
grsec denying gradm, system unusuable
I am new to grsecurity and am having a problem when I enable RBAC:
grsecurity denies gradm, and certain directories such as /etc/grsec, and
even /dev/grsec, are inaccessible.

gentoo ~ # gradm -E
gentoo ~ # gradm -F -L /etc/grsec/learning.log
Could not open /dev/grsec.
open: Permission denied

/var/log/messages contains this...
Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
(default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
/sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0

CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=60
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=100
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
# CONFIG_GRKERNSEC_SETXID is not set
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=101
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6

Help would really be appreciated to get this working, because I'm
quite new to this and I have no idea what I've missed.

--
www.johntate.org
Re: grsec denying gradm, system unusuable
I think you should not issue gradm -E before activating learning mode.
Also make sure to populate your policy with at least some default stuff
for the admin role before enabling it. The example policy file gives a
starting point.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

2014.Február 17.(H) 20:29 időpontban John Tate ezt írta:
> I am new to grsecurity I am having a problem when I enable RBAC, where
> grsecurity denies gradm and certain directories such as /etc/grsec are
> inaccessible, and even /dev/grsec.
>
> gentoo ~ # gradm -E
> gentoo ~ # gradm -F -L /etc/grsec/learning.log
> Could not open /dev/grsec.
> open: Permission denied
>
> /var/log/messages contains this...
> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
> CONFIG_GRKERNSEC_KMEM=y
> CONFIG_GRKERNSEC_IO=y
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> CONFIG_GRKERNSEC_BRUTE=y
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
> # CONFIG_GRKERNSEC_NO_RBAC is not set
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
> CONFIG_GRKERNSEC_PROC=y
> CONFIG_GRKERNSEC_PROC_USER=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> CONFIG_GRKERNSEC_AUDIT_GROUP=y
> CONFIG_GRKERNSEC_AUDIT_GID=100
> CONFIG_GRKERNSEC_EXECLOG=y
> CONFIG_GRKERNSEC_RESLOG=y
> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> CONFIG_GRKERNSEC_TIME=y
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> # CONFIG_GRKERNSEC_SETXID is not set
> CONFIG_GRKERNSEC_TPE=y
> CONFIG_GRKERNSEC_TPE_ALL=y
> # CONFIG_GRKERNSEC_TPE_INVERT is not set
> CONFIG_GRKERNSEC_TPE_GID=101
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=6
>
> Help would really be appreciated to get this working, because I'm
> quite new to this and I have no idea what I've missed.
>
> --
> www.johntate.org
>
Re: grsec denying gradm, system unusuable
What should that stuff be so gradm works. I tried add

Also the wiki instructs me to issue gradm -E before putting it in learning mode.

I've tried adding some lines to the admin role myself, but the same
problem occurs, and gradm can no longer find /dev/grsec.

role admin sA
subject / rvka
/ rwcdmlxi
subject /sbin/gradm
/etc/grsec rwx
/dev/grsec rw
+CAP_DAC_OVERRIDE

It would be good if you could just help me get started by giving
enough so that gradm -D will work so I can still work on the system
without a reboot. At this point it is tedious.

Also, either the wiki page is out of date and the advice no longer
works, or the problem is actually some kernel option I've enabled:
https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart


On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@atoth.sote.hu> wrote:
> I think you should not issue gradm -E before activating learning mode.
> Also make sure to populate your policy with at least some default stuff
> for the admin role before enabling it. The example policy file gives a
> starting point.
> --
> dr Tóth Attila, Radiológus, 06-20-825-8057
> Attila Toth MD, Radiologist, +36-20-825-8057
>
> 2014.Február 17.(H) 20:29 időpontban John Tate ezt írta:
>> I am new to grsecurity I am having a problem when I enable RBAC, where
>> grsecurity denies gradm and certain directories such as /etc/grsec are
>> inaccessible, and even /dev/grsec.
>>
>> gentoo ~ # gradm -E
>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>> Could not open /dev/grsec.
>> open: Permission denied
>>
>> /var/log/messages contains this...
>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>
>> CONFIG_GRKERNSEC=y
>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>> CONFIG_GRKERNSEC_KMEM=y
>> CONFIG_GRKERNSEC_IO=y
>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>> CONFIG_GRKERNSEC_BRUTE=y
>> CONFIG_GRKERNSEC_MODHARDEN=y
>> CONFIG_GRKERNSEC_HIDESYM=y
>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>> CONFIG_GRKERNSEC_PROC=y
>> CONFIG_GRKERNSEC_PROC_USER=y
>> CONFIG_GRKERNSEC_PROC_ADD=y
>> CONFIG_GRKERNSEC_LINK=y
>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>> CONFIG_GRKERNSEC_FIFO=y
>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>> # CONFIG_GRKERNSEC_ROFS is not set
>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>> CONFIG_GRKERNSEC_CHROOT=y
>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>> CONFIG_GRKERNSEC_AUDIT_GID=100
>> CONFIG_GRKERNSEC_EXECLOG=y
>> CONFIG_GRKERNSEC_RESLOG=y
>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>> CONFIG_GRKERNSEC_SIGNAL=y
>> CONFIG_GRKERNSEC_FORKFAIL=y
>> CONFIG_GRKERNSEC_TIME=y
>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>> CONFIG_GRKERNSEC_DMESG=y
>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>> # CONFIG_GRKERNSEC_SETXID is not set
>> CONFIG_GRKERNSEC_TPE=y
>> CONFIG_GRKERNSEC_TPE_ALL=y
>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>> CONFIG_GRKERNSEC_TPE_GID=101
>> CONFIG_GRKERNSEC_RANDNET=y
>> CONFIG_GRKERNSEC_BLACKHOLE=y
>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>> # CONFIG_GRKERNSEC_SOCKET is not set
>> # CONFIG_GRKERNSEC_DENYUSB is not set
>> CONFIG_GRKERNSEC_SYSCTL=y
>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>> CONFIG_GRKERNSEC_FLOODTIME=10
>> CONFIG_GRKERNSEC_FLOODBURST=6
>>
>> Help would really be appreciated to get this working, because I'm
>> quite new to this and I have no idea what I've missed.
>>
>> --
>> www.johntate.org
>>
>
>
>



--
www.johntate.org
Re: grsec denying gradm, system unusuable
BTW, I was supposed to delete the first two lines of that email.

On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@johntate.org> wrote:
> What should that stuff be so gradm works. I tried add
>
> Also the wiki instructs me to issue gradm -E before putting it in learning mode.
>
> I've tried adding some lines to the admin role myself but the same
> problem occurs, and gradm can no longer find /dev/grsec..
>
> role admin sA
> subject / rvka
> / rwcdmlxi
> subject /sbin/gradm
> /etc/grsec rwx
> /dev/grsec rw
> +CAP_DAC_OVERRIDE
>
> It would be good if you could just help me get started by giving
> enough so that gradm -D will work so I can still work on the system
> without a reboot. At this point it is tedious.
>
> Also either the Wiki page is out of date and the advise no longer
> works, or the problem is actually some kernel option I've enabled:
> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>
>
> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@atoth.sote.hu> wrote:
>> I think you should not issue gradm -E before activating learning mode.
>> Also make sure to populate your policy with at least some default stuff
>> for the admin role before enabling it. The example policy file gives a
>> starting point.
>> --
>> dr Tóth Attila, Radiológus, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> 2014.Február 17.(H) 20:29 időpontban John Tate ezt írta:
>>> I am new to grsecurity I am having a problem when I enable RBAC, where
>>> grsecurity denies gradm and certain directories such as /etc/grsec are
>>> inaccessible, and even /dev/grsec.
>>>
>>> gentoo ~ # gradm -E
>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>> Could not open /dev/grsec.
>>> open: Permission denied
>>>
>>> /var/log/messages contains this...
>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>
>>> CONFIG_GRKERNSEC=y
>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>> CONFIG_GRKERNSEC_KMEM=y
>>> CONFIG_GRKERNSEC_IO=y
>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>> CONFIG_GRKERNSEC_BRUTE=y
>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>> CONFIG_GRKERNSEC_HIDESYM=y
>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>> CONFIG_GRKERNSEC_PROC=y
>>> CONFIG_GRKERNSEC_PROC_USER=y
>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>> CONFIG_GRKERNSEC_LINK=y
>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>> CONFIG_GRKERNSEC_FIFO=y
>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>> # CONFIG_GRKERNSEC_ROFS is not set
>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>> CONFIG_GRKERNSEC_CHROOT=y
>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>> CONFIG_GRKERNSEC_EXECLOG=y
>>> CONFIG_GRKERNSEC_RESLOG=y
>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>> CONFIG_GRKERNSEC_SIGNAL=y
>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>> CONFIG_GRKERNSEC_TIME=y
>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>> CONFIG_GRKERNSEC_DMESG=y
>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>> # CONFIG_GRKERNSEC_SETXID is not set
>>> CONFIG_GRKERNSEC_TPE=y
>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>> CONFIG_GRKERNSEC_TPE_GID=101
>>> CONFIG_GRKERNSEC_RANDNET=y
>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>> CONFIG_GRKERNSEC_SYSCTL=y
>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>
>>> Help would really be appreciated to get this working, because I'm
>>> quite new to this and I have no idea what I've missed.
>>>
>>> --
>>> www.johntate.org
>>>
>>
>>
>>
>
>
>
> --
> www.johntate.org



--
www.johntate.org
Re: grsec denying gradm, system unusuable
Just give gradm learning a try without a prior gradm -E.
Once you can generate an initial set of rules for your policy, you can
start fine-tuning it for some specific applications.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

2014.Február 17.(H) 23:26 időpontban John Tate ezt írta:
> BTW, I was supposed to delete the first two lines of that email.
>
> On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@johntate.org> wrote:
>> What should that stuff be so gradm works. I tried add
>>
>> Also the wiki instructs me to issue gradm -E before putting it in
>> learning mode.
>>
>> I've tried adding some lines to the admin role myself but the same
>> problem occurs, and gradm can no longer find /dev/grsec..
>>
>> role admin sA
>> subject / rvka
>> / rwcdmlxi
>> subject /sbin/gradm
>> /etc/grsec rwx
>> /dev/grsec rw
>> +CAP_DAC_OVERRIDE
>>
>> It would be good if you could just help me get started by giving
>> enough so that gradm -D will work so I can still work on the system
>> without a reboot. At this point it is tedious.
>>
>> Also either the Wiki page is out of date and the advise no longer
>> works, or the problem is actually some kernel option I've enabled:
>> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>>
>>
>> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@atoth.sote.hu>
>> wrote:
>>> I think you should not issue gradm -E before activating learning mode.
>>> Also make sure to populate your policy with at least some default stuff
>>> for the admin role before enabling it. The example policy file gives a
>>> starting point.
>>> --
>>> dr Tóth Attila, Radiológus, 06-20-825-8057
>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>
>>> 2014.Február 17.(H) 20:29 időpontban John Tate ezt írta:
>>>> I am new to grsecurity I am having a problem when I enable RBAC, where
>>>> grsecurity denies gradm and certain directories such as /etc/grsec are
>>>> inaccessible, and even /dev/grsec.
>>>>
>>>> gentoo ~ # gradm -E
>>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>>> Could not open /dev/grsec.
>>>> open: Permission denied
>>>>
>>>> /var/log/messages contains this...
>>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
>>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>>
>>>> CONFIG_GRKERNSEC=y
>>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>>> CONFIG_GRKERNSEC_KMEM=y
>>>> CONFIG_GRKERNSEC_IO=y
>>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>>> CONFIG_GRKERNSEC_BRUTE=y
>>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>>> CONFIG_GRKERNSEC_HIDESYM=y
>>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>>> CONFIG_GRKERNSEC_PROC=y
>>>> CONFIG_GRKERNSEC_PROC_USER=y
>>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>>> CONFIG_GRKERNSEC_LINK=y
>>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>>> CONFIG_GRKERNSEC_FIFO=y
>>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>>> # CONFIG_GRKERNSEC_ROFS is not set
>>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>>> CONFIG_GRKERNSEC_CHROOT=y
>>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>>> CONFIG_GRKERNSEC_EXECLOG=y
>>>> CONFIG_GRKERNSEC_RESLOG=y
>>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>>> CONFIG_GRKERNSEC_SIGNAL=y
>>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>>> CONFIG_GRKERNSEC_TIME=y
>>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>>> CONFIG_GRKERNSEC_DMESG=y
>>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>>> # CONFIG_GRKERNSEC_SETXID is not set
>>>> CONFIG_GRKERNSEC_TPE=y
>>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>>> CONFIG_GRKERNSEC_TPE_GID=101
>>>> CONFIG_GRKERNSEC_RANDNET=y
>>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>>> CONFIG_GRKERNSEC_SYSCTL=y
>>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>>
>>>> Help would really be appreciated to get this working, because I'm
>>>> quite new to this and I have no idea what I've missed.
>>>>
>>>> --
>>>> www.johntate.org
>>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> www.johntate.org
>
>
>
> --
> www.johntate.org
>
>
Re: grsec denying gradm, system unusuable
How does it learn about the gradm -E before I've run it? Running it
kills the system, whereupon there is no /etc/grsec to write any rules
to. I've thought of this, and it doesn't work.

On Tue, Feb 18, 2014 at 10:06 PM, "Tóth Attila" <atoth@atoth.sote.hu> wrote:
> Just give gradm learning a try without a prior gradm -E.
> After you can generate an initial set of rules for your policy, you can
> start fine-tuning it for some specific applications.
> --
> dr Tóth Attila, Radiológus, 06-20-825-8057
> Attila Toth MD, Radiologist, +36-20-825-8057
>
> 2014.Február 17.(H) 23:26 időpontban John Tate ezt írta:
>> BTW, I was supposed to delete the first two lines of that email.
>>
>> On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@johntate.org> wrote:
>>> What should that stuff be so gradm works. I tried add
>>>
>>> Also the wiki instructs me to issue gradm -E before putting it in
>>> learning mode.
>>>
>>> I've tried adding some lines to the admin role myself but the same
>>> problem occurs, and gradm can no longer find /dev/grsec..
>>>
>>> role admin sA
>>> subject / rvka
>>> / rwcdmlxi
>>> subject /sbin/gradm
>>> /etc/grsec rwx
>>> /dev/grsec rw
>>> +CAP_DAC_OVERRIDE
>>>
>>> It would be good if you could just help me get started by giving
>>> enough so that gradm -D will work so I can still work on the system
>>> without a reboot. At this point it is tedious.
>>>
>>> Also either the Wiki page is out of date and the advise no longer
>>> works, or the problem is actually some kernel option I've enabled:
>>> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>>>
>>>
>>> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@atoth.sote.hu>
>>> wrote:
>>>> I think you should not issue gradm -E before activating learning mode.
>>>> Also make sure to populate your policy with at least some default stuff
>>>> for the admin role before enabling it. The example policy file gives a
>>>> starting point.
>>>> --
>>>> dr Tóth Attila, Radiológus, 06-20-825-8057
>>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>>
>>>> 2014.Február 17.(H) 20:29 időpontban John Tate ezt írta:
>>>>> I am new to grsecurity I am having a problem when I enable RBAC, where
>>>>> grsecurity denies gradm and certain directories such as /etc/grsec are
>>>>> inaccessible, and even /dev/grsec.
>>>>>
>>>>> gentoo ~ # gradm -E
>>>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>>>> Could not open /dev/grsec.
>>>>> open: Permission denied
>>>>>
>>>>> /var/log/messages contains this...
>>>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
>>>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>>>
>>>>> CONFIG_GRKERNSEC=y
>>>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>>>> CONFIG_GRKERNSEC_KMEM=y
>>>>> CONFIG_GRKERNSEC_IO=y
>>>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>>>> CONFIG_GRKERNSEC_BRUTE=y
>>>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>>>> CONFIG_GRKERNSEC_HIDESYM=y
>>>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>>>> CONFIG_GRKERNSEC_PROC=y
>>>>> CONFIG_GRKERNSEC_PROC_USER=y
>>>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>>>> CONFIG_GRKERNSEC_LINK=y
>>>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>>>> CONFIG_GRKERNSEC_FIFO=y
>>>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>>>> # CONFIG_GRKERNSEC_ROFS is not set
>>>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>>>> CONFIG_GRKERNSEC_CHROOT=y
>>>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>>>> CONFIG_GRKERNSEC_EXECLOG=y
>>>>> CONFIG_GRKERNSEC_RESLOG=y
>>>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>>>> CONFIG_GRKERNSEC_SIGNAL=y
>>>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>>>> CONFIG_GRKERNSEC_TIME=y
>>>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>>>> CONFIG_GRKERNSEC_DMESG=y
>>>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>>>> # CONFIG_GRKERNSEC_SETXID is not set
>>>>> CONFIG_GRKERNSEC_TPE=y
>>>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>>>> CONFIG_GRKERNSEC_TPE_GID=101
>>>>> CONFIG_GRKERNSEC_RANDNET=y
>>>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>>>> CONFIG_GRKERNSEC_SYSCTL=y
>>>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>>>
>>>>> Help would really be appreciated to get this working, because I'm
>>>>> quite new to this and I have no idea what I've missed.
>>>>>
>>>>> --
>>>>> www.johntate.org
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> www.johntate.org
>>
>>
>>
>> --
>> www.johntate.org
>>
>>
>
>
>



--
www.johntate.org
Re: grsec denying gradm, system unusuable
I run learning while RBAC is disabled, that is, without gradm -E.
I'm not sure what's wrong with your setup, but learning mode does not
require RBAC to be active.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

2014.Február 23.(V) 10:20 időpontban John Tate ezt írta:
> How does it learn about the gradm -E before I've ran it. Running it
> kills the system, whereupon there is no /etc/grsec to write any rules
> to. I've thought of this, and it doesn't work.
>
> On Tue, Feb 18, 2014 at 10:06 PM, "Tóth Attila" <atoth@atoth.sote.hu>
> wrote:
>> Just give gradm learning a try without a prior gradm -E.
>> After you can generate an initial set of rules for your policy, you can
>> start fine-tuning it for some specific applications.
>> --
>> dr Tóth Attila, Radiológus, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> 2014.Február 17.(H) 23:26 időpontban John Tate ezt írta:
>>> BTW, I was supposed to delete the first two lines of that email.
>>>
>>> On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@johntate.org> wrote:
>>>> What should that stuff be so gradm works. I tried add
>>>>
>>>> Also the wiki instructs me to issue gradm -E before putting it in
>>>> learning mode.
>>>>
>>>> I've tried adding some lines to the admin role myself but the same
>>>> problem occurs, and gradm can no longer find /dev/grsec..
>>>>
>>>> role admin sA
>>>> subject / rvka
>>>> / rwcdmlxi
>>>> subject /sbin/gradm
>>>> /etc/grsec rwx
>>>> /dev/grsec rw
>>>> +CAP_DAC_OVERRIDE
>>>>
>>>> It would be good if you could just help me get started by giving
>>>> enough so that gradm -D will work so I can still work on the system
>>>> without a reboot. At this point it is tedious.
>>>>
>>>> Also either the Wiki page is out of date and the advise no longer
>>>> works, or the problem is actually some kernel option I've enabled:
>>>> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>>>>
>>>>
>>>> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@atoth.sote.hu>
>>>> wrote:
>>>>> I think you should not issue gradm -E before activating learning
>>>>> mode.
>>>>> Also make sure to populate your policy with at least some default
>>>>> stuff
>>>>> for the admin role before enabling it. The example policy file gives
>>>>> a
>>>>> starting point.
>>>>> --
>>>>> dr Tóth Attila, Radiológus, 06-20-825-8057
>>>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>>>
>>>>> 2014.Február 17.(H) 20:29 időpontban John Tate ezt írta:
>>>>>> I am new to grsecurity I am having a problem when I enable RBAC,
>>>>>> where
>>>>>> grsecurity denies gradm and certain directories such as /etc/grsec
>>>>>> are
>>>>>> inaccessible, and even /dev/grsec.
>>>>>>
>>>>>> gentoo ~ # gradm -E
>>>>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>>>>> Could not open /dev/grsec.
>>>>>> open: Permission denied
>>>>>>
>>>>>> /var/log/messages contains this...
>>>>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From
>>>>>> 192.168.0.3:
>>>>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>>>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>>>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>>>>
>>>>>> CONFIG_GRKERNSEC=y
>>>>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>>>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>>>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>>>>> CONFIG_GRKERNSEC_KMEM=y
>>>>>> CONFIG_GRKERNSEC_IO=y
>>>>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>>>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>>>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>>>>> CONFIG_GRKERNSEC_BRUTE=y
>>>>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>>>>> CONFIG_GRKERNSEC_HIDESYM=y
>>>>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>>>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>>>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>>>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>>>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>>>>> CONFIG_GRKERNSEC_PROC=y
>>>>>> CONFIG_GRKERNSEC_PROC_USER=y
>>>>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>>>>> CONFIG_GRKERNSEC_LINK=y
>>>>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>>>>> CONFIG_GRKERNSEC_FIFO=y
>>>>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>>>>> # CONFIG_GRKERNSEC_ROFS is not set
>>>>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>>>>> CONFIG_GRKERNSEC_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_RESLOG=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_SIGNAL=y
>>>>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>>>>> CONFIG_GRKERNSEC_TIME=y
>>>>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>>>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>>>>> CONFIG_GRKERNSEC_DMESG=y
>>>>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>>>>> # CONFIG_GRKERNSEC_SETXID is not set
>>>>>> CONFIG_GRKERNSEC_TPE=y
>>>>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>>>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>>>>> CONFIG_GRKERNSEC_TPE_GID=101
>>>>>> CONFIG_GRKERNSEC_RANDNET=y
>>>>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>>>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>>>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>>>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL=y
>>>>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>>>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>>>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>>>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>>>>
>>>>>> Help would really be appreciated to get this working, because I'm
>>>>>> quite new to this and I have no idea what I've missed.
>>>>>>
>>>>>> --
>>>>>> www.johntate.org
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> www.johntate.org
>>>
>>>
>>>
>>> --
>>> www.johntate.org
>>>
>>>
>>
>>
>>
>
>
>
> --
> www.johntate.org
>
>