I think you should not issue gradm -E before activating learning mode. Also make sure to populate your policy with at least some default stuff for the admin role before enabling it. The example policy file gives a starting point.

--
Attila Toth MD, Radiologist, +36-20-825-8057

On Monday, February 17, 2014 at 20:29, John Tate wrote:
> I am new to grsecurity. I am having a problem when I enable RBAC, where
> grsecurity denies gradm and certain directories such as /etc/grsec are
> inaccessible, and even /dev/grsec.
>
> gentoo ~ # gradm -E
> gentoo ~ # gradm -F -L /etc/grsec/learning.log
> Could not open /dev/grsec.
> open: Permission denied
>
> /var/log/messages contains this...
> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
> CONFIG_GRKERNSEC_KMEM=y
> CONFIG_GRKERNSEC_IO=y
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> CONFIG_GRKERNSEC_BRUTE=y
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
> # CONFIG_GRKERNSEC_NO_RBAC is not set
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
> CONFIG_GRKERNSEC_PROC=y
> CONFIG_GRKERNSEC_PROC_USER=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> CONFIG_GRKERNSEC_AUDIT_GROUP=y
> CONFIG_GRKERNSEC_AUDIT_GID=100
> CONFIG_GRKERNSEC_EXECLOG=y
> CONFIG_GRKERNSEC_RESLOG=y
> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> CONFIG_GRKERNSEC_TIME=y
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> # CONFIG_GRKERNSEC_SETXID is not set
> CONFIG_GRKERNSEC_TPE=y
> CONFIG_GRKERNSEC_TPE_ALL=y
> # CONFIG_GRKERNSEC_TPE_INVERT is not set
> CONFIG_GRKERNSEC_TPE_GID=101
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=6
>
> Help would really be appreciated to get this working, because I'm
> quite new to this and I have no idea what I've missed.
>
> --
> www.johntate.org
>
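Added example, not part of either message in this thread: a small Python parser for the RBAC capability-denial line quoted above, which pulls out the role, subject and capability so it is clear which policy entry the kernel matched when it refused gradm. The `(role:type:subject)` layout is read off the single log line in the thread and the role-type letter mapping is an assumption; the second sample line is constructed.

```python
import re
from collections import Counter

# First line: the denial from the thread, re-joined onto one line.
# Second line: constructed, unrelated kernel message (must be ignored).
SAMPLE_LOG = (
    "Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3: "
    "(default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for "
    "/sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent "
    "/bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0\n"
    "Feb 16 22:41:02 gentoo kernel: [ 665.100000] eth0: link up\n"
)

# Assumed meaning of the one-letter role type in "(role:type:subject)".
ROLE_TYPES = {"U": "user", "G": "group", "D": "default", "S": "special"}

# One process description: /path[comm:pid] uid/euid:N/N gid/egid:N/N
PROC = (r"(?P<{0}path>/\S+)\[(?P<{0}comm>[^:\]]+):(?P<{0}pid>\d+)\] "
        r"uid/euid:(?P<{0}uid>\d+)/(?P<{0}euid>\d+) gid/egid:\d+/\d+")

DENIAL = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?"
    r"\((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_\w+) denied for "
    + PROC.format("") + ", parent " + PROC.format("p")
)

def parse_denials(text):
    """Return one dict per capability-denial line found in the log text."""
    out = []
    for line in text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["role_type"] = ROLE_TYPES.get(d.pop("rtype"), "unknown")
        for key in ("pid", "uid", "euid", "ppid", "puid", "peuid"):
            d[key] = int(d[key])
        out.append(d)
    return out

def denied_by_subject(denials):
    """Count denials per (role, role type, subject, capability)."""
    return Counter((d["role"], d["role_type"], d["subject"], d["cap"])
                   for d in denials)

if __name__ == "__main__":
    for key, n in denied_by_subject(parse_denials(SAMPLE_LOG)).items():
        print(n, *key)
```

On the line from the thread this reports that `/sbin/gradm`, running as uid 0 from `/bin/bash`, was matched to the subject `/sbin/gradm` in the role named `default`, the role the reply says to give some default policy before enabling RBAC.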
