-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Why would you specify "hs" for /root in the root policy? The "h" flag will hide that path from the role. You probably want something like:

role root uG
subject / {
        /       r
        #
        # (other filesystem paths and permissions here)
        #
        /root   r
        # capabilities, etc, here
        -CAP_ALL
        bind    disabled
        connect disabled
}

Replacing the object flag "h" with "hs" will still hide things. ;) In the same way, changing from "x" to "rx" will still not allow you to write to the file.

You might want to take a look at this[1] link...

[1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes

Hope that helps...


brant williams
FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002



On Sun, 23 Nov 2008, [EMAIL PROTECTED] wrote:

Date: Sun, 23 Nov 2008 10:48:51 +0100 (CET)
From: [EMAIL PROTECTED]
Reply-To: gentoo-hardened@lists.gentoo.org
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Grsecurity: Role flag "G" problem

Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some
error messages are logged every time I authenticate myself as root.
"
Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
"
Role flag "G" is specified for root in order to make this user able to
authenticate using gradm. Some directories - including boot - are hidden.
Even if I replace "h" with "hs" for role root, these messages still get
logged. If I try to create a policy for gradm, grsec reports that I've
tried to modify an already existing instance, which is probably included
because of Role flag "G", but the exact contents are hidden.
This behavior appeared recently.

Did I miss something?
Any ideas on this are greatly appreciated.

Is it discouraged to authenticate using gradm while logged in as root?

Regards,
Dw.
--
Dr Attila Tóth, Radiologist specialist candidate, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEAREIAAYFAkkp214ACgkQdCBnhE3rYAL4tQCfVPEcDL7KWf7s6NfdbDJiPcsd
+LkAoIxwNx7o1j4axe4UcvFerOhOLWGI
=AsPO
-----END PGP SIGNATURE-----
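The point of the reply (an "h" object stays hidden no matter what other flags sit beside it, and "rx" still grants no write) can be made concrete with a small model of how a subject's object list is matched against a path. The following Python is an added example for this thread; it is not grsecurity code and not code posted by either list member. It assumes that objects apply to a path by longest matching prefix (the rule grsecurity's RBAC uses for subject objects), that r/w/x/h mean read, write, execute and hidden, and that any other flag, "s" included, is merely recorded and plays no part in the decision. The two policy snippets are constructed for the demo, modelled on the ones in the thread.

```python
"""Toy model of grsecurity RBAC object-mode matching (added example, not grsecurity code).

Assumptions (labelled here and in the lead-in): longest-prefix object matching;
r/w/x/h = read/write/execute/hidden; every other flag, including "s", is kept
on the object but does not change the access decision.
"""
from dataclasses import dataclass, field


@dataclass
class Object:
    path: str
    modes: str


@dataclass
class Subject:
    path: str
    objects: list = field(default_factory=list)


def parse_subject(text: str) -> Subject:
    """Parse one 'subject PATH { ... }' block in the policy syntax shown in the reply.

    Capability lines (-CAP_*) and socket lines (bind/connect) are skipped: only
    filesystem objects are modelled here.
    """
    lines = [ln.split('#', 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    head = lines[0]
    if not (head.startswith('subject ') and head.endswith('{')):
        raise ValueError('expected a subject block, got: %r' % head)
    subj = Subject(head[len('subject '):-1].strip())
    for ln in lines[1:]:
        if ln == '}':
            break
        parts = ln.split()
        if parts[0].startswith('-') or parts[0] in ('bind', 'connect'):
            continue
        modes = parts[1] if len(parts) > 1 else ''   # no flags at all = no access
        subj.objects.append(Object(parts[0], modes))
    return subj


def match_object(subject: Subject, path: str):
    """Return the object whose path is the longest prefix of `path`, or None."""
    best = None
    for obj in subject.objects:
        subtree = obj.path.rstrip('/') + '/'
        if path == obj.path or path.startswith(subtree):
            if best is None or len(obj.path) > len(best.path):
                best = obj
    return best


def check(subject: Subject, path: str, want: str) -> str:
    """Decide 'hidden', 'denied' or 'allowed' for access `want` ('r', 'w' or 'x')."""
    obj = match_object(subject, path)
    if obj is None:
        return 'denied'           # nothing in the policy covers this path
    if 'h' in obj.modes:
        return 'hidden'           # the process sees the path as non-existent
    return 'allowed' if want in obj.modes else 'denied'


# Constructed policy 1: the situation from the original post, /root marked "hs".
HIDDEN_ROOT = """
subject / {
        /       r
        /root   hs
        -CAP_ALL
        bind    disabled
        connect disabled
}
"""

# Constructed policy 2: the fix suggested in the reply, plus an "rx" object
# to show that execute does not imply write.
FIXED_ROOT = """
subject / {
        /       r
        /root   r
        /sbin/gradm rx
        -CAP_ALL
}
"""


def demo() -> dict:
    """Evaluate the claims made in the reply against both constructed policies."""
    hidden = parse_subject(HIDDEN_ROOT)
    fixed = parse_subject(FIXED_ROOT)
    return {
        'hs_still_hides':    check(hidden, '/root', 'r'),
        'hs_hides_children': check(hidden, '/root/.bashrc', 'r'),
        'r_allows_read':     check(fixed, '/root', 'r'),
        'r_denies_write':    check(fixed, '/root', 'w'),
        'rx_allows_exec':    check(fixed, '/sbin/gradm', 'x'),
        'rx_denies_write':   check(fixed, '/sbin/gradm', 'w'),
    }


if __name__ == '__main__':
    for name, verdict in demo().items():
        print('%-20s %s' % (name, verdict))
```

Running it shows the first policy reporting `/root` (and anything beneath it) as hidden despite the extra "s", which is exactly why gradm's own access to `/root` was being refused in the log line the original poster quoted; the second policy reads `/root` but still refuses writes, and the "rx" object executes but does not write.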