bedtime (n00b)
Joined: 19 Dec 2012 Posts: 71
Posted: Wed Jun 07, 2017 11:44 am Post subject: [SOLVED] grsecurity: Warning: permission for symlink...
Upon activating RBAC I get:
Code: | tux grsec # gradm -E
Warning: permission for symlink /proc/self in role andre, subject / does not match that of its matching target object /proc. Symlink is specified on line 82 of /etc/grsec/policy. |
The system seems to work with RBAC enabled; it blocks applications that I did not use in the 'learning mode' phase, but I would like to fix that error because something under the hood is likely to be off.
Here is /etc/grsec/policy (line 82 is tabbed with several 'x' characters for you to see it more easily; it does not have those 'x' characters in the original file):
Code: |
# policy generated from full system learning
define grsec_denied {
/boot h
/dev/grsec h
/dev/kmem h
/dev/mem h
/dev/port h
/etc/grsec h
/proc/kcore h
/proc/slabinfo h
/proc/modules h
/proc/kallsyms h
/lib/modules hs
/lib64/modules hs
/etc/ssh h
}
role admin sA
subject / rvka
/ rwcdmlxi
role shutdown sARG
subject / rvka
/
/dev
/dev/urandom r
/dev/random r
/etc r
/bin rx
/sbin rx
/lib rx
/lib64 rx
/usr rx
/proc r
$grsec_denied
-CAP_ALL
connect disabled
bind disabled
role default
subject /
/ h
-CAP_ALL
connect disabled
bind disabled
role andre u
role_allow_ip 0.0.0.0/32
# Role: andre
subject / {
/
/boot h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null r
/dev/port h
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/andre rwcd
/lib/modules h
/lib64 rx
/lib64/modules h
/proc rw
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /proc/self xxxxxxxxxxxxxxxxxxxxxxxx
/proc/slabinfo h
/proc/sys h
/run
/sys h
/usr h
/usr/bin rx
/usr/lib64 rx
/usr/libexec h
/usr/libexec/gvfsd-metadata x
/usr/libexec/gvfsd-trash x
/usr/local
/usr/share r
/var
/var/backups h
/var/cache h
/var/cache/fontconfig r
/var/log h
-CAP_ALL
bind disabled
connect disabled
}
# Role: andre
subject /usr/bin/Xorg o {
/ h
/home/andre/.serverauth.6431
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
-CAP_ALL
+CAP_IPC_OWNER
+CAP_SYS_ADMIN
bind disabled
connect disabled
}
# Role: andre
subject /usr/bin/qemu-system-x86_64 o {
/ h
/etc/resolv.conf r
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
connect 24.226.16.122/32:80 stream tcp
connect 192.168.0.1/32:53 dgram udp
}
# Role: andre
subject /usr/lib64/firefox/firefox o {
/
/boot h
/dev h
/dev/dri
/dev/dri/card0 rw
/dev/null w
/dev/sda4
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/andre r
/home/andre/.cache rwcd
/home/andre/.config
/home/andre/.config/dconf/user r
/home/andre/.config/gtk-3.0/settings.ini r
/home/andre/.config/mimeapps.list r
/home/andre/.fontconfig h
/home/andre/.fontconfig/477ff6b974c3c1b81af411ebecb34280-le64.cache-4 r
/home/andre/.fontconfig/99f7fb20887fa21bf61249bf6299a9fd-le64.cache-4 r
/home/andre/.fonts
/home/andre/.fonts/Xolonium-Regular.ttf r
"/home/andre/.fonts/atari full.ttf" r
/home/andre/.fonts/tahoma_bold.ttf r
/home/andre/.local h
/home/andre/.local/share
/home/andre/.mozilla r
/home/andre/.mozilla/firefox r
/home/andre/.mozilla/firefox/bwk9ujuj.default rwcd
/lib/modules h
/lib64 rx
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/run
/run/user
/run/user/1000
/run/user/1000/dconf
/run/user/1000/dconf/user rw
/sys h
/sys/devices/system/cpu/online r
/sys/devices/system/cpu/present r
/tmp wcd
/usr
/usr/bin
/usr/lib64 rx
/usr/local
/usr/share r
/usr/src h
/var
/var/backups h
/var/cache h
/var/cache/fontconfig r
/var/log h
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
connect 0.0.0.0/0:0 stream dgram tcp udp
connect 0.0.0.0/0:443 stream dgram tcp udp
connect 0.0.0.0/0:80 stream dgram tcp udp
connect 0.0.0.0/0:53 stream dgram tcp udp
sock_allow_family ipv6 netlink
}
# Role: andre
subject /usr/lib64/thunderbird/thunderbird o {
/
/boot h
/dev h
/dev/dri
/dev/dri/card0 rw
/dev/null w
/dev/sda4
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/home
/home/andre r
/home/andre/.cache rw
/home/andre/.config h
/home/andre/.config/dconf/user r
/home/andre/.fontconfig h
/home/andre/.fontconfig/99f7fb20887fa21bf61249bf6299a9fd-le64.cache-4 r
/home/andre/.fonts
"/home/andre/.fonts/atari full.ttf" r
/home/andre/.local h
/home/andre/.local/share/icons
/home/andre/.mozilla h
/home/andre/.mozilla/extensions
/home/andre/.thunderbird r
/home/andre/.thunderbird/8v267q25.default rwcd
/home/andre/.thunderbird/8v267q25.default/extensions
/home/andre/documents rw
/lib/modules h
/lib64 rx
/lib64/modules h
/proc r
/proc/bus h
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys h
/run
/run/user
/run/user/1000
/run/user/1000/dconf
/run/user/1000/dconf/user rw
/sys h
/sys/devices/system/cpu/online r
/sys/devices/system/cpu/present r
/usr
/usr/bin
/usr/lib64 rx
/usr/local
/usr/share r
/usr/src h
/var
/var/backups h
/var/cache h
/var/cache/fontconfig r
/var/log h
-CAP_ALL
bind 0.0.0.0/32:0 dgram ip
connect 24.226.16.121/32:0 dgram udp
connect 24.226.16.125/32:0 stream dgram tcp udp
connect 24.226.16.125/32:80 stream dgram tcp udp
connect 82.94.249.234/32:993 stream tcp
connect 192.168.0.1/32:53 dgram udp
sock_allow_family ipv6 netlink
}
role root uG
role_transitions admin shutdown
role_allow_ip 0.0.0.0/32
# Role: root
subject / {
/ h
/dev/initctl
/sbin/gradm x
-CAP_ALL
bind disabled
connect disabled
}
|
Any ideas? I am new to grsecurity.
[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]
Last edited by bedtime on Tue Jun 13, 2017 5:58 pm; edited 1 time in total |
bedtime (n00b)
Posted: Wed Jun 07, 2017 9:00 pm Post subject:
I changed line 82 of /etc/grsec/policy from,
to,
... and now there is no error, but this is not an acceptable solution, as I have no idea why this has happened or what the consequences of changing that setting are. Also, just commenting out line 82 seems to work with no error,
Here are the permissions for /proc/self:
Code: | # ls -l /proc/self
lrwxrwxrwx 1 root root 0 Jun 7 16:41 /proc/self -> 3746 |
Do I match the permissions according to the symlink or according to the file (/etc/grsec/policy), or am I way off on both accounts? |
bedtime (n00b)
Posted: Tue Jun 13, 2017 5:57 pm Post subject:
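The warning is a consistency check, not a complaint about the filesystem bits that ls prints: gradm looks at each object in a subject that is a symlink on the running system, resolves the link, finds the object in the same subject that governs the resolved path (RBAC picks the longest object path that is a prefix of the path on a component boundary), and warns when the symlink object's mode differs from that object's mode. Here /proc/self resolves to /proc/<pid>, which no object names, so it is governed by "/proc rw", and the symlink object on line 82 has to be "rw" as well (or be absent, in which case /proc/self itself falls under "/proc rw" and nothing can disagree, which is why commenting the line out also silences the warning). The following Python script is an added illustration of that check, not code from the post or from gradm: it assumes a constructed excerpt of the posted policy in which the mode on the /proc/self line is taken to be "r" (the original line is not shown), and a constructed link map (/proc/self -> 3746 from the post, plus an assumed /lib64 -> usr/lib64 as a link whose modes already agree) in place of os.readlink so it runs offline; live_readlink is the resolver to use against a real /etc/grsec/policy.

```python
"""Reimplementation, for illustration, of the consistency check behind gradm's
"permission for symlink ... does not match that of its matching target object"
warning: a symlink object must carry the mode of the object that governs the
link's target inside the same subject."""
import os
import re
import shlex
from typing import Callable, List, NamedTuple, Optional

class Obj(NamedTuple):
    path: str
    mode: str   # gradm mode letters, "" when the object line carries none
    line: int   # 1-based line number in the policy text

class Subject(NamedTuple):
    role: str
    path: str
    objects: List[Obj]

class Mismatch(NamedTuple):
    role: str
    subject: str
    link: Obj
    target: Obj

# Constructed excerpt of the posted policy; "/proc/self r" is an assumed mode.
SAMPLE_POLICY = """\
role andre u
role_allow_ip 0.0.0.0/32
# Role: andre
subject / {
    /
    /dev
    /dev/null r
    /home/andre rwcd
    "/home/andre/.fonts/atari full.ttf" r
    /lib64 rx
    /proc rw
    /proc/bus h
    /proc/self r
    /proc/sys h
    /usr h
    /usr/bin rx
    /usr/lib64 rx
    -CAP_ALL
    bind disabled
    connect disabled
}
# Role: andre
subject /usr/bin/Xorg o {
    / h
    /proc r
    -CAP_ALL
}
"""

# Constructed stand-in for os.readlink: /proc/self -> 3746 is from the post,
# /lib64 -> usr/lib64 is an assumed layout showing a link whose modes agree.
SAMPLE_LINKS = {"/proc/self": "3746", "/lib64": "usr/lib64"}

# Lines inside a subject block that are not filesystem objects.
_NON_OBJECT = re.compile(r"^(?:[-+]CAP_|bind\b|connect\b|sock_allow_family\b|\$|role_)")

def parse_policy(text: str) -> List[Subject]:
    """Collect the objects of every subject. Handles 'subject / {' blocks and
    the brace-less form; define { ... } macro blocks are skipped."""
    subjects: List[Subject] = []
    role, current, in_define = "", None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_define:
            in_define = line != "}"
            continue
        if line.startswith("define "):
            in_define = not line.endswith("}")
            continue
        if line == "}":
            current = None
            continue
        words = shlex.split(line)          # keeps "paths with spaces" as one word
        if words[0] == "role":
            role, current = words[1], None
        elif words[0] == "subject":
            current = Subject(role, words[1], [])
            subjects.append(current)
        elif current is not None and not _NON_OBJECT.match(line):
            current.objects.append(Obj(words[0], words[1] if len(words) > 1 else "", lineno))
    return subjects

def match_object(objects: List[Obj], path: str) -> Optional[Obj]:
    """Longest-prefix match on path components: the object RBAC applies to path."""
    best = None
    for obj in objects:
        if path == obj.path or path.startswith(obj.path.rstrip("/") + "/"):
            if best is None or len(obj.path) > len(best.path):
                best = obj
    return best

def check_symlinks(text: str, readlink: Callable[[str], Optional[str]]) -> List[Mismatch]:
    """readlink(path) returns the link target (possibly relative) or None for a
    non-link. Modes are compared as sets, so 'rw' and 'wr' count as equal."""
    found: List[Mismatch] = []
    for subj in parse_policy(text):
        for obj in subj.objects:
            target = readlink(obj.path)
            if target is None:
                continue
            resolved = os.path.normpath(os.path.join(os.path.dirname(obj.path), target))
            governing = match_object(subj.objects, resolved)
            if governing is not None and set(governing.mode) != set(obj.mode):
                found.append(Mismatch(subj.role, subj.path, obj, governing))
    return found

def align_symlink_modes(text: str, readlink: Callable[[str], Optional[str]]) -> str:
    """Rewrite each mismatching symlink object to carry its target's mode."""
    lines = text.splitlines()
    for m in check_symlinks(text, readlink):
        old = lines[m.link.line - 1]
        indent = old[: len(old) - len(old.lstrip())]
        path = f'"{m.link.path}"' if " " in m.link.path else m.link.path
        lines[m.link.line - 1] = f"{indent}{path} {m.target.mode}".rstrip()
    return "\n".join(lines) + "\n"

def sample_readlink(path: str) -> Optional[str]:
    return SAMPLE_LINKS.get(path)

def live_readlink(path: str) -> Optional[str]:
    """Resolver for a real system, to use with the real /etc/grsec/policy."""
    try:
        return os.readlink(path)
    except OSError:
        return None

if __name__ == "__main__":
    for m in check_symlinks(SAMPLE_POLICY, sample_readlink):
        print(f"Warning: permission for symlink {m.link.path} in role {m.role}, subject "
              f"{m.subject} does not match that of its matching target object "
              f"{m.target.path} ({m.link.mode or 'none'} vs {m.target.mode}); line {m.link.line}")
    print(align_symlink_modes(SAMPLE_POLICY, sample_readlink), end="")
```

Run against the excerpt it reports the single /proc/self mismatch on line 13 of the sample and prints the policy with that line changed to "/proc/self rw"; the Xorg subject, which has "/proc r" and no /proc/self object, produces nothing. Deleting the symlink line is the other option when, as with /proc/self, the link path would then match the same object as its target, but that is not true of every symlink (dropping "/lib64 rx" would leave /lib64 governed by "/" while /usr/lib64 keeps "rx"), so aligning the mode is the safer general fix.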
Found a solution that works for me. It involves deleting a few files first and then activating the learning process. I'm not at all sure why this works, but it does.
As this is a tedious process to do each time, I have made a very amateur script to simplify the process. I post it for my own future reference and for anyone who happens to find themselves in the same situation as myself:
Code: | #!/bin/bash
# Re-run grsecurity RBAC full-system learning from scratch and enable the result.
# Must run as root; gradm prompts for the RBAC password where it needs one.

# Clear the screen to make it more readable
clear

[ "$(id -u)" -eq 0 ] || { echo "Run this script as root." >&2; exit 1; }

# Disable grsecurity if needed
#echo
#echo "Enter your password to disable grsecurity:"
#echo
#gradm -D

# Comment out if you would like to add on to your last policy
# (-f: do not fail when the files do not exist yet, e.g. on the first run)
echo
echo "Deleting old learning.log and policy..."
rm -f /etc/grsec/learning.log
rm -f /etc/grsec/policy

echo "Starting Learning mode..."
echo
gradm -F -L /etc/grsec/learning.log || { echo "gradm could not start learning mode." >&2; exit 1; }

# Wait until any key is pressed to continue
echo
echo "***************************************************************************"
echo "* *"
echo "* L E A R N I N G M O D E H A S S T A R T E D ! *"
echo "* *"
echo "* ... *"
echo "* *"
echo "* To STOP learning mode press any key and then enter password. *"
echo "* *"
echo "***************************************************************************"
echo
read -p "" -n1 -s

# Disable protection (to stop the learning process)
echo "Stopping learning mode..."
gradm -D

# Turn the learning log into a policy and install it with root-only permissions
echo
echo "Arranging files..."
gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles || { echo "Policy generation failed." >&2; exit 1; }
mv /etc/grsec/learning.roles /etc/grsec/policy
chmod 0600 /etc/grsec/policy

echo
echo "Activating protection..."
echo
echo "Enter 'gradm -D' to stop protection."
gradm -E
echo
|
Save the above as 'learn' and give it root read/write/executable permissions:
Run it:
As you can see, this script is not very advanced, and it has no error catching, but it works for me. I may update it as I learn more about scripting if there is interest. |