# taming grsec

## idella4

I have followed the gentoo guide for the hardened system, enter grsec & PaX.

It took some time but I deciphered how to get the basic grsec RBAC control working. I have done it a few times, but the beast needs taming.

From the guide, the grsec system makes a log file of the system's activity, then uses that to construct a policy file. The policy, a little like selinux, directs roles and objects and sets attributes to the system files. Has anyone got this working?

I have made a policy file with some editing twice now, and the moment I activate the RBAC policy settings, it absolutely clobbers emerge.

I happen to be running emerge -uDN world under the hardened 2010 profile. I have most of kde to go, and have not touched system, though many world packages cross system packages. Behold

```
idella@genny ~ $ sudo gradm -E
```

......................[in another tab of the console]

```
>>> Installing (5 of 123) kde-base/kamera-4.5.3
>>> Installing (2 of 123) kde-base/ksplash-4.5.3
>>> Installing (4 of 123) kde-base/gwenview-4.5.3
>>> Installing (3 of 123) kde-base/okular-4.5.3
>>> Jobs: 3 of 123 complete, 1 running              Load avg: 10.5, 9.4, 4.9
 * Messages for package kde-base/gwenview-4.5.3:
 * For SVG support, emerge -va kde-base/svgpart
Traceback (most recent call last):
  File "/usr/bin/emerge", line 43, in <module>
    retval = emerge_main()
  File "/usr/lib/portage/pym/_emerge/main.py", line 1698, in emerge_main
    myopts, myaction, myfiles, spinner)
  File "/usr/lib/portage/pym/_emerge/actions.py", line 426, in action_build
    retval = mergetask.merge()
  File "/usr/lib/portage/pym/_emerge/Scheduler.py", line 1129, in merge
    rval = self._merge()
  File "/usr/lib/portage/pym/_emerge/Scheduler.py", line 1447, in _merge
    self._main_loop()
  File "/usr/lib/portage/pym/_emerge/Scheduler.py", line 1589, in _main_loop
    self._poll_loop()
  File "/usr/lib/portage/pym/_emerge/PollScheduler.py", line 138, in _poll_loop
    handler(f, event)
  File "/usr/lib/portage/pym/_emerge/EbuildIpcDaemon.py", line 82, in _input_handler
    reply_hook()
  File "/usr/lib/portage/pym/_emerge/AbstractEbuildProcess.py", line 149, in _exit_command_callback
    self.scheduler.schedule(self._reg_id, timeout=self._exit_timeout)
  File "/usr/lib/portage/pym/_emerge/PollScheduler.py", line 232, in _schedule_wait
    handler(f, event)
  File "/usr/lib/portage/pym/_emerge/SpawnProcess.py", line 203, in _output_handler
    self._unregister_if_appropriate(event)
  File "/usr/lib/portage/pym/_emerge/AbstractPollTask.py", line 49, in _unregister_if_appropriate
    self.wait()
  File "/usr/lib/portage/pym/_emerge/AsynchronousTask.py", line 41, in wait
    self._wait_hook()
  File "/usr/lib/portage/pym/_emerge/AsynchronousTask.py", line 114, in _wait_hook
    self._exit_listener_stack.pop()(self)
  File "/usr/lib/portage/pym/_emerge/EbuildPhase.py", line 201, in _post_phase_exit
    self.wait()
  File "/usr/lib/portage/pym/_emerge/AsynchronousTask.py", line 41, in wait
    self._wait_hook()
  File "/usr/lib/portage/pym/_emerge/AsynchronousTask.py", line 114, in _wait_hook
    self._exit_listener_stack.pop()(self)
  File "/usr/lib/portage/pym/_emerge/TaskSequence.py", line 43, in _task_exit_handler
    self.wait()
  File "/usr/lib/portage/pym/_emerge/AsynchronousTask.py", line 41, in wait
    self._wait_hook()
  File "/usr/lib/portage/pym/_emerge/AsynchronousTask.py", line 114, in _wait_hook
    self._exit_listener_stack.pop()(self)
  File "/usr/lib/portage/pym/_emerge/CompositeTask.py", line 105, in _default_final_exit
    return self.wait()
  File "/usr/lib/portage/pym/_emerge/AsynchronousTask.py", line 41, in wait
    self._wait_hook()
  File "/usr/lib/portage/pym/_emerge/AsynchronousTask.py", line 114, in _wait_hook
    self._exit_listener_stack.pop()(self)
    self._exit_listener_stack.pop()(self)
  File "/usr/lib/portage/pym/_emerge/Scheduler.py", line 1426, in _build_exit
    self._schedule()
  File "/usr/lib/portage/pym/_emerge/PollScheduler.py", line 52, in _schedule
    return self._schedule_tasks()
  File "/usr/lib/portage/pym/_emerge/Scheduler.py", line 1623, in _schedule_tasks
    if q.schedule():
  File "/usr/lib/portage/pym/_emerge/SequentialTaskQueue.py", line 55, in schedule
    task.start()
  File "/usr/lib/portage/pym/_emerge/AsynchronousTask.py", line 23, in start
    self._start()
  File "/usr/lib/portage/pym/_emerge/PackageMerge.py", line 43, in _start
    self.returncode = self.merge.merge()
  File "/usr/lib/portage/pym/_emerge/MergeListItem.py", line 147, in merge
    retval = self._install_task.install()
  File "/usr/lib/portage/pym/_emerge/EbuildBuild.py", line 326, in install
    self._unlock_builddir()
  File "/usr/lib/portage/pym/_emerge/EbuildBuild.py", line 223, in _unlock_builddir
    portage.elog.elog_process(self.pkg.cpv, self.settings)
  File "/usr/lib/portage/pym/portage/elog/__init__.py", line 105, in elog_process
    os.path.join(mysettings["T"], "logging"))
  File "/usr/lib/portage/pym/portage/elog/messages.py", line 48, in collect_ebuild_messages
    mode='r', encoding=_encodings['repo.content'], errors='replace'):
  File "/usr/lib/python2.6/codecs.py", line 881, in open
    file = __builtin__.open(filename, mode, buffering)
IOError: [Errno 13] Permission denied: '/var/tmp/portage/portage/kde-base/okular-4.5.3/temp/logging/unpack'
```

Clobbers it. I ran the learning log with emerge running. The policy maker clearly learned sod all about emerge and portage and the permissions it requires to operate at all. I can't even disable it.

```
idella@genny ~ $ sudo gradm -D
sudo: setresuid(user_uid, user_uid, ROOT_UID): Operation not permitted
```

Can someone help to tame the beast??? Otherwise I'll abandon it as a lousy exercise in linux security.

```
genny idella # ls -ld /etc/grsec/policy
ls: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
```

----------

## idella4

bump. Is grsec a mystery to everyone?

----------

## ali3nx

Just my two or more cents, but the missing glibc shared library hints at some contributing system inconsistencies that really need to be eliminated as contributing factors.

If you can't disable gradm you're mostly left with a hard reboot as an immediate solution. Several functions in gradm entirely rely on coreutils working, which could be contributing to discovery mode failing to create a sane base policy evaluation.

I'd also recommend running revdep-rebuild, dispatch-conf, verify your gcc-profile, libtool profile are both valid and run lafilefixer to ensure you have no broken libraries or possible toolchain inconsistencies. If you still cannot use ls without the missing library error you may have to pull out the big guns to rebuild coreutils by making a stage4 hardened base install into use for a bindist host in a chroot from livecd to build a replacement for your current coreutils. While it might seem to be a lot of work, well... it is a fair bit of labor; however, the value of your time invested thus far is your own judgment call.

A consistent toolchain and base system is a key requirement for grsec and gradm to play nice when gradm is in lockdown. Also, ensuring your kernel configuration for grsec and pax isn't contributing to any of the issues you're experiencing could be worth some review, as some of the configuration options in grsec can greatly increase base system resiliency, resulting in possible unwanted effects on system functionality.

One of gentoo's old guard core system developers put it all into context with perfect clarity many years ago for me with the following phrase:

```
I enabled it because it looked cool!
```

Naturally this can come back to kick you in the backside.

Overall, if you're up to the challenge don't give up, because once you do succeed with grsec and gradm you'll have climbed one of the more challenging uphill battles linux offers, which can be very rewarding when you're the admin with the root login.

The seven or eight years of study I've picked up on from working with every major arch gentoo offers as well as hardened recently earned me an email from a corporate recruiter at google. Effort reaps rewards beyond expectations.

----------

## idella4

ali3nx

cool, very cool, but could you please stabilise your avatar, I fear it will invoke an epileptic fit with prolonged exposure. Have seen a couple of your posts in portage & progs, alongside mine.

 *Quote:*   

> I'd also recommend running revdep-rebuild, dispatch-conf, verify your gcc-profile, libtool profile are both valid and run lafilefixer to ensure you have no broken libraries or possible toolchain inconsistencies

revdep-rebuild; has been done recently

dispatch-conf; never used it before, only have to plow through 111 files!

```
genny idella # gcc-config -l
 [1] i686-pc-linux-gnu-4.4.5 *
 [2] i686-pc-linux-gnu-4.5.1
```

this should suffice; when I'm keen I can recompile the lot with the upgrade gcc, but not a high priority.

libtool profile; never touched it before.

lafilefixer; done

 *Quote:*   

> the missing glibc shared library hints at some contributing system inconsistencies that really need to be eliminated as contributing factors

 *Quote:*   

> genny idella # ls -ld /etc/grsec/policy
> ls: error while loading shared libraries: librt.so.1: cannot open shared object
> ...

```
genny idella # equery b librt.so.1
 * Searching for librt.so.1 ... 
sys-libs/glibc-2.12.1-r3 (/lib/librt.so.1 -> librt-2.12.1.so)
```

So, once gradm is enabled via gradm -E, it not only clobbers emerge, but cuts off system awareness of glibc library linkage!!!!!

This is a beast.

So I see no inconsistencies, just a rogue gradm.

 *Quote:*   

> you may have to pull out the big guns to rebuild coreutils by making a stage4 hardened base install into use for a bindist host in a chroot from livecd to build a replacement for your current coreutils

Can you run that by me again? You have managed to lose me here. stage4 hardened base install, bindist host??? chroot from livecd.

I have no idea even how to assess the state of my coreutils.  Certainly don't know how to follow these steps.

Please re-post, I had almost given up on gaining a reply to this, you are clearly the only possible respondent.

----------

## ali3nx

Perhaps the next step might be to ask you to post emerge --info.

Also, just for your information, given you were not aware of dispatch-conf: it has been for some time the bigger brother to etc-update, with a much more forgiving feature of saving backups for changes in /etc/config-archive.

Here's a list of my config-archive from my local hardened server

 *Quote:*   

> ali3n@gateway ~ $ ls -l /etc/config-archive/etc/
> DIR_COLORS               dbus-1/                  grsec/                   login.defs.dist          mdadm.conf.dist          nanorc.dist              portage/                 rc.conf                  ssh/                     wgetrc.dist
> DIR_COLORS.1             denyhosts.conf           hostapd/                 logrotate.d/             mke2fs.conf              networks                 profile                  rc.conf.dist             ssl/                     xinetd.conf
> ...

This has obvious advantages in that if you accidentally make a config change you're guaranteed to have a backup within that directory.

I do see one thing that concerns me with your gcc-profile list that leads me to question if you're using accept_keywords="~arch", as this could be contributing to your problems. My stable hardened system is only using gcc-4.4.4.

 *Quote:*   

> ali3n@gateway ~ $ gcc-config -l
>  [1] x86_64-pc-linux-gnu-4.4.4 *
>  [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
> ...

----------

## idella4

ali3nx

ok, let's pursue. This will only work if you follow this through. The likes of Hu have clearly passed over it, and I would like to tame the beast.

```
karmic / # emerge --info
Portage 2.1.9.24 (hardened/linux/x86, gcc-4.5.1, glibc-2.12.1-r3, 2.6.31-19-generic-pae i686)
=================================================================
System uname: Linux-2.6.31-19-generic-pae-i686-Intel-R-_Core-TM-2_Duo_CPU_E6550_@_2.33GHz-with-gentoo-2.0.1
Timestamp of tree: Tue, 23 Nov 2010 13:15:03 +0000
ccache version 3.1.1 [disabled]
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r2
dev-lang/python:     2.6.6-r1, 3.1.2-r4
dev-util/ccache:     3.1.1
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1-r1
sys-apps/openrc:     0.6.5
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.68
sys-devel/automake:  1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.5, 4.5.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.4
sys-devel/make:      3.82
virtual/os-headers:  2.6.36 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA dlj-1.1 Attica"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=core2 -fomit-frame-pointer -pipe -O2 -mno-tls-direct-seg-refs"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/libvirt/libvirtd.conf /etc/xen/xend-config.sxp /etc/xen/xm-xonfig.sxp /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-march=core2 -fomit-frame-pointer -pipe -O2 -mno-tls-direct-seg-refs"
DISTDIR="/mnt/gentoo/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=5 --load-average=3.4"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages multilib-strict news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.swin.edu.au/gentoo/ ftp://mirror.pacific.net.au/linux/Gentoo ftp://mirror.isp.net.au/pub/gentoo/  http://mirror.isp.net.au/pub/gentoo/ http://mirror.averse.net/pub/gentoo/"
LANG="en_AU.UTF-8"
LDFLAGS="-Wl,-O2,--as-needed"
LINGUAS="en"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp/portage"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.au.gentoo.org/gentoo-portage"
USE="(-altivec) (-aqua) (-cman) (-corefonts%*) (-cups) (-debug%) (-doc%) (-faad%) (-fixed-point) (-gallium) (-gold%) (-google-gadgets) (-hardened) (-iceweasel%) (-introspection) (-ioctl) (-kdeenablefinal) (-kdeprefix) (-libffi) (-libsigsegv%) (-mozdevelop%) (-multilib) (-n32) (-n64) (-nocxx%) (-one%) (-pango%) (-pkcs11%) (-ppcsha1) (-ps3) (-python%*) (-real) (-seamonkey%) (-selinux) (-smartcard%) (-sqlite%) (-uclibc) (-vdpau) (-vfs-compat%*) (-vis) (wide-unicode) 3dnowext X a5 aac acl acpi aio alsa apm armeb arts audiofile avi bash-completion berkdb blksha1 bluetooth bmp bzip2 bzip2%* cairo cairo%* cdparanoia cdr cli client%* consolekit corefonts cpudetection cracklib cris crypt css ctype cups cups%* cxx cxx%* dba dbmaker dbus dga dhcp dri dts dv dvd dvdread encode esd eselect ethereal exif extras fam fbcon ffmpeg fftw fftw* firefox flac fortran ftp fts3 gdbm gif gnome gnutls gphoto gpm gprof gstreamer gtk gtk%* gtk2 hal hal%* handbook hardcoded-tables http%* i386 iconv imagemagick inifile ioctl ipc ipc%* java jpeg kde kontact ladcca lcms lcms* ldap libg++ libnotify libvirtd lm_sensors lxc m3 mad mbox mdev%* microblaze mime mips64 mips64el mipsel mmap mmxext mng modplug modules mono mozilla mp3 mpeg msn mudflap musepack mysql ncurses net netapi network nls nptl nptlonly ogg openal opengl openmp oss pam pcre perl perl%* pm-utils png png%* pnp posix ppc64abi32 ppcemb pppd python qdbm qt qt3support qt4 quicktime readline ruby samba sasl sasl% sasl%* scanner sdl semantic-desktop server%* session sh4 sh4eb shared slp smbclient sndfile sockets source sparc32plus sparc64 spell sql sqlite sse sse2 ssl ssse3 startup-notification static-libs static-libs%* svg svga svgtruetype sysfs tcpd theora threads tiff truetype udev udev%* urandom usb v4l videos vorbis webdav webkit webkit* websockets wifi wifi%* win32codecs x264 x86 x86_64 xcb xcb* xen xen* xine xinerama xml xml2 xorg xulrunner xv xvid zlib" ALSA_CARDS="snd_hda_intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" PHP_TARGETS="php5-2" QEMU_SOFTMMU_TARGETS="arm cris i386 m68k microblaze mips mips64 mips64el mipsel ppc ppc64 ppcemb sh4 sh4eb sparc sparc64 x86_64" QEMU_USER_TARGETS="alpha arm armeb cris i386 m68k microblaze mips mipsel ppc ppc64 ppc64abi32 sh4 sh4eb sparc sparc32plus sparc64 x86_64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev nouveau vesa v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

Hmmm, it's picked up the running kernel in karmic, which was somewhat an accident.  Just consider,

```
karmic / # ls /boot
-2.6.34-zen1                  fbsplash-gentoo-1600x1200         kernel-2.6.36-hardened-r2
boot                          fbsplash-livecd-2007.0-1024x768   kernel-2.6.36-tuxonice
config-2.6.31-gentoo-r6       fbsplash-livecd-2007.0-1600x1200  kernel-2.6.37-rc2
config-2.6.34-hardened-r1     fbsplash-Morphix-1024x768         mbr
config-2.6.34-hardened-r6     fbsplash-ThinkLinux-1024x768      old
config-2.6.34-zen1            grub                              spare
config-2.6.35                 initrd.img-2.6.34-hardened-r1     System.map-2.6.34-gentoo-r1
config-2.6.35-gentoo          initrd.img-2.6.34-zen1            System.map-2.6.34-hardened-r6
config-2.6.35-zen2            initrd.img-2.6.35-gentoo          System.map-2.6.35-zen2
config-2.6.35-zen2-test       kernel-2.6.34-hardened-r1         System.map-2.6.36
config-2.6.36                 kernel-2.6.34-hardened-r6         System.map-2.6.36-gentoo-r1
config-2.6.36-gentoo-r1       kernel-2.6.34-zen1                System.map-2.6.36-hardened-r2
config-2.6.36-hardened-r2     kernel-2.6.35                     System.map-2.6.36-tuxonice
config-2.6.36-tuxonice        kernel-2.6.35-gentoo              System.map-2.6.37-rc2
config-2.6.37-rc2             kernel-2.6.35-zen2                System.mapg-2.6.35-gentoo
fbsplash-DebBlue-1024x768     kernel-2.6.35-zen2-test           xen
fbsplash-DebBlue-1600x1200    kernel-2.6.36
fbsplash-Emergance-1600x1200  kernel-2.6.36-gentoo-r1
```

and there are more under /old

Now this is genny.  I also have 

```
karmic / # ls -ld /mnt/gentoo64/
drwxr-xr-x 2 root root 48 Jan 19  2010 /mnt/gentoo64/
```

From here I have to reboot into gentoo64 or any 64 system to chroot to get the emerge info, but I wouldn't think it's required. This 32 genny has already had the profile set to hardened, and updated & recompiled world & recompiled system with the hardened profile. However, you have introduced another clue as to what is probably lacking.

 *Quote:*   

> ali3n@gateway ~ $ gcc-config -l
> [1] x86_64-pc-linux-gnu-4.4.4 *
> ...

```
karmic / # gcc-config -l
 [1] i686-pc-linux-gnu-4.4.5
 [2] i686-pc-linux-gnu-4.5.1 *
```

The timing is fortunate. I have just switched to the newer gcc, but have not yet used it and was just about to. So how do I invoke a hardened profile on a gcc? I was hoping this would occur by the recompiling under the hardened profile to invoke it. Clearly not so, since you have created your 3 types of hardened gcc profile.

Up to this point, the system, whether stable or testing or unstable, has never been an issue, so I know little re its implication. It's never come up.

ali3nx

you're giving me epilepsy again & you have disappeared on me. I made a breakthrough, you'll be happy to know I'm sure.

It appears that the policy clobbered emerge by clobbering the user. It took until now to actually resume the emerge as -a admin, didn't think of it before. So the question now is how to make the policy that allows a user to emerge, but then, as long as I can do it as admin, at least I can, but I'm sure the idea is to delineate roles and access of applications to selected users.

Shall keep at it, needed that breakthrough.

Await next.
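For readers following this thread, here is an added illustration of the role, subject and object layout of /etc/grsec/policy that idella4's first post describes, and of why emerge only worked again after authenticating with gradm -a admin. It is not from this thread or from the grsec or Gentoo documentation; the paths come from the emerge --info above (PORTDIR=/usr/portage, PORTAGE_TMPDIR=/var/tmp/portage), while the role name pkg, its object list and the capability choices are assumptions, and the remark about CAP_SETUID is an inference from the sudo error shown earlier rather than something the thread confirms.

```text
# Added illustration of the /etc/grsec/policy layout (not from this thread or
# from the grsec/Gentoo docs).  The role name "pkg", its object list and the
# capability choices are assumptions; check with "gradm -C" before "gradm -E".

# Unrestricted admin role, entered with "gradm -a admin".  Keeping it is what
# lets you recover with "gradm -D" when a learned policy locks a user out.
role admin sA
subject / rvka
    /                       rwcdmlxi

# Role every process lands in until it authenticates to a special role.
# The G flag lets gradm itself be run from here.  With -CAP_ALL, a root
# process in this role has no CAP_SETUID, which would explain sudo's
# "setresuid(...): Operation not permitted" seen in the thread (inference).
role default G
role_transitions admin pkg
subject /
    /                       r
    /bin                    rx
    /sbin                   rx
    /lib                    rx
    /usr                    rx
    /home                   rwxcd
    /tmp                    rwcdl
    /etc/grsec              h
    /dev/grsec              h
    -CAP_ALL
    bind    disabled
    connect disabled

# Special role for package management, entered with "gradm -a pkg".  It may
# write wherever Portage needs (PORTDIR=/usr/portage, PORTAGE_TMPDIR=
# /var/tmp/portage and the live filesystem at merge time), but the RBAC
# policy itself stays hidden so a build script cannot read or rewrite it.
role pkg sG
subject /
    /                       rwcdmlxi
    /etc/grsec              h
    /dev/grsec              h
    -CAP_SYS_MODULE
    -CAP_SYS_RAWIO
```

The learning run described in the thread only records what it sees, so a policy generated while emerge was idle will not contain the /var/tmp/portage access that the traceback above was denied; a dedicated role like pkg is one way to grant it without widening the default role.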

----------

