kernel: [26864.178848] grsec: (admin:S:/) exec of
/usr/libexec/eselect-java/run-java-tool.bash (java -classpath
/usr/share/jacksum/lib/jacksum.jar -Djava.library.path=/lib:/usr/lib -jar
/usr/share/jacksum/lib/jacksum.jar ) by
/usr/libexec/eselect-java/run-java-tool.bash[jacksum:10811] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0

Jul 21 02:05:20 g0n kernel: [26864.188313] grsec: (admin:S:/) exec of
/usr/bin/which (/usr/bin/which java ) by /usr/bin/which[java:10817]
uid/euid:0/0 gid/egid:0/0, parent
/usr/libexec/eselect-java/run-java-tool.bash[java:10816] uid/euid:0/0
gid/egid:0/0

Jul 21 02:05:20 g0n kernel: [26864.190255] grsec: (admin:S:/) exec of
/opt/icedtea-bin-3.0.1/bin/java (/opt/icedtea-bin-3.0.1/bin/java -classpath
/usr/share/jacksum/lib/jacksum.jar -Djava.library.path=/lib:/usr/lib -jar
/usr/share/) by /opt/icedtea-bin-3.0.1/bin/java[java:10811] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0

Jul 21 02:05:20 g0n kernel: [26864.199119] grsec: (admin:S:/) chdir to
/tmp/hsperfdata_root by /opt/icedtea-bin-3.0.1/bin/java[java:10818]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0
gid/egid:0/0

Jul 21 02:05:20 g0n kernel: [26864.199278] grsec: (admin:S:/) chdir to /root
by /opt/icedtea-bin-3.0.1/bin/java[java:10818] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0

Jul 21 02:05:20 g0n kernel: [26864.199491] grsec: (admin:S:/) chdir to
/tmp/hsperfdata_root by /opt/icedtea-bin-3.0.1/bin/java[java:10818]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3882] uid/euid:0/0
gid/egid:0/0

Jul 21 02:05:20 g0n kernel: [26864.199607] grsec: (admin:S:/) chdir to /root
by /opt/icedtea-bin-3.0.1/bin/java[java:10818] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0

Jul 21 02:05:29 g0n kernel: [26873.394298] grsec: (admin:S:/) exec of /bin/cat
(cat ) by /bin/cat[bash:10832] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:3882] uid/euid:0/0 gid/egid:0/0

Jul 21 02:05:49 g0n kernel: [26893.163678] grsec: (admin:S:/) chdir to
/Cmn/src by /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0, parent
/usr/bin/urxvt[urxvt:5004] uid/euid:0/0 gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.829638] grsec: (admin:S:/) exec of
/bin/date (date +%y%m%d_%H%M ) by /bin/date[bash:10836] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:10835] uid/euid:0/0 gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.832758] grsec: (admin:S:/) exec of
/usr/bin/jacksum (jacksum -V summary -a sha256 -r -d -f -m ) by
/usr/bin/jacksum[bash:10835] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.838478] grsec: (admin:S:/) exec of
/usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args
--get-jar jacksum.jar --get-vm ) by
/usr/lib64/python-exec/python-exec2[jacksum:10840] uid/euid:0/0 gid/egid:0/0,
parent /usr/bin/jacksum[jacksum:10839] uid/euid:0/0 gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.839218] grsec: (admin:S:/) exec of
/usr/lib64/python-exec/python3.4/gjl (/usr/lib/python-exec/python3.4/gjl
--package jacksum --get-args --get-jar jacksum.jar --get-vm ) by
/usr/lib64/python-exec/python3.4/gjl[gjl:10840] uid/euid:0/0 gid/egid:0/0,
parent /usr/bin/jacksum[jacksum:10839] uid/euid:0/0 gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.898653] grsec: (admin:S:/) exec of
/usr/libexec/eselect-java/run-java-tool.bash (java -classpath
/usr/share/jacksum/lib/jacksum.jar -Djava.library.path=/lib:/usr/lib -jar
/usr/share/jacksum/lib/jacksum.jar -V ) by
/usr/libexec/eselect-java/run-java-tool.bash[jacksum:10835] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.907169] grsec: (admin:S:/) exec of
/usr/bin/which (/usr/bin/which java ) by /usr/bin/which[java:10842]
uid/euid:0/0 gid/egid:0/0, parent
/usr/libexec/eselect-java/run-java-tool.bash[java:10841] uid/euid:0/0
gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.908723] grsec: (admin:S:/) exec of
/opt/icedtea-bin-3.0.1/bin/java (/opt/icedtea-bin-3.0.1/bin/java -classpath
/usr/share/jacksum/lib/jacksum.jar -Djava.library.path=/lib:/usr/lib -jar
/usr/share/) by /opt/icedtea-bin-3.0.1/bin/java[java:10835] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.919299] grsec: (admin:S:/) chdir to
/tmp/hsperfdata_root by /opt/icedtea-bin-3.0.1/bin/java[java:10843]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0
gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.919458] grsec: (admin:S:/) chdir to
/Cmn/src by /opt/icedtea-bin-3.0.1/bin/java[java:10843] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.919568] grsec: (admin:S:/) chdir to
/tmp/hsperfdata_root by /opt/icedtea-bin-3.0.1/bin/java[java:10843]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0
gid/egid:0/0

Jul 21 02:06:19 g0n kernel: [26922.919677] grsec: (admin:S:/) chdir to
/Cmn/src by /opt/icedtea-bin-3.0.1/bin/java[java:10843] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:5008] uid/euid:0/0 gid/egid:0/0


And jacksum did the work. As admin, though. So it may be a grsecurity GRADM permissions issue.

As admin. And this issue has popped up only after yesterday's update of my Gentoo ~amd64 system.

A permission issue? But I can't do much about it with the upstream really, other than seek advice from be it advanced grsecurity users who read this or further above. Because...

Because, in my testing (~amd64) Gentoo, the hardened kernel sources:

Code: Select all
# ls -l /usr/portage/sys-kernel/hardened-sources/ | grep hardened
-rw-r--r-- 1 portage portage   1273 2016-02-20 08:51 hardened-sources-4.3.3-r4.ebuild
-rw-r--r-- 1 portage portage   1273 2016-02-28 20:39 hardened-sources-4.4.2.ebuild
-rw-r--r-- 1 portage portage   1273 2016-04-30 19:51 hardened-sources-4.4.8-r1.ebuild
-rw-r--r-- 1 portage portage   1275 2016-06-28 13:39 hardened-sources-4.5.7-r5.ebuild
-rw-r--r-- 1 portage portage   1275 2016-07-12 21:10 hardened-sources-4.6.4.ebuild
#


are regularly updated;

and I have these installed:

Code: Select all
# equery l hardened-sources
 * Searching for hardened-sources ...
[I--] [??] sys-kernel/hardened-sources-4.5.7-r3:4.5.7-r3
[I--] [??] sys-kernel/hardened-sources-4.5.7-r7:4.5.7-r7
[IP-] [  ] sys-kernel/hardened-sources-4.6.4:4.6.4
#


, but the gradm utility:

Code: Select all
# ls -l /usr/portage/sys-apps/gradm/ | grep gradm
-rw-r--r-- 1 portage portage  1081 2016-03-16 07:50 gradm-3.1.201507191652.ebuild
-rw-r--r-- 1 portage portage  1094 2016-05-26 10:17 gradm-3.1.201603152148.ebuild
#


is not. And I suspect that maybe I should try and install a more up-to-date testing (free) gradm, first.

And also, if that is the case, since the Gentoo maintainers had explicitly asked for feedback on grsec-hardened (when it went stable-is-non-free)... [also] do provide some feedback to them...

That could be a lot of work (a lot of other work of mine to leave waiting in the queue for longer).

However, I don't believe I'm safe online without a properly hardened system. To go the NSA Linux (oh I meant the SELinux) way maybe? Like somewhere I listened to even Linus recommending? Ts, ts!

I'll see what I can do to present this case, and if I can try and get a bug presented to Gentoo Hardened team, for simply the gradm utility left without maintainers' "love"...

Bugs are getting galore in Gentoo, just to present a more complete picture. Close to 100 opened (one is mine), I read just yesterday on the gentoo-dev... And there're other issues with Gentoo, too much outside the scope of this topic to tell about them.

Another post, else it'll be too unreadable.
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia
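
The log reading done by hand in the post above can be scripted. This is an added example, not part of the original post: it re-joins the hard-wrapped grsec lines (two entries copied from the post), pairs each denial with the exec that created the same pid, and reports when the subject in the `(role:type:subject)` prefix does not match the command that was run. The function names are this example's own.

```python
import os
import re

# Two log entries copied from the post above, hard-wrapped the same way.
SAMPLE = """\
Jul 20 21:40:22 g0n kernel: [10964.156972] grsec: (miro:U:/usr/bin/youtube-dl)
exec of /usr/lib64/python-exec/python-exec2 (gjl --package jacksum --get-args
--get-jar jacksum.jar --get-vm ) by
/usr/lib64/python-exec/python-exec2[jacksum:5119] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:5118] uid/euid:1000/1000
gid/egid:1000/1000

Jul 20 21:40:22 g0n kernel: [10964.157373] grsec: (miro:U:/usr/bin/youtube-dl)
denied access to hidden file /usr/lib64/python-exec/python-exec2 by
/usr/lib64/python-exec/python-exec2[gjl:5119] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/jacksum[jacksum:5118] uid/euid:1000/1000
gid/egid:1000/1000
"""

HEAD = re.compile(r"grsec: \((?P<role>[^:]+):(?P<rtype>[^:]+):(?P<subject>[^)]+)\) (?P<body>.*)")
EXEC = re.compile(r"exec of (?P<path>\S+) \((?P<argv>.*?) ?\) by \S+\[[^:\]]+:(?P<pid>\d+)\]")
DENY = re.compile(r"denied (?P<what>.+?) by \S+\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")


def records(text):
    """Re-join wrapped lines; a new record starts at each '... grsec: ' line."""
    current = []
    for line in text.splitlines():
        if " grsec: " in line and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)


def triage(text):
    """Return one dict per denial, paired with the argv of the exec for that pid."""
    argv_by_pid = {}
    findings = []
    for rec in records(text):
        head = HEAD.search(rec)
        if not head:
            continue
        ex = EXEC.match(head["body"])
        if ex:
            argv_by_pid[ex["pid"]] = ex["argv"]
            continue
        deny = DENY.match(head["body"])
        if deny:
            argv = argv_by_pid.get(deny["pid"], deny["comm"])
            argv0 = os.path.basename((argv.split() or [deny["comm"]])[0])
            subject = head["subject"]
            findings.append({
                "role": head["role"], "subject": subject, "pid": int(deny["pid"]),
                "argv0": argv0, "denied": deny["what"],
                # Hint only: an inherited subject also differs from argv[0].
                "subject_mismatch": subject != "/" and os.path.basename(subject) != argv0,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the sample it reports the denial for pid 5119 as `gjl` running under the `/usr/bin/youtube-dl` subject.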

Re: Duplicate subject found for "<some python program>"

Postby timbgo » Thu Jul 21, 2016 12:02 pm

title: Duplicate subject found for "<some python program>"
---
Upon maybe the fifth batch of attempted changes to my /etc/grsec/policy, here we
go:

Code: Select all
# gradm -L /etc/grsec/learning.logs -E
Duplicate subject found for "/usr/bin/youtube-dl" in role miro, on line 6523
of /etc/grsec/policy.
"/usr/bin/youtube-dl" references the same object as "/usr/bin/gjl" specified
on an earlier line.
The RBAC system will not load until this error is fixed.
#


Goodness! How can that be? Well it can! See:

Code: Select all
# ls -l /usr/bin/youtube-dl
lrwxrwxrwx 1 root root 31 2016-07-21 08:15 /usr/bin/youtube-dl ->
../lib/python-exec/python-exec2
# ls -l /usr/bin/gjl
lrwxrwxrwx 1 root root 31 2016-07-21 01:54 /usr/bin/gjl ->
../lib/python-exec/python-exec2
#


And yet...:

Code: Select all
# equery b /usr/bin/youtube-dl
 * Searching for /usr/bin/youtube-dl ...
net-misc/youtube-dl-2016.07.13 (/usr/bin/youtube-dl -> ../lib/python-exec/python-exec2)
# equery b /usr/bin/gjl
 * Searching for /usr/bin/gjl ...
dev-java/java-config-2.2.0-r3 (/usr/bin/gjl -> ../lib/python-exec/python-exec2)
#


...[yet] these files portage accounts for as belonging to completely different
packages!

But I have to show the attempted changes (some of them), that brought that
"Duplicate subject..." won't-start gradm message.

Here, I added:

Code: Select all
# Role: miro
subject /usr/bin/gjl ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

# Role: miro
subject /usr/bin/jacksum ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

# Role: miro
subject /usr/lib64/python-exec ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}


( the last learning subject above being out of desperation ;-( )

So could this be a portage bug?

And yet, given that as admin jacksum can do any work, it is still a permission
issue.

However, I've already dedicated to this issue more than three hours (at time
of last proofreading, it's been probably 6, but I solved this). Anything
else I do these days is waiting in queue.

And it is still overwhelming for me this trying to get to the solution to this.

Any advice will be appreciated (at time of last proofreading, no need, I solved this).

I'll try to leave this complete (as far as my aptitude in the matters) report,
and, with the last ounces of patience and concentration left, try and put
together a bug report on Gentoo Bugzilla.

At final proofreading time we are at.

The reason was the bad subject for youtube-dl. It was like this:

Code: Select all
# Role: miro
subject /usr/bin/youtube-dl o {
   /            h
   /bin            h
   /bin/env         x
   /etc            h
   /etc/ld.so.cache      r
   /lib64            h
   /lib64/ld-2.*.so      x
   /lib64/libc-2.*.so      rx
   /usr            h
   /usr/bin         rx
   /usr/lib64         h
   /usr/lib64/locale/locale-archive   r
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   bind 127.0.0.1/32:1024-65535 stream tcp
   connect 0.0.0.0/0:1024-65535 stream dgram tcp udp
   connect 127.0.0.1/32:1024-65535 stream dgram tcp udp
   sock_allow_family unix inet
}


And I commented out the entire subject, from '# role: miro' to the last '}', as if I deleted it, and jacksum works like a breeze...

And I may be a little close to solving this issue that I already wrestled with:

youtube-dl RBAC policy
viewtopic.php?f=5&t=4268

but I'm not yet there...

timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia
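
The collision that gradm rejected in the post above can be looked for before the policy is loaded. This is an added example, not part of the original post and not gradm's code: it assumes "the same object" means the same device and inode once symlinks are followed, and the policy fragment, the temporary directory tree and the `root` parameter are constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

ROLE = re.compile(r"^\s*role\s+(\S+)")
SUBJECT = re.compile(r"^\s*subject\s+(\S+)")

# Constructed policy fragment in the style of the subjects quoted in the post.
DEMO_POLICY = """\
role miro u
subject /usr/bin/gjl ol {
   /            h
}
subject /usr/bin/jacksum ol {
   /            h
}
subject /usr/bin/youtube-dl o {
   /            h
}
"""


def duplicate_subjects(policy_text, root="/"):
    """Return [(role, [(line, subject), ...])] for subjects sharing one file.

    Assumption: two subjects collide when their paths reach the same
    (device, inode) after symlinks are followed, which os.stat() reports.
    `root` is a prefix added by this example so it can run on a test tree.
    """
    seen = defaultdict(list)  # (role, st_dev, st_ino) -> [(line, subject)]
    role = None
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        m = ROLE.match(line)
        if m:
            role = m.group(1)
            continue
        m = SUBJECT.match(line)
        if not m:
            continue
        try:
            st = os.stat(os.path.join(root, m.group(1).lstrip("/")))
        except OSError:
            continue  # path absent on this system: nothing to compare
        seen[(role, st.st_dev, st.st_ino)].append((lineno, m.group(1)))
    return [(key[0], hits) for key, hits in seen.items() if len(hits) > 1]


def run_demo():
    """Build the post's layout (two symlinks, one wrapper) in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        os.makedirs(os.path.join(root, "usr/lib/python-exec"))
        for plain in ("usr/lib/python-exec/python-exec2", "usr/bin/jacksum"):
            open(os.path.join(root, plain), "w").close()
        for name in ("gjl", "youtube-dl"):
            os.symlink("../lib/python-exec/python-exec2",
                       os.path.join(root, "usr/bin", name))
        return duplicate_subjects(DEMO_POLICY, root)


if __name__ == "__main__":
    for role, hits in run_demo():
        print(f"role {role}: same object for", hits)
```

Because the comparison is by device and inode, hard links to one file are reported as well as symlinks.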

Re: Duplicate subject found for "<some python program>"

Postby timbgo » Fri Dec 16, 2016 6:53 pm

Pls. see over here:
viewtopic.php?f=5&t=4268&p=16798#p16798

I just solved this issue.
---
Regards!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

