[grsec] Re: Duplicate root role in policy file

Christian Piva Franzen cpfranzen at gmail.com
Thu Dec 1 15:54:37 EST 2005


Kurt,

   It's because there are two roles called root, the original and the
one created by the learning.

   In my system, I made a backup of the policy file, and then cp
/dev/null /etc/grsec/policy, and finally gradm -L xyz -O
/etc/grsec/policy.

   I used some parts of the original in the new policy.

   I didn't try to check every entry in both roles, and didn't check
for any security problems that "my way" may cause.

   It would be good if Spengler or someone more experienced than me
gave us some words about it.

Regards,
Christian

2005/12/1, grsecurity-request at grsecurity.net
<grsecurity-request at grsecurity.net>:
> Send grsecurity mailing list submissions to
>        grsecurity at grsecurity.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
> or, via email, send a message with subject or body 'help' to
>        grsecurity-request at grsecurity.net
>
> You can reach the person managing the list at
>        grsecurity-owner at grsecurity.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of grsecurity digest..."
>
>
> Today's Topics:
>
>   1. Re: Grsec distro? (Redeeman)
>   2. Duplicate root role in policy file (Kurt Pomeroy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 30 Nov 2005 18:17:24 +0100
> From: Redeeman <redeeman at metanurb.dk>
> Subject: Re: [grsec] Grsec distro?
> To: John Logsdon <j.logsdon at quantex-research.com>
> Cc: grsecurity at grsecurity.net
> Message-ID: <1133371044.11718.1.camel at localhost>
> Content-Type: text/plain
>
> On Tue, 2005-11-29 at 01:39 +0000, John Logsdon wrote:
> > This puts neatly my original impression of grsec cf SEL a year or so ago
> > when I first saw it.
> >
> > SEL looks lumpy - it needs modifications to userland tools (eg ls, ps, top
> > and tar->star), uses the attr system (which is broken on Reiser) and
> ahem? I'm using xattr nicely with reiserfs.
>
> > therefore each filesystem needs to be converted.  This means that there is
> > a lot of potential for forking and chaos.  Your post implies that these
> > incompatibilities have indeed arisen as I feared.  Apart from that, it
> > seems to be quite inelegant to specify policies.
> >
> > As a result, RH do not offer Reiser and some other filesystems at all -
> > you are pretty much stuck with ext3 I think.  I used to use Reiser but
> > have migrated mostly to XFS these days as the POSIX ACL system is built
> > in (a useful relaxation of DAC's if needed).
> >
> > I am sure SEL works and does what it is meant to (well as much as any such
> > system can) and I don't want to start spats or flames (unlikely on the
> > grsec list anyway).  I believe you can run PaX with SEL.
> >
> > The reason for my original post was to see whether any mainline distro was
> > considering using grsec - and would keep up to date with Brad's versions.
> > This would generate much more interest in grsec and perhaps ensure it's
> > future.  So far, only Gentoo has bitten this bullet and as a
> > compile-it-yourself system - which has much to commend it - I guess many
> > people would be put off.  I realise that ACL generation is largely done by
> > the learning mode but a grsec distro would enable us to share ACLs much
> > more easily as the locations would be known.
> >
> > So if anyone has a good leverage with any mainline distros, perhaps a word
> > in their shell-likes?
> >
> > Best wishes
> >
> > John
> >
> > PS There has been a long series of spats from SEL lovers and haters on the
> > CentOS list recently that were sometimes very amusing but none of the
> > posters mentioned any other security system.:)
> >
> > John Logsdon                               "Try to make things as simple
> > Quantex Research Ltd, Manchester UK         as possible but not simpler"
> > j.logsdon at quantex-research.com              a.einstein at relativity.org
> > +44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com
> >
> >
> > On Mon, 28 Nov 2005, Dan Hollis wrote:
> >
> > > On Sat, 26 Nov 2005, John Logsdon wrote:
> > > > that problem.  Now I am sure SEL works well - there have been some rather
> > > > silly spats on the CentOS list recently - but it does mean that many
> > > > userland tools are broken or need to be recompiled against libselinux,
> > > > that the attributes have to work (eg can't use Reiser) and a rather
> > > > cumbersome command system when compared to the simple elegance of grsec.
> > >
> > > The mechanism of grsecurity+pax is considerably different from that of
> > > selinux. selinux aims to limit damage from exploits (basically rbac).
> > > grsecurity+pax aims to prevent exploit from happening in the first place
> > > (stack protection, bounds checking, closing kernel attack vectors, etc).
> > >
> > > it's really two different things. imo selinux is just grsecurity's rbac,
> > > totally excluding pax. but selinux is more cumbersome to use (and
> > > currently, a lot of incompatibility exists).
> > >
> > > -Dan
> > >
> >
> > _______________________________________________
> > grsecurity mailing list
> > grsecurity at grsecurity.net
> > http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
> >
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 1 Dec 2005 10:06:01 -0330
> From: Kurt Pomeroy <kpomeroy at lakecrest.ca>
> Subject: [grsec] Duplicate root role in policy file
> To: grsecurity at grsecurity.net
> Message-ID: <20051201133601.GA10156 at lakecrest.ca>
> Content-Type: text/plain; charset=us-ascii
>
> Hey guys,
>        Just starting over re-learning in full learning mode over the past few days. I disabled the system
> and then converted the new rules into the system policy, then as root, I tried to start up the system
> and received the following error
>
> "Duplicate role root on line 3485 of /etc/grsec/policy.
> The RBAC system will not be allowed to be enabled until this error is fixed."
>
> I have gotten this message a few times in the past but didn't have much luck finding it or
> figuring out why this happens.
>
> Any ideas?
>
> Is there something I'm doing wrong? Also you have to be root to start and stop the system, correct?
> And every time I try /sbin/gradm -a admin as a normal user (I'm trying to configure the system
> as a regular user and stay out of su'ing to root) I always get invalid password. I don't think I
> quite have a handle on the administrative roles and how to configure the system as a regular user.
>
> thanks for any and all input, it is greatly appreciated :)
>
> mean while..ahhhhhhhhhhh
>
> I think I've just found one part of my problem. I think I was using /sbin/gradm -a admin without
> doing /sbin/gradm -P admin
>
> I believe I was only setting the system wide password, /sbin/gradm -P, and didn't specify the role (admin)
>
> I think lol
>
> cheers fellas
>
>
>
> ------------------------------
>
>
> End of grsecurity Digest, Vol 18, Issue 1
> *****************************************
>


--

Abraços
Christian
