
I do not understand GrSecurity's RBAC-System with gradm


Post by GOS » Sun Oct 04, 2015 1:22 pm

Hey guys,

Recently I switched to the hardened profile and activated GrSecurity's kernel features including PaX. Except for some small problems related to Python 2.7, my Xfce desktop works well after exchanging icedtea-java by oracle java. :lol:

However, the only remaining feature I have not activated until now is GrSec's RBAC with gradm. This is because I do not really understand how it works (I looked e.g. at GrSec's Wiki-book, Gentoo wiki, Arch wiki and https://forums.gentoo.org/viewtopic-t-8 ... +rbac.html). Some questions for me are:

1) Why are there different "roles" for gradm (admin, shutdown, masterpassword)? Are the mentioned ones all, or are there more "password secured roles" for gradm?
2) Why is RBAC activated with "gradm -E" and disabled with "gradm -D" and not via a daemon? Is there a standard way to start it during boot and disable it during shutdown?
3) Does RBAC also restrict root? If yes, is there a possibility to get "unrestricted root access"? Is this question related to the "admin role" of gradm?

Hopefully my questions are not too stupid.

Cheers! GOS

PS: Is it (as a last resort) possible to exchange GrSec's RBAC for AppArmor or something similar, or does one lose some functionality here?

Post by miroR » Wed Oct 07, 2015 12:09 pm

GOS wrote:
> Hey guys,
>
> Recently I switched to the hardened profile and activated GrSecurity's kernel features including PaX. Except for some small problems related to Python 2.7, my Xfce desktop works well after exchanging icedtea-java by oracle java. :lol:

What do you mean with "icedtea-java by oracle java"? I'm not completely sure, so, pls. did you get rid of icedtea-java and install Larry Oracle's java?
If so, it is like exchanging a good thing with something very doubtful.

> However, the only remaining feature I have not activated until now is GrSec's RBAC with gradm.

Learning gradm took me a lot of time. Just keep up. Because grsec is well worth it. All the wikibook, I'm sure you stumbled upon it, but, OK, I'll find the link:

https://en.wikibooks.org/wiki/Grsecurity

All the wikibook needs to become pretty familiar to you, well, most of it, to successfully deploy grsec.

> This is because I do not really understand how it works (I looked e.g. at GrSec's Wiki-book, Gentoo wiki, Arch wiki and https://forums.gentoo.org/viewtopic-t-8 ... +rbac.html).

And esp. the good news by spender (the main developer) at:
RBAC startup and shutdown included in policy?
http://forums.grsecurity.net/viewtopic.php?f=5&t=2248

makes me happy. But, for you...

> Some questions for me are:
>
> 1) Why are there different "roles" for gradm (admin, shutdown, masterpassword)? Are the mentioned ones all, or are there more "password secured roles" for gradm?
> 2) Why is RBAC activated with "gradm -E" and disabled with "gradm -D" and not via a daemon? Is there a standard way to start it during boot and disable it during shutdown?
> 3) Does RBAC also restrict root? If yes, is there a possibility to get "unrestricted root access"? Is this question related to the "admin role" of gradm?

[But, for you...], I must repeat: study the wikibook linked above.

Then you will figure out yourself that the answers are:

2) No starting grsec with init services. Not recommended. I think it's in the /etc/grsec/learn_config, where it used to read (and does in my install):
# comment them out if you are starting learning before services are started by init
# (a highly non-recommended choice)
But actually you speak of activating it when the learning has already been done. No, I don't know of such a method.

3) Yes, RBAC restricts also root. No. Use the admin role for that.

But, again, study the wikibook linked above. Then you will figure it all out yourself.

> Hopefully my questions are not too stupid.

No, not stupid. But, you see, you get NSA-Linux, erhm, I meant SELinux for newbies to install and use foolproof, but, sadly, there is too little dev power in marvelous programs like grsecurity...

Regardless of that, I can tell that grsecurity does a really good job on my system, and any advanced user (lots of people in Gentoo use it), will tell you that.

> Cheers! GOS
>
> PS: Is it (as a last resort) possible to exchange GrSec's RBAC for AppArmor or something similar, or does one lose some functionality here?

No, not possible, AFAICT. But anyway, going for any other hardening than grsecurity is like ditching gold for junk.

Regards!
Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)

Post by GOS » Mon Oct 12, 2015 12:53 pm

Thanks for your answer. I downloaded the GrSec-Wiki documentation as PDF and realized that there is some more stuff to read. I think I got it now.

About Java:

Until now I used icedtea-bin for Java 1.7, but this leads to failures related to PaX. For example, LibreOffice Base cannot connect to the Java engine, because PaX prevents this. With Oracle's JDK this is different, because Oracle's PaX flags are set correctly by default.

Because only Oracle provides Java 1.8, one Oracle engine is already installed, and so I decided to exchange the icedtea-7 engine in favor of Oracle's 1.7 engine and now everything works.

Thanks again.

Post by miroR » Thu Oct 15, 2015 10:23 pm

GOS wrote:
> Thanks for your answer. I downloaded the GrSec-Wiki documentation as PDF and realized that there is some more stuff to read. I think I got it now.
>
> About Java:
>
> Until now I used icedtea-bin for Java 1.7, but this leads to failures related to PaX. For example, LibreOffice Base cannot connect to the Java engine, because PaX prevents this. With Oracle's JDK this is different, because Oracle's PaX flags are set correctly by default.
>
> Because only Oracle provides Java 1.8, one Oracle engine is already installed, and so I decided to exchange the icedtea-7 engine in favor of Oracle's 1.7 engine and now everything works.
>
> Thanks again.

You are most welcome. (and sorry I've been off all this time).

I can't find it now, short on time, but there is a tip by someone on Java.

It must be possible to get the good Java, which is IcedTea, installed, and to remove the bad Java, the Larry Oracle's own Java (now, just like MySQL, and other formerly true, and not just nominally so Free Open Source Software programs)....

Search the Forums by icedtea and java. Must be easy to find...

Regards!

Post by miroR » Fri Oct 16, 2015 10:19 am

GOS wrote:
> About Java:
>
> Until now I used icedtea-bin for Java 1.7, but this leads to failures related to PaX. For example, LibreOffice Base cannot connect to the Java engine, because PaX prevents this.

I have both LibreOffice and IcedTea installed, and have no issues with PaX working out-of-the-box with them.

GOS wrote:
> With Oracle's JDK this is different, because Oracle's PaX flags are set correctly by default.
>
> Because only Oracle provides Java 1.8, one Oracle engine is already installed, and so I decided to exchange the icedtea-7 engine in favor of Oracle's 1.7 engine and now everything works.

I searched for it and found the tip (that I mention in my just previous post in this topic):

How to avoid Oracle's JAVA
https://forums.gentoo.org/viewtopic-t-1015568.html

I frankly don't even remember more about it right away, just that it was a really useful tip, and helped me get rid of the Oracle Java.

(and info is always there for other users to help them in their quests, if GOS should happen to not be around to read here (soon)).

Regards!

Post by miroR » Fri Oct 16, 2015 10:35 am

BTW, GOS, you don't have to mark this topic as [SOLVED]. The gradm is by far the hardest thing, if not the only hard thing to do, for newbies, with grsecurity. There will be other newbies coming to read here.

And, important thing for newbies to know:

grsecurity fixes most of the holes in the kernel anyway (some of them something like deliberately set in, such as hooks in the kernel you can read about in my signature), via its patching the kernel.

That means even if you don't deploy gradm numerous holes in the kernel will anyway be closed....

Just not all... The remaining ones are closed with gradm.

So: it's worth installing grsecurity even without deploying gradm, and slowly learn to deploy it. It took me quite a few weekends to learn to deploy it and learn to use it, sparsed over quite a number of months.

( And in the meantime, I had got a huge following, because grsecurity is very much in demand by the thinking newbies, in my tip on Debian Forums:

Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php?f=16&t=108616
)

Regards!

Post by GOS » Mon Oct 19, 2015 11:14 am

Thanks a lot.

I will try to get rid of Oracle's Java.

Additionally I will tackle the RBAC/gradm thing in the near future, but at the moment I am testing whether the rest of my system works well with the rest of GrSec's features, until there are no remaining problems.

At the moment the only thing I have issues with is VirtualBox.

Best regards
GOS

PS: If someone is using Maxima / wxMaxima: At the moment it does not work with the stable sbcl (1.1.18). But with the testing version (1.2.16) everything is fixed ;-)

Post by krinn » Mon Oct 19, 2015 11:31 am

miroR wrote:
> BTW, GOS, you don't have to mark this topic as [SOLVED]. The gradm is by far the hardest thing, if not the only hard thing to do, for newbies, with grsecurity. There will be other newbies coming to read here.

Bad one miroR, if anyone searches for something, they are not seeking to see how others are having a problem and have no way to solve it.
They are seeking how others had a similar problem as them, and found a solution for it.

So if you want to help someone, search for topics without solved.
And if you want to help yourself, search for topics with solved.

The solved is just a text, it doesn't filter out answers from the search engine; making a topic solved has no issue with the search itself, but should help your newbies to come here to get a real answer to their problem.

Post by miroR » Fri Oct 23, 2015 12:10 pm

krinn wrote:
> miroR wrote:
> > BTW, GOS, you don't have to mark this topic as [SOLVED]. The gradm is by far the hardest thing, if not the only hard thing to do, for newbies, with grsecurity. There will be other newbies coming to read here.
>
> Bad one miroR, if anyone searches for something, they are not seeking to see how others are having a problem and have no way to solve it.
> ...

No, you're not right, as often you have not been, when we met here.

IMO, this should stand without the mark SOLVED, because it is a typical issue with grsecurity.

And the title of the topic will continue to be inviting to newbies, and offering easy reference because it is, as I explained, the one, if not the only, really hard thing for newbies to accomplish, when they want to deploy the best security for FOSS Linux there is: the grsecurity.

Pls. leave it there, your opinion has been read.

And if anyone intends to discuss the [SOLVED]-to-add-in-the-title advice, or [SOLVED]-not-to-add-in-the-title advice, then the place to do it is not anymore here, but please do open a separate topic. I'll contribute to it, when I find time, I promise.

I won't reply here if anyone wishes to go on on that side issue which would be a very typical bikeshed issue.

My last advice, should that happen, is, pls. newbies take good notice that you can easily install grsecurity, and learn gradm in slow time, it's worth it, just as I explained in my previous post to this. Remember that.

Thank you!

Post by miroR » Sun Oct 25, 2015 4:51 pm

I just linked to this topic from:

Tips on Grsecurity installation for Gentoo newbies
http://forums.grsecurity.net/viewtopic. ... 699#p15699

The tone of that post is to this tune:
Anyway, I thought that newbies need to not (kind of) fear installing grsecurity...
And newbies can find just a tiny little more there too (some new emphases).

Regards!

Post by miroR » Sat Oct 31, 2015 7:25 pm

Important, in my view, for newbies to know, is some of the information that can be found here.

NSA SELinux Support???
https://forums.gentoo.org/viewtopic-t-984066.html

Also important, but sad, and I hope, just a passing crippling state, that could affect some users of grsecurity, and I am telling you, kind readers who are seeking information like GOS, because I always do my best to not hide important information...

Also important is to know the current trouble the grsecurity is passing (I hope it will go for the better):

grsecurity withdrew support for stable; who did it to them?
https://forums.gentoo.org/viewtopic-t-1031476.html

The thing about FOSS Linux is, if grsecurity should fail in some way to be available for FOSS Linux users, the security in FOSS Linux for non-expert users would be very very hard to achieve. I am talking about true security, defence from surveillance, true privacy, true freedom of movement on the internet.

Regards!

Post by GOS » Fri Nov 06, 2015 12:19 pm

I would like to thank you again!!! There was a bunch of useful information for me.

At the moment I am on the way to a hardened system. I think it is not the easiest thing, but it is worth the effort.

Additionally I noticed this Quickstart Guide in the forum "https://forums.gentoo.org/viewtopic-t-8 ... rting.html". Therefore one further question: Adding gradm -E to startup seems to be easy, but what about shutdown? Should one take care of that with something like executing gradm -D at shutdown? What is in this case with the gradm -D password?

Regards
GOS

Post by miroR » Sun Nov 29, 2015 10:29 am

GOS wrote:
> I would like to thank you again!!! There was a bunch of useful information for me.
>
> At the moment I am on the way to a hardened system. I think it is not the easiest thing, but it is worth the effort.
>
> Additionally I noticed this Quickstart Guide in the forum "https://forums.gentoo.org/viewtopic-t-8 ... rting.html". Therefore one further question: Adding gradm -E to startup seems to be easy, but what about shutdown? Should one take care of that with something like executing gradm -D at shutdown? What is in this case with the gradm -D password?
>
> Regards
> GOS

Ouch, let me apologize again for not seeing your question. I'm very slow at work, and often overwhelmed with what I want to do.

Allow me to give you just my honest admission that, while I have seen somewhere [*], spender announcing this issue solved, in the sense that issuing:

Code:

# gradm -D

before shutdown/restart is not anymore needed (since some recent grsec version), I haven't applied the solution to that issue yet for myself.

The "solution" (which you also mention) is what I still apply: I disable grsecurity and only then do I issue either, say:

Code:

# shutdown -h 0

or if I need to restart the system (maybe for dual boot or other), then, say:

Code:

# shutdown -r 0

And allow me to thank you! I'm not very advanced. The "feathers" of leet is because of the number of posts, it's automatic, not by merit. But I did get some appreciation, and some flak, often for the same ideas, the appreciation and the flak, by some and by some other users, in the past and currently. In the past on dbus and poetterware removal and why, on Air-Gapped, and on grsecurity, and on censorship, as I'm pretty strong on trying to tell users about surveillance and what is good for privacy... And currently I have a little hard time as well... [**]
---
[*] You can read:
the main grsec developer spender wrote: Hi, good news! I've just finished writing up a feature that should prevent shutdown/reboot from being a hassle in RBAC.
(but only now I see that tip is years old) and it actually links from the HOWTO: Grsecurity quickstarting RBAC roles for Gentoo (x86) by schmeggahead.

[**] Just the latest link, with the flak, and very little defence for me:
Undecipherable posts and a call for moderator action
https://forums.gentoo.org/viewtopic-t-1032278.html

The "Air-Gapped Gentoo Install, Tentative" "Uninstalling dbus and *kits (to Unfacilitate Remote Seats)" should be findable by the topic title.