
My Hard Earned RBAC policy for Mutt

PostPosted: Thu Jul 16, 2015 2:07 pm
by timbgo
I have solved an issue that unexpectedly appeared and annoyed me in all of some 15 to 20 hours that I was recompiling Mutt.

You can see the video (if you have the spare 5 minutes of its duration), but if you don't, I'll try and explain.

http://www.croatiafidelis.hr/foss/cap/c ... entoo.webm

You need to understand, that Mutt is a mail client and transfer agent, probably the most sane there is, but not a GUI one. Rather, programmers and advanced users do their emailing with it.

Advanced users, bear a little patience. I like also the newbies to be able to understand.

Every mail client displays mail, and it displays the content primarily. While Mutt can be set to first display all the headers every time you open an email in the terminal you are running Mutt in, and when you're done looking at them, show you the content, the Mutt that I have been using for months in my Gentoo, which I build with the Portage package management of Gentoo, has been always showing me the long pages of headers, and I had to PgDwn to get to the contents of emails, and that behavior wasn't settable nor fixable in any way.

Also, Mutt has a really fine manual which at the press of F1, you can get in the same terminal window that you have opened the Mutt in, and you get it in place of Mutt, look it up, close it when you are done, and you are back in Mutt. And in my Gentoo Mutt that feature was deliberately not available because the developers in charge deemed it unseemly.

For these (and other) reasons, I decided to try and find a way in Gentoo Portage, write my own ebuild from the official one, and deploy Mutt with content shown in mails as default, and not headers, and with the manual available in Mutt.

The lengthy discussion on that matter with ups and downs is available on Gentoo Forums. The most recent starts at:

Mutt without Portage/in Local Overlay
https://forums.gentoo.org/viewtopic-t-1 ... ml#7779222

And you can see that I here and there in that discussion and research decided to do it the out-of-portage way, the compilation from source that is independent of the package managers of various Linuces.

And I, at first, got me the completely functional Mutt, as I wanted, from out-of-portage compilation.

However, almost a day ago, all of a sudden, upon a recompilation, even the out-of-portage Mutt started behaving just like the one built from official Gentoo portage!

It showed, after a lot of recompiling, a lot of looking into the logs, a lot of poring over, that some of the issues were related to my grsecurity policies, and that is why I've opened this topic.

In some maybe a dozen recompilations, at long last, I, apparently, fixed all the issues. I thought this might be somewhat a typical case of setting up policies, and that it would be useful for me and for others to post this, so the lesser advanced like me, and those yet new and willing to read and learn, would benefit from my experience.

It's all pretty all over the place, in the build logs, the system log, in my notes, and, the solutions themselves, in my recollection. I'll try to put it together and say the most important parts.

I always work on a copy of /etc/grsec/policy file, and not on the file itself:

Code:
# cp -iav /etc/grsec/policy grsec_150714_g0n_05

But that one wasn't less than a day ago, but almost two days ago? It's that I also clone my systems, and keep the master copy never to see online, never ever, but only a cloned copy of the system on another same hardware system goes online.

When I messed up last night late (it is now early evening in Europe), I restored that master system from backup, as I was incredulous that the functionality of showing me the content of mails, and the manual, was not anymore there. That one I reused not much earlier than the others, in a row:

Code:
$ ls -l
total 1456
-rw------- 1 root root 113575 2015-07-14 23:56 grsec_150714_g0n_05
-rw------- 1 root root 113603 2015-07-16 08:15 grsec_150716_g0n_00
-rw------- 1 root root 113627 2015-07-16 08:24 grsec_150716_g0n_01
-rw------- 1 root root 113483 2015-07-16 08:30 grsec_150716_g0n_02
-rw------- 1 root root 113533 2015-07-16 08:39 grsec_150716_g0n_03
-rw------- 1 root root 114003 2015-07-16 08:49 grsec_150716_g0n_04
-rw------- 1 root root 114022 2015-07-16 08:52 grsec_150716_g0n_05
-rw------- 1 root root 114005 2015-07-16 10:14 grsec_150716_g0n_06
-rw------- 1 root root 114059 2015-07-16 11:21 grsec_150716_g0n_07
-rw------- 1 root root 114060 2015-07-16 11:32 grsec_150716_g0n_08
-rw------- 1 root root 114065 2015-07-16 11:46 grsec_150716_g0n_09
-rw------- 1 root root 114083 2015-07-16 11:57 grsec_150716_g0n_10
-rw------- 1 root root 114115 2015-07-16 15:06 grsec_150716_g0n_11


Let me see:

# diff grsec_150714_g0n_05 grsec_150716_g0n_00
Code:
4325a4326
>    /usr/share/automake-1.15   r
#

I remember vaguely that my compilation of Mutt wouldn't be successful, because there were lines like:

# grep '\/usr\/share\/automake-1.15' /var/log/messages | grep denied
Code:
Jul 16 08:18:23 gbn kernel: [ 4659.521289] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/automake-1.15/compile by /bin/cp[cp:3457] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:18:23 gbn kernel: [ 4659.535785] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/automake-1.15/install-sh by /bin/cp[cp:3460] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000

(It will be consistently actual output from my logs, lest I post something wrong.)

The next diff:
# diff grsec_150716_g0n_00 grsec_150716_g0n_01
Code:
4326a4327
>    /usr/share/gnuconfig   r

shows that I added that line because of

# grep '\/usr\/share\/gnuconfig' /var/log/messages | grep denied
Code:
Jul 16 08:18:23 gbn kernel: [ 4659.526164] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/gnuconfig/config.guess by /bin/cp[cp:3458] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:18:23 gbn kernel: [ 4659.530377] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/gnuconfig/config.sub by /bin/cp[cp:3459] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000


It shows that I missed allowing the entire compiler, look:

# diff grsec_150716_g0n_01 grsec_150716_g0n_02
Code:
639,641c639,641
< #   /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4   
< #   /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4/x86_64-pc-linux-gnu-g++   x
< #   /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4/x86_64-pc-linux-gnu-gcc   x
---
> #   /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5   
> #   /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-g++   x
> #   /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc   x
2988c2988
< subject /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1 o {
---
> subject /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1 o {
3009c3009
<    /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1   x
---
>    /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1   x
3500c3500
<    /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4   
---
>    /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5   
3505,3507d3504
<    /var/lib/rkhunter/tmp/mirrors.dat.6hadQeOMUw   w
<    /var/lib/rkhunter/tmp/mirrors.dat.cy1b9KDXNC   w
<    /var/lib/rkhunter/tmp/rkhunter.upd.dA7ntnkWDc   


I had updated to version 4.8.5 of gcc, but in the policy there was still 4.8.4. No go.

I had to figure that out from the logs, however (this one is human recollection brought here, I thought pretty hard to figure it out!)

# grep '\/cc1' /var/log/messages | grep denied
Code:
Jul 16 08:33:22 gbn kernel: [ 5559.034156] grsec: (miro:U:/) denied open of /usr/include/stdc-predef.h for reading by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:6240] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:6239] uid/euid:1000/1000 gid/egid:1000/1000
...

Jul 16 08:52:35 gbn kernel: [ 6712.502051] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:8296] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:8295] uid/euid:1000/1000 gid/egid:1000/1000
...
Jul 16 10:20:39 gbn kernel: [ 4504.366922] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:9370] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:9369] uid/euid:1000/1000 gid/egid:1000/1000
...
Jul 16 11:45:19 gbn kernel: [ 9587.573225] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied open of /tmp/cgaDVr78/dummy.c for reading by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:22110] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:22109] uid/euid:1000/1000 gid/egid:1000/1000


What I remember is my sense of almost helplessness when I saw the build process complain in the config.log:
compiler can not make executable


==***===
I know these are not yet complete information without the roles and the subjects those added lines apply to, but allow me to glean just a little more from the diffs, and then the complete added policies to which those lines respectively belong.
==***===

# diff grsec_150716_g0n_02 grsec_150716_g0n_03
Code:
4178a4179
>    /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1   x
#


This one almost is one, as here I added the role for user myself to allow compiling, as user:

# diff grsec_150716_g0n_03 grsec_150716_g0n_04
Code:
4179d4178
<    /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.4/cc1   x
5820a5820,5850
> }
>
> # Role: miro
> subject /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1 o {
>    /            h
>    /dev            
>    /dev/grsec         h
>    /dev/kmem         h
>    /dev/log         h
>    /dev/mem         h
>    /dev/null         rw
>    /dev/port         h
>    /dev/urandom         r
>    /etc            h
>    /etc/ld.so.cache      r
>    /lib64            rx
>    /lib64/modules         h
>    /proc            h
>    /proc/meminfo         r
>    /tmp            w
>    /usr            
>    /usr/include         r
>    /usr/lib64         rx
>    /usr/libexec         h
>    /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1   x
>    /usr/share         h
>    /usr/share/locale      r
>    /usr/src         rwxc
>    -CAP_ALL
>    bind   disabled
>    connect   disabled
#


This one was because the compiler couldn't write in the ~/hg/mutt/ originally mercurial download directory:

# diff grsec_150716_g0n_04 grsec_150716_g0n_05
Code:
5834a5835
>    /home/miro/hg      rw


Let me try and remember what the message was that taught me to add that line...

Code:
Jul 16 08:03:39 gbn kernel: [ 3775.397504] grsec: (miro:U:/bin/bash) denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /home/miro/hg/mutt/prepare by /home/miro/hg/mutt/prepare[bash:2435] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2936] uid/euid:1000/1000 gid/egid:1000/1000
...
Jul 16 08:44:40 gbn kernel: [ 6237.721055] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied access to hidden file /home/miro/hg/mutt/conftest.c by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:7554] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:7553] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:52:35 gbn kernel: [ 6712.470007] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:8291] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:8290] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 08:56:50 gbn kernel: [ 6968.228219] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:12260] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:12259] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 09:25:06 gbn kernel: [ 1169.540701] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:4224] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:4223] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 09:25:06 gbn kernel: [ 1169.676216] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.o for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:4254] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:4253] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 10:26:43 gbn kernel: [ 4869.169943] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:13264] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:13263] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:34:41 gbn kernel: [ 8949.693924] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:19995] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:19994] uid/euid:1000/1000 gid/egid:1000/1000



===========************===========
===========************===========

Let's see the entire policies, the ones that I have changed and that now were working better (no, not all the work was yet done!).

This one, as I already mentioned, was a complete new addition:

Code:
# Role: miro
subject /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1 o {
   /            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/urandom         r
   /etc            h
   /etc/ld.so.cache      r
   /home/miro/hg      rw
   /lib64            rx
   /lib64/modules         h
   /proc            h
   /proc/meminfo         r
   /tmp            w
   /usr            
   /usr/include         r
   /usr/lib64         rx
   /usr/libexec         h
   /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1   x
   /usr/share         h
   /usr/share/locale      r
   /usr/src         rwxc
   -CAP_ALL
   bind   disabled
   connect   disabled
}


The policy for user miro has changed with the
Code:
   /usr/share/automake-1.15   r
   /usr/share/gnuconfig   r

lines.

Code:
# Role: miro
subject /bin/cp o {
   /            h
   /Cmn            r
   /Cmn/dLo         rwc
   /Cmn/F*            rwc
   /Cmn/Kaff         rwxcd
   /Cmn/MyVideos         rwxcd
   /Cmn/gX            rwc
   /Cmn/m*            rwc
   /Cmn/naibdX            rwc
   /bin            h
   /bin/cp            x
   /etc            h
   /etc/ld.so.cache      r
   /home            h
   /home/miro      rwxcd
   /lib64            rx
   /lib64/modules         h
   /mnt            h
   /mnt/g?-C         r
   /mnt/g?-C/Kaff      rwxcd
   /mnt/g?-C/MyVideos      rwxcd
   /mnt/g?-C/dLo         rwxcd
   /mnt/g?-C/m*      rwxcd
   /mnt/g?-?1         rwxcd
   /mnt/g?n-C         r
   /mnt/g?n-C/Kaff      rwxcd
   /mnt/g?n-C/MyVideos      rwxcd
   /mnt/g?n-C/dLo         rwxcd
   /mnt/g?n-C/m*      rwxcd
   /mnt/g?n-?1         rwxcd
   /mnt/sd?1         rwcd
   /mnt/sr0         r
   /usr            h
   /usr/lib64/gconv/gconv-modules.cache   r
   /usr/lib64/locale/locale-archive   r
   /usr/local/bin      x
   /usr/share/automake-1.15   r
   /usr/share/gnuconfig   r
   /usr/share/locale      r
   /var            
   /var/www/localhost/htdocs         rwcd
   -CAP_ALL
   bind   disabled
   connect   disabled
}


But I remember I went haywire because it appeared not to work, and the lines were correct!

Here's why. I mistakenly added those lines in the Role: root instead. It couldn't have worked. I also left the root as I changed it:

Code:
# Role: root
subject /bin/cp o {
   /            h
   /Cmn            r
   /Cmn/Kaff         rwxcd
   /Cmn/dLo         rwc
   /Cmn/gX         rwc
   /Cmn/m*         rwc
   /Cmn/naibdX         rwc
   /bin            h
   /bin/cp            x
   /etc            h
   /etc/ld.so.cache      r
   /home            h
   /home/miro         r
   /lib64            rx
   /lib64/modules         h
   /mnt            h
   /mnt/g?-C         r
   /mnt/g?-C/Kaff      rwxcd
   /mnt/g?-C/MyVideos      rwxcd
   /mnt/g?-C/dLo         rwxcd
   /mnt/g?-C/m*      rwxcd
   /mnt/g?-?1         rwxcd
   /mnt/g?n-C         r
   /mnt/g?n-C/Kaff      rwxcd
   /mnt/g?n-C/MyVideos      rwxcd
   /mnt/g?n-C/dLo         rwxcd
   /mnt/g?n-C/m*      rwxcd
   /mnt/g?n-?1         rwxcd
   /mnt/F*         rwc
   /mnt/sde1/rsync.sh      r
   /mnt/sde1/rsync_netcologne.sh   r
   /mnt/sde1/wget.sh      r
   /mnt/sr0         r
   /root            rwcd
   /usr            h
   /usr/lib64         h
   /usr/lib64/gconv/gconv-modules.cache   r
   /usr/lib64/locale/locale-archive   r
   /usr/local         h
   /usr/local/bin      rwx
   /usr/share         h
   /usr/share/automake-1.15   r
   /usr/share/gnuconfig   r
   /usr/share/locale      r
   /usr/src         r
   /var            h
   /var/log         rwc
   -CAP_ALL
   +CAP_CHOWN
   +CAP_DAC_OVERRIDE
   +CAP_FOWNER
   +CAP_FSETID
   bind   disabled
   connect   disabled
}


My recollection goes only so far... But I hope, on the one hand, that others who struggle to apply their policies might find this useful. And also, maybe more advanced users can point to some misconfigurations I made...

# diff grsec_150716_g0n_05 grsec_150716_g0n_06
Code:
4271c4271
<    /usr/share/info/coreutils.info.bz2   r
---
>    /usr/share/info         r


was really long overdue. I couldn't browse info pages really. Now I can:
Code:
# Role: miro
subject /bin/bash o {
   /            
   /Cmn            r
   /Cmn/ls-ABRgo*         rwcdl
   /Cmn/Kaff         rwxcd
   /Cmn/MyVideos         rwxcd
   /Cmn/dLo         rwxcd
   /Cmn/gX            rwxcdl
   /Cmn/m*            rwxcdl
   /export            rwxcd
   /bin            x
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/tty         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home/miro         rwxcdl
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   /mnt/g?-C         r
   /mnt/g?-C/Kaff      rwxcd
   /mnt/g?-C/MyVideos      rwxcd
   /mnt/g?-C/dLo         rwxcd
   /mnt/g?-C/m*      rwxcd
   /mnt/g?-?1         rwxcd
   /mnt/g?n-C         r
   /mnt/g?n-C/Kaff      rwxcd
   /mnt/g?n-C/MyVideos      rwxcd
   /mnt/g?n-C/dLo         rwxcd
   /mnt/g?n-C/m*      rwxcd
   /mnt/g?n-?1         rwxcd
   /mnt/sd?1         rwxcdl
   /mnt/sr0         r
   /proc            h
   /proc/meminfo         r
   /sbin            h
   /sbin/macchanger      
   /sbin/openrc         
   /sbin/xtables-multi      
   /sys            h
   /tmp            rwcd
   /usr            
   /usr/bin         x
   /usr/bin/cvs      x
   /usr/bin/info      x
   /usr/bin/man      x
   /usr/bin/mencoder      x
   /usr/bin/mplayer      x
   /usr/bin/java      rx
   /usr/lib64         rx
   /usr/libexec/git-core   rx
   /usr/libexec/eselect-java/run-java-tool.bash   rx
   /usr/local         
   /usr/local/bin         rwxc
   /usr/sbin         h
   /usr/sbin/sendmail      rx   
   /usr/share         h
   /usr/share/info         r
   /usr/share/cvs/contrib/rcs2log   
   /usr/share/locale      r
   /usr/src         h
   /var            
   /var/log         h
   /var/tmp         rwcd
   /var/www/localhost/htdocs         rwcd
   -CAP_ALL
   bind   disabled
   connect   disabled
   sock_allow_family all
}


This is going to be the last one, before a few policies that I will later search for some exact particular reasons.

I made lots of small changes from grsec_150716_g0n_06 to grsec_150716_g0n_11 (there are 7, 8, 9 and 10 in between), but I'll make it simpler here:

# diff grsec_150716_g0n_06 grsec_150716_g0n_11
Code:
2426a2427
>    /usr/etc            r
2444a2446
>    /usr/etc         r
2999a3002
>    /home/miro/hg      rwc
3004c3007
<    /tmp            w
---
>    /tmp            rw
4603a4607
>    /tmp            rwcdmli
5318a5323
>    /home/miro/hg      rw         
5491a5497
>    /usr/etc            r
5673c5679
<    /tmp            rwcd
---
>    /tmp            rwcdl
5680c5686
<    /usr/share         rwc
---
>    /usr/share         rwcdl
5835c5841
<    /home/miro/hg      rw
---
>    /home/miro/hg      crw
5840c5846
<    /tmp            w
---
>    /tmp            rwc


That's the diff with my current policy, because:

Code:
# diff grsec_150716_g0n_11 /etc/grsec/policy
#

returns an empty string.

I'm a little uneasy with the
Code:
>    /tmp            rwcdmli

but it just kept telling me, let me find it:

Code:
# grep 'unlink' /var/log/messages  | grep denied
Jul 16 11:48:33 gbn kernel: [ 9781.397191] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgZqmlhe/dummy.c by /bin/rm[rm:26386] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:26385] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:48:33 gbn kernel: [ 9781.397246] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgZqmlhe/dummy.o by /bin/rm[rm:26386] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:26385] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:55:43 gbn kernel: [10212.443252] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgV8tR1R/dummy.c by /bin/rm[rm:30663] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:30662] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:55:43 gbn kernel: [10212.443331] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgV8tR1R/dummy.o by /bin/rm[rm:30663] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:30662] uid/euid:1000/1000 gid/egid:1000/1000


Let me see the rm subject, role miro...
Code:
# Role: miro
subject /bin/rm o {
   /            
   /Cmn            wd
   /bin            h
   /bin/rm            x
   /boot            h
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/port         h
   /etc            h
   /etc/ld.so.cache      r
   /home            h
   /home/miro         wd
   /home/miro/public_html      rwcd
#   /lib/modules         h
   /lib64            h
   /lib64/ld-2.20.so      x
   /lib64/libc-2.20.so      rx
   /mnt            r
   /mnt/sd?1         rwcd
   /mnt/g?-C         r
   /mnt/g?-C/Kaff      rwxcd
   /mnt/g?-C/MyVideos      rwxcd
   /mnt/g?-C/dLo         rwxcd
   /mnt/g?-C/m*      rwxcd
   /mnt/g?-?1         rwxcd
   /mnt/g?n-C/Kaff      rwxcd
   /mnt/g?n-C/MyVideos      rwxcd
   /mnt/g?n-C/dLo         rwxcd
   /mnt/g?n-C/m*      rwxcd
   /mnt/g?n-?1         rwxcd
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /sys            h
   /usr            h
   /usr/lib64/gconv/gconv-modules.cache   r
   /usr/lib64/locale/locale-archive   r
   /usr/share/locale      r
   /tmp            rwcdmli
   /var            h
   /var/www         wd
   /var/www/localhost/htdocs      rwcdl
   -CAP_ALL
   bind   disabled
   connect   disabled
}


Aargh, the subject Mutt now:

Code:
# Role: miro
subject /usr/bin/mutt o {
   /            h
   /bin            h
   /bin/bash         x
   /dev            h
   /dev/log         rw
   /dev/tty         r
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            
   /home/miro         rwxcdl
   /Cmn/dLo         rwxcdl
   /lib64            rx
   /lib64/modules         h
   /proc            h
   /proc/meminfo         r
   /tmp            rwcdl
   /usr            h
   /usr/etc            r
   /usr/bin         h
   /usr/bin/mutt         x
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/sendmail      x
   /usr/share         h
   /usr/share/locale      r
   -CAP_ALL
   bind   0.0.0.0/32:0 dgram ip
   connect   127.0.0.1/32:143 stream dgram tcp udp
   sock_allow_family ipv6 netlink
}

That:
Code:
   /tmp            rwcdl

I believe was sorely needed too!

Just like, further above, the lynx subject, role miro... Let me show you.

Code:
# Role: miro
subject /usr/bin/lynx o {
   /            
   /Cmn         r
   /Cmn/dLo         wc
   /Cmn/m*            wc
   /Cmn/Kaff         wc
   /bin            h
   /bin/bash         x
   /boot            h
   /dev            h
   /dev/pts         
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/passwd         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            
   /home/miro         
   /home/miro/hg      rw         
   /home/miro/.mailcap      r
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /run            h
   /run/utmp         r
   /sys            h
   /tmp            rwcd
   /usr            h
   /usr/bin         h
   /usr/bin/lynx         rx
   /usr/lib64         rx
   /usr/share         h
   /usr/share/doc   r
   /usr/share/locale      r
   /var/log         h
   /var/www/localhost/htdocs      r
   -CAP_ALL
   bind   0.0.0.0/32:0 dgram ip
   connect   0.0.0.0/0:80 stream dgram tcp udp
   connect   0.0.0.0/0:443 stream dgram tcp udp
   connect   0.0.0.0/0:53 stream dgram tcp udp
   connect   127.0.0.1/32:8008 stream dgram tcp udp
   connect   127.0.0.1/32:9999 stream dgram tcp udp
   connect   192.168.3.0/24:9999 stream dgram tcp udp
   sock_allow_family unix inet netlink
}


I bet it was this one that was missing:
Code:
   /tmp            rwcd

because

# grep 'lynx' /var/log/messages | grep denied
Code:
Jul 16 08:56:50 gbn kernel: [ 6968.228219] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:12260] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:12259] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 10:26:43 gbn kernel: [ 4869.169943] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:13264] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:13263] uid/euid:1000/1000 gid/egid:1000/1000
Jul 16 11:34:41 gbn kernel: [ 8949.693924] grsec: (miro:U:/usr/bin/lynx) denied open of /home/miro/hg/mutt/doc/manual.html for reading by /usr/bin/lynx[lynx:19995] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:19994] uid/euid:1000/1000 gid/egid:1000/1000

Look at the dates! That was a matter belonging now to the class of issues that I might be finally getting the grip on. But this wasn't so easy figuring it out in all that the machine constantly talks and whines and grumbles...

And I was finding manual.txt of size zero in my Mutt installs!

I could go and (but I'm really tired) find where it builds Mutt in the build dir, and it says there the process would use lynx to dump the libxslt-made manual.html from manual.xml (or to that effect), but it didn't tell it stumbled on any errors!

Really tired. I know these were the most important, the vim needed permissions, special ones, wait... And the /usr/etc needed to be allowed for Mutt...

The Mutt is already posted above. Just look at the line:
Code:
   /usr/etc            r


And vim
Code:
# Role: miro
subject /usr/bin/vim o {
   /            
   /Cmn         r
   /Cmn/ls-ABRgo*         rwcdl
   /Cmn/Kaff         rwcd
   /Cmn/MyVideos      rwcd
   /Cmn/dLo         rwcd
   /Cmn/m*         rwcd
   /Cmn/gX         rwcd
   /home/miro         rwcd
   /bin            h
   /bin/bash         x
   /bin/bzip2         
   /boot            h
   /dev            h
   /dev/null         rw
   /dev/urandom         r
   /etc            rwcd
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /etc/terminfo         
   /etc/terminfo/l/linux      r
   /etc/terminfo/r/rxvt-unicode   r
   /etc/vim         
   /etc/vim/vimrc         r
   /etc/vim/vimrc.local      r
   /home            h
   /home/miro         rwcd
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   /mnt/sd?1         rwcd
   /mnt/g?-C         r
   /mnt/g?-C/Kaff      rwxcd
   /mnt/g?-C/MyVideos      rwxcd
   /mnt/g?-C/dLo         rwxcd
   /mnt/g?-C/m*      rwxcd
   /mnt/g?-?1         rwxcd
   /mnt/g?n-C/Kaff      rwxcd
   /mnt/g?n-C/MyVideos      rwxcd
   /mnt/g?n-C/dLo         rwxcd
   /mnt/g?n-C/m*      rwxcd
   /mnt/g?n-?1         rwxcd
   /proc            h
   /proc/meminfo         r
   /sys            h
   /tmp            rwcdl
   /usr            
   /usr/bin         x
   /usr/lib64         rx
   /usr/local         h
   /usr/local/bin         
   /usr/local/bin/uncenz-kill   rw
   /usr/share         rwcdl
   /usr/src         h
   /var            h
   /var/tmp         rwcd
   /var/www/localhost/htdocs      rwcdl
   -CAP_ALL
   bind   disabled
   connect   disabled
}


Do you see the line:
Code:
   /tmp            rwcdl

I believe that line and the /usr/etc line in Mutt were the last that I added, and after that the toggle header weeding worked, and the manual was shown inside Mutt's own window, with Vim of course (my editor; I know spender uses nano, but Vim is great too).
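As an added example (not the poster's code, and not part of gradm), here is a small Python parser for the grsec denial lines quoted in this post: it pulls role, subject and object path out of each line, maps the denied operation to the object mode that would have allowed it, and prints the result in the layout the policy file uses, so a "denied" line can be turned into a candidate object line without guessing. The mode mapping and the log layout are assumptions taken from the lines on this page; the TPE "untrusted exec" denial is set apart because no object line fixes it.

```python
import re
from collections import defaultdict

# Every grsec RBAC denial in the post has the same header:
#   grsec: (<role>:<roletype>:<subject>) denied <what> by <binary>[<comm>:<pid>] ...
_HEADER = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied (?P<rest>.*?) by (?P<bin>/\S+?)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\]"
)

# The <what> forms seen in the post, mapped to the object mode the operation needed
# (r read, w write, c create, d delete, x execute). "access to hidden file" means a
# parent object is 'h', so the child needs an explicit object. A TPE "untrusted exec"
# denial is not an RBAC object decision, so it maps to None.
_OPS = [
    (re.compile(r"^access to hidden file (?P<path>\S+)$"), lambda m: "r"),
    (re.compile(r"^open of (?P<path>\S+) for (?P<how>reading|writing)$"),
     lambda m: "r" if m.group("how") == "reading" else "w"),
    (re.compile(r"^create of (?P<path>\S+) for writing$"), lambda m: "wc"),
    (re.compile(r"^unlink of (?P<path>\S+)$"), lambda m: "d"),
    (re.compile(r"^untrusted exec \([^)]*\) of (?P<path>\S+)$"), lambda m: None),
]

_ORDER = "rwxcdl"  # order in which modes are printed, as in the policy file


def parse_line(line):
    """Parse one kernel log line; return a denial record, or None if it is not one."""
    h = _HEADER.search(line)
    if h is None:
        return None
    rest = h.group("rest")
    for pattern, mode_of in _OPS:
        m = pattern.match(rest)
        if m:
            return {
                "role": h.group("role"),
                "subject": h.group("subject"),  # "/" = the role's default subject caught it
                "binary": h.group("bin"),
                "path": m.group("path"),
                "mode": mode_of(m),
            }
    return None


def suggest_objects(lines):
    """Group denials by (role, subject) -> path -> needed modes; TPE hits kept apart."""
    objects = defaultdict(lambda: defaultdict(set))
    tpe = []
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        if d["mode"] is None:
            tpe.append(d)
        else:
            objects[(d["role"], d["subject"])][d["path"]].update(d["mode"])
    return objects, tpe


def render(objects, tpe):
    """Format the suggestions in the object-line layout of /etc/grsec/policy."""
    out = []
    for (role, subject), paths in sorted(objects.items()):
        out.append(f"# Role: {role}")
        if subject == "/":
            out.append("# hit the default subject: give the binary its own subject block")
        else:
            out.append(f"# subject {subject} is missing:")
        for path in sorted(paths):
            mode = "".join(c for c in _ORDER if c in paths[path])
            out.append(f"   {path}   {mode}")
    for d in tpe:
        out.append(f"# TPE blocked {d['path']} for role {d['role']}: not an RBAC object "
                   "problem, check the directory's ownership or the user's TPE group")
    return "\n".join(out)


# Sample input: five denial lines copied from the post above (hidden file, default
# subject "/", create, unlink, and one TPE denial).
SAMPLE_LOG = [
    "Jul 16 08:18:23 gbn kernel: [ 4659.521289] grsec: (miro:U:/bin/cp) denied access to hidden file /usr/share/automake-1.15/compile by /bin/cp[cp:3457] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/automake-1.15[automake-1.15:3256] uid/euid:1000/1000 gid/egid:1000/1000",
    "Jul 16 08:33:22 gbn kernel: [ 5559.034156] grsec: (miro:U:/) denied open of /usr/include/stdc-predef.h for reading by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:6240] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:6239] uid/euid:1000/1000 gid/egid:1000/1000",
    "Jul 16 08:52:35 gbn kernel: [ 6712.502051] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1) denied create of /home/miro/hg/mutt/conftest.dir/sub/conftest.TPo for writing by /usr/libexec/gcc/x86_64-pc-linux-gnu/4.8.5/cc1[cc1:8296] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/4.8.5/x86_64-pc-linux-gnu-gcc[gcc:8295] uid/euid:1000/1000 gid/egid:1000/1000",
    "Jul 16 11:48:33 gbn kernel: [ 9781.397191] grsec: (miro:U:/bin/rm) denied unlink of /tmp/cgZqmlhe/dummy.c by /bin/rm[rm:26386] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:26385] uid/euid:1000/1000 gid/egid:1000/1000",
    "Jul 16 08:03:39 gbn kernel: [ 3775.397504] grsec: (miro:U:/bin/bash) denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /home/miro/hg/mutt/prepare by /home/miro/hg/mutt/prepare[bash:2435] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2936] uid/euid:1000/1000 gid/egid:1000/1000",
]

if __name__ == "__main__":
    print(render(*suggest_objects(SAMPLE_LOG)))
```

The output is a candidate list to review by hand, not something to paste in blindly: a denial on a build scratch path usually wants the narrowest object that still covers it, and an object with "/" as subject points at a missing subject block rather than a missing line.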

Re: My Hard Earned RBAC policy for Mutt

PostPosted: Fri Jul 17, 2015 3:00 am
by timbgo
For anyone following the case of Mutt installed from portage and out-of-portage, the question that arises is surely, could it be because of the wrong permission setup in my grsecurity-hardened kernel, id est the RBAC policy setup, that also my portage-installed Mutt didn't show those headers that need to be toggleable, and are not?

Well, view it and study it for yourself, if there is anything in my gradm policies that I need to fix, regarding Mutt from portage:

http://www.croatiafidelis.hr/foss/cap/c ... 5_g0n.webm

and the related files in the subdir:

http://www.croatiafidelis.hr/foss/cap/c ... tage-mutt/

(The signed sums are for the whole dir in its parent directory:
http://www.croatiafidelis.hr/foss/cap/c ... _gen_mutt/ )

Thanks!