Hello again...
I just re-read your original message and am still not entirely sure what
you're trying to do here. If you _want_ to have directories like /boot
and /root hidden from the root role/user via RBAC, then you should
probably hide/suppress ("hs") them in the "subject" section for bash,
which is what is calling `gradm`.
I'm not entirely sure, but you may need to add these flags to the subject
for /sbin/gradm as well as /bin/bash (in root's role).
As far as there being an instance already running, are you perhaps trying
to run gradm in learning mode while the RBAC system is already active?
Hrm...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Sun, 23 Nov 2008, brant williams wrote:
Date: Sun, 23 Nov 2008 16:38:16 -0600 (CST)
From: brant williams <[EMAIL PROTECTED]>
Reply-To: gentoo-hardened@lists.gentoo.org
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Grsecurity: Role flag "G" problem
Why would you specify "hs" for /root in the root policy? The "h" flag
will hide that path from the role. You probably want something like:
role root uG
subject / {
	/ r
	#
	# (other filesystem paths and permissions here)
	#
	/root r
	# capabilities, etc, here
	-CAP_ALL
	bind disabled
	connect disabled
}
Replacing the object flag "h" with "hs" will still hide things. ;) In
the same way, changing from "x" to "rx" will still not allow you to write
to the file.
You might want to take a look at this[1] link...
[1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes
Hope that helps...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Sun, 23 Nov 2008, [EMAIL PROTECTED] wrote:
Date: Sun, 23 Nov 2008 10:48:51 +0100 (CET)
From: [EMAIL PROTECTED]
Reply-To: gentoo-hardened@lists.gentoo.org
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Grsecurity: Role flag "G" problem
Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some
error messages are logged every time I authenticate myself as root.
"
Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
"
Role flag "G" is specified for root in order to make this user able to
authenticate using gradm. Some directories - including boot - are hidden.
No matter if I replace "h" with "hs" for role root, these messages still get
logged. If I try to create a policy for gradm, grsec reports that I've
tried to modify an already existing instance - which is probably included
because of role flag "G", but the exact contents are hidden.
This behavior appeared recently.
Did I miss something?
Any ideas on this are greatly appreciated.
Is it discouraged to authenticate using gradm while logged in as root?
Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
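The denial line quoted in the question is the kind of entry an operator has to sort through when tuning an RBAC policy. Below is an added example (not code from this thread) that parses grsec "denied access to hidden file" log lines and tells the symptom described here (the gradm subject in the root role tripping over a hidden object) apart from other uid-0 denials; the field names, the classification labels and the sample log are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the grsec RBAC "denied access to hidden file" message quoted in the thread.
GRSEC_DENY = re.compile(
    r"grsec: \((?P<role>[^:]+):[A-Z]:(?P<subject>[^)]+)\) "
    r"denied access to hidden file (?P<obj>\S+) "
    r"by (?P<proc>\S+)\[[^:\]]+:(?P<pid>\d+)\] uid/euid:\d+/(?P<euid>\d+) "
    r"gid/egid:\d+/\d+, parent (?P<parent>\S+)\[[^:\]]+:(?P<ppid>\d+)\]"
)

@dataclass
class Denial:
    role: str
    subject: str
    obj: str
    proc: str
    euid: int
    parent: str

def parse_denial(line: str) -> Optional[Denial]:
    """Return the parsed denial, or None when the line is not one."""
    m = GRSEC_DENY.search(line)
    if m is None:
        return None
    return Denial(m["role"], m["subject"], m["obj"], m["proc"],
                  int(m["euid"]), m["parent"])

def classify(d: Denial) -> str:
    """Separate the thread's symptom (gradm hitting a hidden object in the root role) from others."""
    if d.subject == "/sbin/gradm" and d.role == "root":
        return f"policy: grant the /sbin/gradm subject access to {d.obj}"
    if d.euid == 0:
        return f"review: uid-0 {d.proc} (parent {d.parent}) denied hidden {d.obj}"
    return f"denial: {d.proc} denied hidden {d.obj}"

def triage(lines: List[str]) -> List[str]:
    """Classify every grsec hidden-file denial found in the given log lines."""
    return [classify(d) for d in map(parse_denial, lines) if d is not None]

# Constructed sample: the thread's log line joined onto one line, plus an
# unrelated line that must be ignored.
SAMPLE_LOG = [
    "Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to hidden file /root"
    " by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:7033]"
    " uid/euid:0/0 gid/egid:0/0",
    "Nov 23 10:12:05 hostname kernel: unrelated message",
]
```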