Package: linux-grsec-base
Version: 5
Severity: normal
Tags: newcomer
Dear Maintainer,
Been playing with the grsec kernel that recently landed in sid
(linux-image-4.3.0-1-grsec-amd64). One issue I discovered is that the RBAC is
disabled in the kernel configuration.
This also means that the gradm utility (a package recommended by
linux-grsec-base, also in the repos as 'gradm2') is unusable, since the
/dev/grsec device is not exposed:
# gradm -P admin
Could not open /dev/grsec.
open: No such file or directory
The grsecurity RBAC (role-based access control)
<https://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System> is pretty
powerful and has some aspects that make it a superior solution to
AppArmor, SELinux, etc. in this writer's humble opinion.
I think there is no harm at all in leaving it enabled so that users can
take advantage of it if they wish.
This can be solved by removing the following line (6916) from the kernel
configuration, and rebuilding:
CONFIG_GRKERNSEC_NO_RBAC=y
-- System Information:
Debian Release: stretch/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-grsec-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
linux-grsec-base depends on no packages.
Versions of packages linux-grsec-base recommends:
ii gradm2 3.1~201507191652-1
ii pax-utils 1.1.4-1
ii paxctl 0.9-1
linux-grsec-base suggests no packages.
-- Configuration Files:
/etc/sysctl.d/grsec.conf changed [not included]
-- no debconf information
--
Twitter: @ageis
XMPP: [email protected]
OTR: 40BDF095 F9968FB2 9E576C9B CFFCAE2E 3740EE04
GPG: 0xB604C32AD5D7C6D8
(415)-767-5566 ext. 13
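
A check for the condition described in this report, as an added example that is not part of the original message: it reads a kernel config for CONFIG_GRKERNSEC_NO_RBAC and tests for the /dev/grsec node that gradm needs. The function names, the /boot/config-<release> default path and the sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether a grsecurity kernel
# was built with RBAC. Function names are hypothetical.

# Print no-grsec | rbac-disabled | rbac-available for the config file in $1
# (plain text or gzip-compressed). Returns 2 if the file cannot be read.
grsec_rbac_status() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Only active "=y" lines count; "# CONFIG_X is not set" never matches.
    active=$($reader "$cfg" | grep -E '^CONFIG_GRKERNSEC(_NO_RBAC)?=y$' || true)
    if ! printf '%s\n' "$active" | grep -qx 'CONFIG_GRKERNSEC=y'; then
        echo "no-grsec"
    elif printf '%s\n' "$active" | grep -qx 'CONFIG_GRKERNSEC_NO_RBAC=y'; then
        echo "rbac-disabled"
    else
        echo "rbac-available"
    fi
}

# Combine the build-time answer with the runtime symptom from the report:
# gradm cannot open /dev/grsec when RBAC is compiled out.
# $1 = config path (assumed default: /boot/config-<release>), $2 = device node.
grsec_rbac_report() {
    cfg=${1:-/boot/config-$(uname -r)}
    dev=${2:-/dev/grsec}
    status=$(grsec_rbac_status "$cfg") || true
    if [ -e "$dev" ]; then node=present; else node=missing; fi
    echo "config=$status device=$node"
}

# Constructed sample configs (not copied from any real kernel package).
demo_dir=$(mktemp -d)
printf 'CONFIG_GRKERNSEC=y\nCONFIG_GRKERNSEC_NO_RBAC=y\n' > "$demo_dir/config-norbac"
printf 'CONFIG_GRKERNSEC=y\n# CONFIG_GRKERNSEC_NO_RBAC is not set\n' > "$demo_dir/config-rbac"
grsec_rbac_report "$demo_dir/config-norbac" "$demo_dir/no-such-node"
grsec_rbac_report "$demo_dir/config-rbac" /dev/null
rm -rf "$demo_dir"
```

Called with no arguments, grsec_rbac_report inspects the running kernel's config and the real /dev/grsec node.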