# [Solved]Grsec: There were 1 holes found in your RBAC conf...

## bedtime

I'm trying to set up my RBAC configuration. I am able to activate learn mode and stop it, but upon trying to enable gradm with 'gradm -E' I get the message:

```
There were 1 holes found in your RBAC configuration.
```

I tried removing the profile file in /etc/grsec/ as this seemed to work for another member on this board, but it did not work for me.

Here is what I'm doing:

```
tux grsec # gradm -F -L /etc/grsec/learning.log
```

I open thunderbird and check my mail.

I open a terminal and run 'top.'

I open a document in libreoffice.

I open thunar and open an image in feh.

And then I execute:

```
tux grsec # gradm -F -L /etc/grsec/learning.log
tux grsec # gradm -D
Password: 
tux grsec # gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Beginning full learning subject reduction for user polkitd...done.
Beginning full learning subject reduction for user messagebus...done.
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user andre...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /usr/bin/dbus-daemon...done.
Beginning full learning object reduction for subject /usr/libexec/dbus-daemon-launch-helper...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/bash...done.
Beginning full learning object reduction for subject /bin/busybox...done.
Beginning full learning object reduction for subject /bin/login...done.
Beginning full learning object reduction for subject /bin/nano...done.
Beginning full learning object reduction for subject /bin/rm...done.
Beginning full learning object reduction for subject /bin/sed...done.
Beginning full learning object reduction for subject /etc/init.d...done.
Beginning full learning object reduction for subject /sbin/agetty...done.
Beginning full learning object reduction for subject /sbin/init...done.
Beginning full learning object reduction for subject /sbin/openrc...done.
Beginning full learning object reduction for subject /sbin/shutdown...done.
Beginning full learning object reduction for subject /sbin/udevd...done.
Beginning full learning object reduction for subject /usr/lib64/ConsoleKit/ck-collect-session-info...done.
Beginning full learning object reduction for subject /usr/lib64/ConsoleKit/ck-remove-directory...done.
Beginning full learning object reduction for subject /usr/lib64/ConsoleKit/run-session.d/pam-foreground-compat.ck...done.
Beginning full learning object reduction for subject /usr/lib64/ConsoleKit/udev-acl...done.
Beginning full learning object reduction for subject /usr/libexec/udisks2/udisksd...done.
Beginning full learning object reduction for subject /usr/sbin/console-kit-daemon...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/hostname...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /usr/bin/Xorg...done.
Beginning full learning object reduction for subject /usr/bin/ck-launch-session...done.
Beginning full learning object reduction for subject /usr/bin/fusermount...done.
Beginning full learning object reduction for subject /usr/bin/irssi...done.
Beginning full learning object reduction for subject /usr/bin/thunar...done.
Beginning full learning object reduction for subject /usr/bin/tint2...done.
Beginning full learning object reduction for subject /usr/bin/top...done.
Beginning full learning object reduction for subject /usr/lib64/ConsoleKit/ck-remove-directory...done.
Beginning full learning object reduction for subject /usr/lib64/firefox/firefox...done.
Beginning full learning object reduction for subject /usr/lib64/libreoffice/program/oosplash...done.
Beginning full learning object reduction for subject /usr/lib64/libreoffice/program/soffice.bin...done.
Beginning full learning object reduction for subject /usr/lib64/thunderbird/thunderbird...done.
Beginning full learning object reduction for subject /usr/libexec/dconf-service...done.
Beginning full learning object reduction for subject /usr/libexec/gnome-pty-helper...done.
Beginning full learning object reduction for subject /usr/libexec/gvfs-udisks2-volume-monitor...done.
Beginning full learning object reduction for subject /usr/libexec/gvfsd-metadata...done.
Full learning complete.
tux grsec # mv /etc/grsec/learning.roles /etc/grsec/policy
tux grsec # chmod 0600 /etc/grsec/policy
```

At this point, if I did everything correctly (which I obviously have not) then I should be able to activate gradm:

```
tux grsec # gradm -E
Viewing access is allowed by role root to /etc/grsec, the directory which stores RBAC policies and RBAC password information.
Warning: permission for symlink /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda4/subsystem in role andre, subject /usr/libexec/gvfsd-metadata does not match that of its matching target object /sys.  Symlink is specified on line 1563 of /etc/grsec/policy.
Warning: permission for symlink /sys/dev/block/8:4 in role andre, subject /usr/libexec/gvfsd-metadata does not match that of its matching target object /sys.  Symlink is specified on line 1562 of /etc/grsec/policy.
Warning: permission for symlink /proc/self in role andre, subject /usr/libexec/gvfs-udisks2-volume-monitor does not match that of its matching target object /proc.  Symlink is specified on line 1530 of /etc/grsec/policy.
Warning: permission for symlink /sys/devices/pci0000:00/0000:00:02.0/subsystem in role andre, subject /usr/lib64/thunderbird/thunderbird does not match that of its matching target object /sys.  Symlink is specified on line 1417 of /etc/grsec/policy.
Warning: permission for symlink /sys/devices/pci0000:00/0000:00:02.0/subsystem in role andre, subject /usr/lib64/libreoffice/program/soffice.bin does not match that of its matching target object /sys.  Symlink is specified on line 1344 of /etc/grsec/policy.
Warning: permission for symlink /proc/self in role andre, subject /usr/bin/thunar does not match that of its matching target object /proc.  Symlink is specified on line 1100 of /etc/grsec/policy.
Warning: permission for symlink /etc/mtab in role andre, subject /usr/bin/fusermount does not match that of its matching target object /proc.  Symlink is specified on line 995 of /etc/grsec/policy.
Warning: permission for symlink /sys/dev/block/8:4 in role andre, subject / does not match that of its matching target object /sys.  Symlink is specified on line 835 of /etc/grsec/policy.
Warning: permission for symlink /proc/self in role andre, subject / does not match that of its matching target object /proc.  Symlink is specified on line 830 of /etc/grsec/policy.
Warning: permission for symlink /dev/disk/by-uuid/becb2a0d-5220-4956-af37-49259a312fb5 in role root, subject /sbin/udevd does not match that of its matching target object /dev/sda3.  Symlink is specified on line 555 of /etc/grsec/policy.
Warning: permission for symlink /dev/disk/by-partuuid/cf099461-61d5-4bab-a54c-34c635191ddd in role root, subject /sbin/udevd does not match that of its matching target object /dev/sda3.  Symlink is specified on line 553 of /etc/grsec/policy.
Warning: permission for symlink /dev/disk/by-partlabel/swap in role root, subject /sbin/udevd does not match that of its matching target object /dev/sda3.  Symlink is specified on line 551 of /etc/grsec/policy.
Warning: permission for symlink /dev/disk/by-id/wwn-0x6160467386337087488x-part3 in role root, subject /sbin/udevd does not match that of its matching target object /dev/sda3.  Symlink is specified on line 549 of /etc/grsec/policy.
Warning: permission for symlink /dev/disk/by-id/ata-ST320LT020-9YG142_W04B36WM-part3 in role root, subject /sbin/udevd does not match that of its matching target object /dev/sda3.  Symlink is specified on line 548 of /etc/grsec/policy.
Warning: permission for symlink /dev/block/8:3 in role root, subject /sbin/udevd does not match that of its matching target object /dev/sda3.  Symlink is specified on line 544 of /etc/grsec/policy.
There were 1 holes found in your RBAC configuration.  These must be fixed before the RBAC system will be allowed to be enabled.
```

I'm not sure what I'm doing wrong here. It says that the system should be used for a day to be properly done, but I'm unwilling to waste a day to have the same error.

I also tried in /etc/grsec/:

```
tux grsec # ls
learn_config  learning.log  policy  pw
tux grsec # cat learn
learn_config  learning.log  
tux grsec # cat learn-config
cat: learn-config: No such file or directory
tux grsec # cd learn-config
bash: cd: learn-config: No such file or directory
tux grsec # rm learn-config
rm: cannot remove 'learn-config': No such file or directory
tux grsec # 
```

Any suggestions?

*** Solved ***

Here is what worked for me:

```
# emerge --ask --unmerge sys-apps/gradm
```

```
# rm /etc/grsec/learn-config
# rm /etc/grsec/learning.log
# rm /etc/grsec/policy
```

```
emerge --ask --verbose emerge --ask sys-apps/gradm
```

And I just repeated the steps as stated in:

https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart#Working_with_gradm

Hope that helps somebody else!
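As an added example (not part of the post above, and not gradm's own tooling): the `gradm -E` output quoted earlier lists fifteen symlink/target permission-mismatch warnings, each pointing at a line in `/etc/grsec/policy`, followed by the hole count that blocks enabling. When a learned policy has hundreds of lines, it helps to pull those warnings into structured records and group the policy line numbers per role and subject, so each symlink line can be compared against the object line for its target. The script below does that over a sample built from the warning lines quoted in the post. It assumes only the exact wording gradm printed in this thread; the warnings themselves are not necessarily the "hole", which gradm does not identify in the quoted output, so the script only organizes what was printed.

```python
"""Triage helper for `gradm -E` output.

Pulls each "permission for symlink ... does not match ..." warning and the
closing hole count into structured records, then groups the policy line
numbers to inspect per (role, subject).

Assumption (not from the original post): the warning wording is exactly the
one printed in the thread above. Nothing here talks to gradm itself.
"""
import re
from collections import defaultdict

WARNING_RE = re.compile(
    r"^Warning: permission for symlink (?P<symlink>\S+) in role (?P<role>\S+), "
    r"subject (?P<subject>\S+) does not match that of its matching target object "
    r"(?P<target>\S+)\.\s+Symlink is specified on line (?P<line>\d+) of "
    r"(?P<policy>\S+)\.$"
)
HOLES_RE = re.compile(r"^There were (?P<count>\d+) holes? found in your RBAC configuration\.")

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_OUTPUT = """\
Viewing access is allowed by role root to /etc/grsec, the directory which stores RBAC policies and RBAC password information.
Warning: permission for symlink /sys/dev/block/8:4 in role andre, subject /usr/libexec/gvfsd-metadata does not match that of its matching target object /sys.  Symlink is specified on line 1562 of /etc/grsec/policy.
Warning: permission for symlink /proc/self in role andre, subject /usr/bin/thunar does not match that of its matching target object /proc.  Symlink is specified on line 1100 of /etc/grsec/policy.
Warning: permission for symlink /etc/mtab in role andre, subject /usr/bin/fusermount does not match that of its matching target object /proc.  Symlink is specified on line 995 of /etc/grsec/policy.
Warning: permission for symlink /dev/disk/by-partlabel/swap in role root, subject /sbin/udevd does not match that of its matching target object /dev/sda3.  Symlink is specified on line 551 of /etc/grsec/policy.
Warning: permission for symlink /dev/block/8:3 in role root, subject /sbin/udevd does not match that of its matching target object /dev/sda3.  Symlink is specified on line 544 of /etc/grsec/policy.
There were 1 holes found in your RBAC configuration.  These must be fixed before the RBAC system will be allowed to be enabled.
"""


def parse_gradm_output(text):
    """Return (warnings, holes).

    warnings: list of dicts with symlink, role, subject, target, line, policy.
    holes: the count from the summary line, or None if gradm printed none
           (gradm prints no summary when the policy loads cleanly).
    """
    warnings, holes = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = WARNING_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            warnings.append(rec)
            continue
        m = HOLES_RE.match(line)
        if m:
            holes = int(m.group("count"))
    return warnings, holes


def group_by_subject(warnings):
    """Map (role, subject) -> sorted policy line numbers to review together."""
    grouped = defaultdict(list)
    for w in warnings:
        grouped[(w["role"], w["subject"])].append(w["line"])
    return {key: sorted(lines) for key, lines in grouped.items()}


def targets_per_role(warnings):
    """Map role -> set of target objects the mismatched symlinks resolve to.

    Each symlink line should end up with the same mode as the object line
    for its target, so this is the list of object lines to look up.
    """
    targets = defaultdict(set)
    for w in warnings:
        targets[w["role"]].add(w["target"])
    return dict(targets)


def can_enable(holes):
    """gradm refuses to enable while the hole count is non-zero."""
    return holes in (None, 0)


def report(text):
    """Human-readable summary of one `gradm -E` run."""
    warnings, holes = parse_gradm_output(text)
    out = [f"{len(warnings)} symlink warning(s); holes reported: {holes}"]
    for (role, subject), lines in sorted(group_by_subject(warnings).items()):
        out.append(f"  role {role:<8} subject {subject:<32} policy lines {lines}")
    out.append("enable possible: %s" % ("yes" if can_enable(holes) else "no"))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

To use it on a live system, pipe the real output in (`gradm -E 2>&1 | python3 triage.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`); the grouped line numbers are what to open in `/etc/grsec/policy` next.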

----------

## bedtime

Firstly, my last post has a mistake in it:

 *Quote:*   

> ```
> emerge --ask --verbose emerge --ask sys-apps/gradm
> ```
> ...

...and it should be:

```
emerge --ask sys-apps/gradm
```

I switched my gcc config to 'i686-pc-linux-gnu-4.5.3-hardenednopiessp,' and I'm not exactly sure if that was the right choice (if anyone knows, please fill me in), but upon running an 'emerge --emptytree --verbose @world,' the system wanted to update 500+ files.

Is this normal?

I followed the directions below, with the exception that I compiled the kernel first, not last, as the instructions said:

https://wiki.gentoo.org/wiki/Hardened_Gentoo

All-in-all, the system is working great, and I am able to run gradm just fine.

----------

## Hu

That is definitely not the right gcc.  First, it turns off two useful hardening features.  Second, there is no way that a current system should still have that gcc version available.  Please post the output of emerge --info ; gcc-config -l ; binutils-config -l ; eselect kernel list.

----------

## bedtime

 *Hu wrote:*   

> That is definitely not the right gcc.  First, it turns off two useful hardening features.  Second, there is no way that a current system should still have that gcc version available.  Please post the output of emerge --info ; gcc-config -l ; binutils-config -l ; eselect kernel list.

I think it's the old config from when I first installed the system.

Here is the info:

```
@tux ~ $ emerge --info
Portage 2.3.5 (python 3.4.5-final-0, hardened/linux/amd64, gcc-5.4.0, glibc-2.23-r3, 4.8.17-hardened-r2-gnu x86_64)
=================================================================
System uname: Linux-4.8.17-hardened-r2-gnu-x86_64-Intel-R-_Core-TM-_i3-3120M_CPU_@_2.50GHz-with-gentoo-2.3
KiB Mem:     3745768 total,    862904 free
KiB Swap:     524284 total,    523940 free
Timestamp of repository gentoo: Mon, 22 May 2017 12:00:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.24.1-r1::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.26.2::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.15-r2::gentoo
sys-devel/binutils:       2.26.1::gentoo
sys-devel/gcc:            5.4.0-r3::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r3::gentoo
Repositories:
gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=ivybridge -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=ivybridge -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirrors.telepoint.bg/gentoo/ http://mirror.dkm.cz/gentoo/ https://mirror.dkm.cz/gentoo/ http://gentoo.mirror.web4u.cz/ http://trumpetti.atm.tut.fi/gentoo/ http://gentoo.modulix.net/gentoo/ http://gentoo.mirrors.ovh.net/gentoo-distfiles/ http://mirrors.soeasyto.com/distfiles.gentoo.org/ http://mirror.netcologne.de/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://ftp.halifax.rwth-aachen.de/gentoo/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/ http://files.gentoo.gr http://ftp.ntua.gr/pub/linux/gentoo/"
LANG="en_US"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X acl alsa amd64 berkdb bzip2 cli consolekit cracklib crypt cxx dbus deblob dri gdbm hardened hwaccel iconv ipv6 justify modules multilib ncurses nls nptl openmp pam pax_kernel pcre pie readline seccomp session ssl ssp svg symlink tcpd unicode urandom xattr xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2 mmxext" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21 ruby22" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
```

```
gcc-config -l
 [1] x86_64-pc-linux-gnu-5.4.0 *
 [2] x86_64-pc-linux-gnu-5.4.0-hardenednopie
 [3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp
 [4] x86_64-pc-linux-gnu-5.4.0-hardenednossp
 [5] x86_64-pc-linux-gnu-5.4.0-vanilla
```

I should add that I selected and used option [1], which I found out has pie and ssp, after having found out what they do.

```
binutils-config -l
 [1] x86_64-pc-linux-gnu-2.26.1l
```

```
eselect kernel list
Available kernel symlink targets:
  [1]   linux-4.8.17-hardened-r2 *
  [2]   linux-4.9.16-gentoo
```

[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]

----------

## Hu

That output is inconsistent with your earlier post.  I responded because you mentioned gcc-4.5.3, which is severely outdated.  Your most recent output mentions gcc-5.4.0, which is reasonably current.  All your other output looks similarly current and correct.  Did the bulk rebuild really move you from gcc-4.5.3 to gcc-5.4.0 or was that a typo earlier?

----------

## bedtime

 *Hu wrote:*   

> That output is inconsistent with your earlier post.  I responded because you mentioned gcc-4.5.3, which is severely outdated.  Your most recent output mentions gcc-5.4.0, which is reasonably current.  All your other output looks similarly current and correct.  Did the bulk rebuild really move you from gcc-4.5.3 to gcc-5.4.0 or was that a typo earlier?

All I know is that I copied it from the terminal to the post, so it's likely to be correct, but it is now running and compiling hardened without error, so whatever it was, it seems to be working fine. Perhaps something was holding it back?

Does seem like a huge jump though.

----------

