[grsec] Strange effects after upgrade to 2.1.0

Brad Spengler spender at grsecurity.net
Mon Jan 17 20:08:53 EST 2005


On Tue, Jan 18, 2005 at 01:24:07AM +0100, Marc Schiffbauer wrote:
> Hi,
> 
> after upgrading from grsec 2.0.2 to 2.1.0 I discovered some strange
> grsec denies...
> 
> * the daemons were not able anymore to bind to their ports
> 
> grsec: From 1.2.3.4: (root:U:/usr/sbin/proftpd) attempted bind to x.x.x.x port 46304 sock type stream protocol tcp by /usr/sbin/proftpd[proftpd:27198] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:538] uid/euid:0/0 gid/egid:0/0
> 
> my ACL says:
> 
> bind 0.0.0.0/32:0 dgram ip
> bind x.x.x.x/32 stream tcp
> bind x.x.x.x/32:20 stream tcp
> 
> What has changed here?

IP policies are now checked at listen and accept time as well, since 
someone can reserve a server socket in the temporary port range by 
calling listen() after socket(), without calling bind in between, and 
the socket can receive connections with accept().
The policy you pasted above should allow the access, if the x.x.x.x IP 
address in the policy matches that of the one in the log.  If they're 
not the same, add a policy to allow the process to bind to any temporary 
port: bind x.x.x.x/32:1024-65535 stream tcp


> grsec: (cyrus:U:/usr/lib/cyrus/bin/lmtpd) denied link of /var/spool/cyrus/mail/stage./... to /var/spool/cyrus/mail/j/user/.... by /usr/lib/cyrus/bin/lmtpd[lmtpd:20753] uid/euid:101/101 gid/egid:8/8,parent /usr/sbin/cyrmaster[cyrmaster:25802] uid/euid:101/101 gid/egid:8/8
> 
> ACL says: 
> 
> /var/spool/cyrus/mail           rwcd
> 
> What does "unlink .. to .." mean? Why is it denied?

It's a hardlink, not an unlink.  In 2.1.0, I added a new object mode 
that is required for creating hardlinks.  The sample policy with gradm 
shows how the object mode is used (basically, just add an "l" to the 
mode for that object).

> * Several denies to /proc/sys/kernel/version 
>   (I did not change the policy...)

This could have to do with the caching in 2.1.0.  To solve this problem, 
try out the 2.1.1 patch for 2.4.29-rc3 or 2.6.10 from 
http://grsecurity.net/~spender with the 2.1.1 gradm.  It's important 
that many people test this so that I can release this onto the main 
page.  2.1.1 is mainly bugfixes except for a new tty sniffing detection 
integrated into the RBAC system that I want to make sure works for 
everyone (that is, it generates no false positives) before I release.

It's important when updating to new versions of grsecurity to check the 
list of changes announced on the website and look at the sample policy 
file for information on new permission flags or features.  You should 
also inspect the learn_config file and merge any changes over to your 
learn_config.  In 2.1.1, I've exported most of the heuristics of the 
learning process to learn_config so that you can tailor the 
automatic policy generation based on simple information like what files 
or directories are important to protect on your system.

-Brad
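Added example, not code from Brad or the grsecurity project: a small Python helper that parses denial lines of the two shapes quoted above and reports the ACL line that would permit each one, following the advice in this reply (the whole temporary-port range for a bind on an ephemeral port, an "l" appended to the object mode for a hardlink). The sample log lines, the 192.0.2.10 address, the shortened cyrus paths and the "+l" report notation are constructed here; the real gradm syntax is in the sample policy shipped with gradm.

```python
import os
import re
from collections import defaultdict

# Constructed sample lines modelled on the denials quoted in the thread; 192.0.2.10
# (a documentation address) stands in for the redacted x.x.x.x, and the cyrus
# paths are shortened placeholders, not the real file names.
SAMPLE_LOG = """\
grsec: From 1.2.3.4: (root:U:/usr/sbin/proftpd) attempted bind to 192.0.2.10 port 46304 sock type stream protocol tcp by /usr/sbin/proftpd[proftpd:27198] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:538] uid/euid:0/0 gid/egid:0/0
grsec: (cyrus:U:/usr/lib/cyrus/bin/lmtpd) denied link of /var/spool/cyrus/mail/stage./1 to /var/spool/cyrus/mail/j/user/x by /usr/lib/cyrus/bin/lmtpd[lmtpd:20753] uid/euid:101/101 gid/egid:8/8,parent /usr/sbin/cyrmaster[cyrmaster:25802] uid/euid:101/101 gid/egid:8/8
"""

# (role:type:subject) prefix that every RBAC denial in the thread carries
_SUBJ = r"\((?P<role>[^:)]+):[^:)]+:(?P<subject>[^)]+)\)"
BIND_RE = re.compile(_SUBJ + r" attempted bind to (?P<ip>\S+) port (?P<port>\d+)"
                     r" sock type (?P<stype>\w+) protocol (?P<proto>\w+)")
LINK_RE = re.compile(_SUBJ + r" denied link of (?P<src>\S+) to (?P<dst>\S+) by ")

EPHEMERAL_LOW = 1024  # ports at or above this are treated as temporary ports


def suggest_policy(log_text):
    """Map 'role:subject' to the ACL lines that would permit each logged denial.

    A bind denial on a temporary port gets the whole range Brad suggests
    ('bind ip/32:1024-65535 ...'); a fixed port gets a one-port rule.  A hardlink
    denial is reported as '<dir>  +l', meaning: append 'l' to the mode of the
    object that already covers that directory ('+l' is this script's notation,
    not gradm syntax).
    """
    out = defaultdict(list)
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            port = int(m["port"])
            ports = f"{EPHEMERAL_LOW}-65535" if port >= EPHEMERAL_LOW else str(port)
            rule = f"bind {m['ip']}/32:{ports} {m['stype']} {m['proto']}"
        elif m := LINK_RE.search(line):
            # deepest directory common to both link ends is the object to extend
            rule = f"{os.path.commonpath([m['src'], m['dst']])}  +l"
        else:
            continue
        key = f"{m['role']}:{m['subject']}"
        if rule not in out[key]:
            out[key].append(rule)
    return dict(out)


if __name__ == "__main__":
    for subject, rules in suggest_policy(SAMPLE_LOG).items():
        print(subject)
        for r in rules:
            print("   ", r)
```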