I run learning while RBAC is disabled. So without gradm -E. I'm not sure what's wrong with your setup, but learning mode does not require the RBAC to be active.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2014 February 23 (Sun) 10:20, John Tate wrote:
> How does it learn about the gradm -E before I've run it. Running it
> kills the system, whereupon there is no /etc/grsec to write any rules
> to. I've thought of this, and it doesn't work.
>
> On Tue, Feb 18, 2014 at 10:06 PM, "Tóth Attila" <[email protected]> wrote:
>> Just give gradm learning a try without a prior gradm -E.
>> After you can generate an initial set of rules for your policy, you can
>> start fine-tuning it for some specific applications.
>> --
>> Dr Tóth Attila, Radiologist, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> On 2014 February 17 (Mon) 23:26, John Tate wrote:
>>> BTW, I was supposed to delete the first two lines of that email.
>>>
>>> On Tue, Feb 18, 2014 at 9:25 AM, John Tate <[email protected]> wrote:
>>>> What should that stuff be so gradm works. I tried add
>>>>
>>>> Also the wiki instructs me to issue gradm -E before putting it in
>>>> learning mode.
>>>>
>>>> I've tried adding some lines to the admin role myself but the same
>>>> problem occurs, and gradm can no longer find /dev/grsec..
>>>>
>>>> role admin sA
>>>> subject / rvka
>>>> / rwcdmlxi
>>>> subject /sbin/gradm
>>>> /etc/grsec rwx
>>>> /dev/grsec rw
>>>> +CAP_DAC_OVERRIDE
>>>>
>>>> It would be good if you could just help me get started by giving
>>>> enough so that gradm -D will work so I can still work on the system
>>>> without a reboot. At this point it is tedious.
>>>>
>>>> Also either the Wiki page is out of date and the advice no longer
>>>> works, or the problem is actually some kernel option I've enabled:
>>>> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>>>>
>>>> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <[email protected]> wrote:
>>>>> I think you should not issue gradm -E before activating learning mode.
>>>>> Also make sure to populate your policy with at least some default stuff
>>>>> for the admin role before enabling it. The example policy file gives a
>>>>> starting point.
>>>>> --
>>>>> Dr Tóth Attila, Radiologist, 06-20-825-8057
>>>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>>>
>>>>> On 2014 February 17 (Mon) 20:29, John Tate wrote:
>>>>>> I am new to grsecurity, and I am having a problem when I enable RBAC,
>>>>>> where grsecurity denies gradm and certain directories such as
>>>>>> /etc/grsec are inaccessible, and even /dev/grsec.
>>>>>>
>>>>>> gentoo ~ # gradm -E
>>>>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>>>>> Could not open /dev/grsec.
>>>>>> open: Permission denied
>>>>>>
>>>>>> /var/log/messages contains this...
>>>>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
>>>>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>>>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>>>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>>>>
>>>>>> CONFIG_GRKERNSEC=y
>>>>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>>>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>>>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>>>>> CONFIG_GRKERNSEC_KMEM=y
>>>>>> CONFIG_GRKERNSEC_IO=y
>>>>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>>>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>>>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>>>>> CONFIG_GRKERNSEC_BRUTE=y
>>>>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>>>>> CONFIG_GRKERNSEC_HIDESYM=y
>>>>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>>>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>>>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>>>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>>>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>>>>> CONFIG_GRKERNSEC_PROC=y
>>>>>> CONFIG_GRKERNSEC_PROC_USER=y
>>>>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>>>>> CONFIG_GRKERNSEC_LINK=y
>>>>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>>>>> CONFIG_GRKERNSEC_FIFO=y
>>>>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>>>>> # CONFIG_GRKERNSEC_ROFS is not set
>>>>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>>>>> CONFIG_GRKERNSEC_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_RESLOG=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_SIGNAL=y
>>>>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>>>>> CONFIG_GRKERNSEC_TIME=y
>>>>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>>>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>>>>> CONFIG_GRKERNSEC_DMESG=y
>>>>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>>>>> # CONFIG_GRKERNSEC_SETXID is not set
>>>>>> CONFIG_GRKERNSEC_TPE=y
>>>>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>>>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>>>>> CONFIG_GRKERNSEC_TPE_GID=101
>>>>>> CONFIG_GRKERNSEC_RANDNET=y
>>>>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>>>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>>>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>>>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL=y
>>>>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>>>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>>>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>>>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>>>>
>>>>>> Help would really be appreciated to get this working, because I'm
>>>>>> quite new to this and I have no idea what I've missed.
>>>>>>
>>>>>> --
>>>>>> www.johntate.org
>>>>
>>>> --
>>>> www.johntate.org
>>>
>>> --
>>> www.johntate.org
>
> --
> www.johntate.org
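The denial line John posted is the evidence that matters in this thread: the `(default:D:/sbin/gradm)` triple records which role, role type and subject gradm was running under when CAP_DAC_OVERRIDE was refused, so the first thing to do with a pile of such lines is group them by subject and capability before touching the policy. The script below is an added example written for this page (not code from the thread, from gradm or from grsecurity); it parses lines of exactly that format. The first sample line is the one from the thread, the other lines are constructed in the same format to exercise the parser, and the field names (`role`, `roletype`, `subject`, `cap`, `ppath`, ...) are this script's own.

```python
"""Summarise grsecurity RBAC capability denials from syslog lines.

Added example for this thread, not code from the thread or from grsecurity.
"""
import re
from collections import Counter

# Constructed sample input: line 1 is the denial posted in the thread,
# lines 2-3 are made up in the same format, line 4 is an unrelated kernel
# message that the parser must skip.
SAMPLE_LOG = """\
Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:02 gentoo kernel: [  665.120001] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3320] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:10 gentoo kernel: [  673.000000] grsec: (default:D:/bin/cat) use of CAP_DAC_READ_SEARCH denied for /bin/cat[cat:3330] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:12 gentoo kernel: [  675.000000] usb 1-1: new high-speed USB device number 2 using ehci-pci
"""

# Common prefix of an RBAC message: optional source IP, then the
# (role:roletype:subject) triple, then the message body.
PREFIX_RE = re.compile(
    r"grsec: (?:From (?P<ip>[\d.]+): )?"
    r"\((?P<role>[^:)]+):(?P<roletype>[^:)]+):(?P<subject>[^)]+)\) (?P<msg>.*)$"
)
# Body of a capability denial, in the shape of the thread's log line.
CAP_RE = re.compile(
    r"use of (?P<cap>CAP_[A-Z_]+) denied for (?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r" uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r", parent (?P<ppath>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)


def parse_line(line):
    """Return a dict of fields for an RBAC log line, or None for anything else."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    cap = CAP_RE.search(rec["msg"])
    if cap:
        rec.update(cap.groupdict())
        rec["kind"] = "cap_denied"
    else:
        rec["kind"] = "other"  # some other RBAC message; keep the triple only
    return rec


def parse_log(text):
    """Parse every RBAC line in a syslog extract, skipping non-RBAC lines."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def cap_denials(records):
    """Count capability denials by (role, subject, capability)."""
    return Counter(
        (r["role"], r["subject"], r["cap"]) for r in records if r["kind"] == "cap_denied"
    )


def subjects_in_role(records, role):
    """Subject paths that produced RBAC messages while running under `role`."""
    return sorted({r["subject"] for r in records if r["role"] == role})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (role, subject, cap), n in sorted(cap_denials(recs).items()):
        print(f"{n:3d}  role={role:<8} subject={subject:<12} {cap}")
    print("subjects seen under the default role:", subjects_in_role(recs, "default"))
```

Run it as `python3 grsec_denials.py < /dev/null` after replacing `SAMPLE_LOG` with the contents of your own `/var/log/messages` extract; on the constructed sample it reports two CAP_DAC_OVERRIDE denials for `/sbin/gradm` and one for `/bin/cat`, all under the `default` role, which is the same picture the single line in the thread gives at a glance.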
