BTW, I was supposed to delete the first two lines of that email.

On Tue, Feb 18, 2014 at 9:25 AM, John Tate <j...@johntate.org> wrote:
> What should that stuff be so gradm works. I tried add
>
> Also the wiki instructs me to issue gradm -E before putting it in learning
> mode.
>
> I've tried adding some lines to the admin role myself but the same
> problem occurs, and gradm can no longer find /dev/grsec.
>
> role admin sA
> subject / rvka
> / rwcdmlxi
> subject /sbin/gradm
> /etc/grsec rwx
> /dev/grsec rw
> +CAP_DAC_OVERRIDE
>
> It would be good if you could just help me get started by giving
> enough so that gradm -D will work so I can still work on the system
> without a reboot. At this point it is tedious.
>
> Also either the Wiki page is out of date and the advice no longer
> works, or the problem is actually some kernel option I've enabled:
> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>
>
> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <at...@atoth.sote.hu> wrote:
>> I think you should not issue gradm -E before activating learning mode.
>> Also make sure to populate your policy with at least some default stuff
>> for the admin role before enabling it. The example policy file gives a
>> starting point.
>> --
>> dr Tóth Attila, Radiológus, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> On Monday, February 17, 2014 at 20:29, John Tate wrote:
>>> I am new to grsecurity and I am having a problem when I enable RBAC, where
>>> grsecurity denies gradm and certain directories such as /etc/grsec are
>>> inaccessible, and even /dev/grsec.
>>>
>>> gentoo ~ # gradm -E
>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>> Could not open /dev/grsec.
>>> open: Permission denied
>>>
>>> /var/log/messages contains this...
>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>
>>> CONFIG_GRKERNSEC=y
>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>> CONFIG_GRKERNSEC_KMEM=y
>>> CONFIG_GRKERNSEC_IO=y
>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>> CONFIG_GRKERNSEC_BRUTE=y
>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>> CONFIG_GRKERNSEC_HIDESYM=y
>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>> CONFIG_GRKERNSEC_PROC=y
>>> CONFIG_GRKERNSEC_PROC_USER=y
>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>> CONFIG_GRKERNSEC_LINK=y
>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>> CONFIG_GRKERNSEC_FIFO=y
>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>> # CONFIG_GRKERNSEC_ROFS is not set
>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>> CONFIG_GRKERNSEC_CHROOT=y
>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>> CONFIG_GRKERNSEC_EXECLOG=y
>>> CONFIG_GRKERNSEC_RESLOG=y
>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>> CONFIG_GRKERNSEC_SIGNAL=y
>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>> CONFIG_GRKERNSEC_TIME=y
>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>> CONFIG_GRKERNSEC_DMESG=y
>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>> # CONFIG_GRKERNSEC_SETXID is not set
>>> CONFIG_GRKERNSEC_TPE=y
>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>> CONFIG_GRKERNSEC_TPE_GID=101
>>> CONFIG_GRKERNSEC_RANDNET=y
>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>> CONFIG_GRKERNSEC_SYSCTL=y
>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>
>>> Help would really be appreciated to get this working, because I'm
>>> quite new to this and I have no idea what I've missed.
>>>
>>> --
>>> www.johntate.org
>>>
>>
>
> --
> www.johntate.org

--
www.johntate.org
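
Added example (not part of the original thread, and not grsecurity's or gradm's own code): a Python script that reads grsec capability denials like the one quoted above and groups them by role and subject, then lists denials logged under a role other than the one whose policy was edited. It assumes the parenthesised log prefix is role:role-type:subject; the second denial line, the noise line and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the denial quoted in the thread joined onto one line,
# a second constructed denial without the "From <ip>:" prefix, and a noise line.
SAMPLE_LOG = """\
Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:10 gentoo kernel: [  673.120001] grsec: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3320] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:12 gentoo kernel: [  675.000000] EXT4-fs (sda1): re-mounted. Opts: (null)
"""

# Assumption: the parenthesised prefix is role:role-type:subject.
DENIAL = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?"
    r"\((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_[A-Z_]+) denied for "
    r"(?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)


def denied_caps(log_text):
    """Map (role, role_type, subject) -> {capability: number of denials}."""
    found = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:  # non-grsec lines and other grsec message types are skipped
            found[(m["role"], m["rtype"], m["subject"])][m["cap"]] += 1
    return {key: dict(caps) for key, caps in found.items()}


def outside_roles(denials, edited_roles):
    """Denials logged under a role other than the ones whose policy was edited."""
    return sorted((role, subject) for (role, _rtype, subject) in denials
                  if role not in edited_roles)


if __name__ == "__main__":
    denials = denied_caps(SAMPLE_LOG)
    for (role, rtype, subject), caps in denials.items():
        print(f"role={role} type={rtype} subject={subject} denied={caps}")
    # The policy lines posted in the thread were added under "role admin".
    print("not under edited role(s):", outside_roles(denials, {"admin"}))
```

On the sample it reports both denials under role `default`, subject `/sbin/gradm`, while the policy lines quoted in the thread were added under `role admin`.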