# /dev/grsec is missing

## KintaroBC

I am having problems using gradm, because /dev/grsec is missing.

It appears if I use udev, but that causes other problems, such as /dev/pts not working for mysterious reasons.

I haven't made a device node in a long time, so I'm not sure how to create /dev/grsec myself. There must be something I've missed in the Hardened Gentoo documentation, though I can't find much on Google that is any help.

I managed to create the device node but it just disappeared after gradm -E was used.

```

gentoo ~ # mknod -m 500 /dev/grsec c 1 13

gentoo ~ # gradm -P

Setting up grsecurity RBAC password

Password: 

Re-enter Password: 

Password written to /etc/grsec/pw.

gentoo ~ # gradm -E

No password exists for special role admin.

Run gradm -P admin to set up a password for the role.

gentoo ~ # gradm -P admin

Setting up password for role admin

Password: 

Re-enter Password: 

Password written to /etc/grsec/pw.

gentoo ~ # gradm -E

gentoo ~ # gradm -F -L /etc/grsec/learning.log

Could not open /dev/grsec.

open: Permission denied

gentoo ~ # mknod -m 500 /dev/grsec c 1 13

mknod: ‘/dev/grsec’: No such file or directory

```

This is very strange; why isn't any of this documented?

Last edited by KintaroBC on Mon Feb 17, 2014 7:26 pm; edited 1 time in total

----------

## KintaroBC

I've got some more information: after a reboot /dev/grsec was there. Upon running gradm -E, an error appears in /var/log/messages and numerous things break.

```

Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0

```

Some programs work after this, some don't. I noticed dmesg doesn't work.

```

Feb 16 22:41:11 gentoo kernel: [  675.264164] grsec: From 192.168.0.3: (default:D:/) use of CAP_SYSLOG denied for /bin/dmesg[dmesg:3316] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0

```

It seems grsec is denying gradm.

Last edited by KintaroBC on Mon Feb 17, 2014 7:25 pm; edited 1 time in total

----------

## John R. Graham

Moved from Kernel & Hardware to Networking & Security as requested by the OP.

- John

----------

## KintaroBC

This is very strange: I've just noticed that after I've run "gradm -E", /etc/grsec ends up missing, along with lots of other stuff. I really need help here; there is nothing on the Grsecurity2 page on the Wiki that explains any of this.

I tried adding /sbin/gradm to /etc/grsec/policy, but I get errors, and I think I need to do more than this. It stands to reason that the default policy at this point is broken.

```

subject /sbin/gradm
        # NOTE(review): this stanza is added under "role default", the role whose
        # $grsec_denied list hides /etc/grsec and /dev/grsec (mode "h"). Granting
        # rw on /etc/grsec plus CAP_DAC_OVERRIDE to gradm here loosens the default
        # role; the policy's own comments ("gradm -u" after restarting a service)
        # suggest gradm is meant to be driven from the admin role instead -- confirm.

        /etc/grsec rw

        +CAP_DAC_OVERRIDE


```

It says the subject is a duplicate, but I'm really not sure why, considering I've searched for /sbin/gradm in there and found nothing. Some other subject must apply to the file, but I have no idea which one.

Here is /etc/grsec/policy

```

define grsec_denied {

        /boot           h

        /dev/grsec      h

        /dev/kmem       h

        /dev/mem        h

        /dev/port       h

        /etc/grsec      h

        /proc/kcore     h

        /proc/slabinfo  h

        /proc/modules   h

        /proc/kallsyms  h

        # hide and suppress logs about accessing this path

        /lib/modules    hs

        /lib32/modules  hs

        /lib64/modules  hs

        /etc/ssh        h

}

# usage:

# $grsec_denied

role shutdown sARG

subject / rvka

        /

        /dev

        /dev/urandom    r

        /dev/random     r

        /etc            r

        /bin            rx

        /sbin           rx

        /lib            rx

        /lib32          rx

        /libx32         rx

        /lib64          rx

        /usr            rx

        /proc r

        $grsec_denied

        -CAP_ALL

        connect disabled

        bind disabled

subject /sbin/init rvkao

        / rwcdmlxi

subject /sbin/halt rvkao

        / rwcdmlxi

        /dev/initctl rwf

        /run/initctl rwf

subject /sbin/shutdown rvkao

        / rwcdmlxi

        /dev/initctl rwf

        /run/initctl rwf

# Make sure to unauthenticate with gradm -u from

# the admin role after restarting a service

# The service started will run with admin

# privileges until you run gradm -u or your shell exits

role admin sA

subject / rvka

        / rwcdmlxi

role default G

role_transitions admin shutdown

subject /

        /               r

        /opt            rx

        /home           rwxcd

        /mnt            rw

        /dev

        /dev/urandom    r

        /dev/random     r

        /dev/zero       rw

        /dev/input      rw

        /dev/psaux      rw

        /dev/null       rw

        /dev/tty?       rw

        /dev/console    rw

        /dev/tty        rw

        /dev/pts        rw

        /dev/ptmx       rw

        /dev/dsp        rw

        /dev/mixer      rw

        /dev/initctl    rw

        /dev/fd0        r

        /dev/cdrom      r

        /bin            rx

        /sbin           rx

        /lib            rx

        /lib32          rx

        /libx32         rx

        /lib64          rx

        /usr            rx

# compilation of kernel code should be done within the admin role

        /usr/src        h

        /etc            rx

        /proc           rwx

        /proc/sys       r

        /sys            h

        /root           r

        /run            r

        /tmp            rwcd

        /var            rwxcd

        /var/tmp        rwcd

        /var/log        r

# hide the kernel images and modules

        $grsec_denied

# if sshd needs to be restarted, it can be done through the admin role

# restarting sshd should be followed immediately by a gradm -u

        /usr/sbin/sshd

        -CAP_KILL

        -CAP_SYS_TTY_CONFIG

        -CAP_LINUX_IMMUTABLE

        -CAP_NET_RAW

        -CAP_MKNOD

        -CAP_SYS_ADMIN

        -CAP_SYS_RAWIO

        -CAP_SYS_MODULE

        -CAP_SYS_PTRACE

        -CAP_NET_ADMIN

        -CAP_NET_BIND_SERVICE

        -CAP_NET_RAW

        -CAP_SYS_CHROOT

        -CAP_SYS_BOOT

        -CAP_SETFCAP

        -CAP_SYSLOG

#       RES_AS 100M 100M

#       connect 192.168.1.0/24:22 stream tcp

#       bind    0.0.0.0 stream dgram tcp udp

# the d flag protects /proc fd and mem entries for sshd

# all daemons should have 'p' in their subject mode to prevent

# an attacker from killing the service (and restarting it with trojaned

# config file or taking the port it reserved to run a trojaned service)

subject /usr/sbin/sshd dpo

        /

        /*              h

        /bin/bash       x

        /dev            h

        /dev/log        rw

        /dev/random     r

        /dev/urandom    r

        /dev/null       rw

        /dev/ptmx       rw

        /dev/pts        rw

        /dev/tty        rw

        /dev/tty?       rw

        /etc            r

        /etc/grsec      h

        /home

        /home/*/.ssh/authorized_keys r

        /lib            rx

        /lib32          rx

        /libx32         rx

        /lib64          rx

        /root

        /proc           r

        /proc/*/oom_adj rw

        /proc/kcore     h

        /proc/sys       h

        /proc/sys/kernel/ngroups_max r

        /selinux        r

        /usr/lib        rx

        /usr/lib32      rx

        /usr/libx32     rx

        /usr/lib64      rx

        /usr/share/zoneinfo r

        /var/log

        /var/mail

        /var/log/lastlog        rw

        /var/log/wtmp           w

        /var/run

        /run

        /var/run/sshd

        /var/run/utmp           rw

        /var/run/utmpx          rw

        /var/run/.nscd_socket   rw

        -CAP_ALL

        +CAP_CHOWN

        +CAP_SETGID

        +CAP_SETUID

        +CAP_SYS_CHROOT

        +CAP_SYS_RESOURCE

        +CAP_SYS_TTY_CONFIG

        +CAP_AUDIT_WRITE

        # to access user keys

        +CAP_DAC_OVERRIDE

subject /usr/X11R6/bin/Xorg

        /dev/mem        rw

        +CAP_SYS_ADMIN

        +CAP_SYS_TTY_CONFIG

        +CAP_SYS_RAWIO

subject /usr/X11R6/bin/XFree86

        /dev/mem        rw

        +CAP_SYS_ADMIN

        +CAP_SYS_TTY_CONFIG

        +CAP_SYS_RAWIO

        -PAX_SEGMEXEC

        -PAX_PAGEEXEC

        -PAX_MPROTECT

subject /usr/bin/ssh

        /etc/ssh/ssh_config r

subject /usr/bin/postgres

        /dev/log rw

subject /usr/bin/exim

        /dev/log rw

subject /sbin/klogd

        +CAP_SYS_ADMIN

subject /sbin/syslog-ng

        +CAP_SYS_ADMIN

subject /usr/sbin/rsyslogd

        +CAP_SYS_ADMIN

subject /usr/sbin/cron

        /dev/log rw

subject /usr/sbin/crond

        /dev/log rw

subject /bin/login

        /dev/log rw

        /var/log/wtmp w

        /var/log/faillog rwcd

subject /bin/su

        /dev/log rw

subject /usr/bin/sudo

        /dev/log rw

subject /sbin/getty

        /var/log/wtmp w

subject /sbin/init

        /var/log/wtmp w

subject /usr/bin/xauth

        /home r

        /home/*/.Xauthority-* rwcdl

subject /sbin/gradm
        # NOTE(review): added under "role default", where $grsec_denied above hides
        # /etc/grsec and /dev/grsec (mode "h") -- which is consistent with mknod
        # reporting "No such file or directory" for /dev/grsec once the policy is
        # enabled. Granting rw on /etc/grsec plus CAP_DAC_OVERRIDE to gradm in the
        # default role loosens that role; the comments above "role admin" indicate
        # administrative actions are meant to be done from the admin role and then
        # dropped with gradm -u -- confirm before keeping this stanza.

        /etc/grsec rw

        +CAP_DAC_OVERRIDE


# prevent ld.so breakouts of subjects with /lib rx

# many distros clutter up /lib with shell scripts

# that can be easily hijacked for malicious purposes

subject /lib o

        / h

        -CAP_ALL

        connect disabled

        bind disabled

subject /lib/ld-linux.so.2 o

        / h

        -CAP_ALL

        connect disabled

        bind disabled

subject /lib64/ld-linux-x86-64.so.2 o

        / h

        -CAP_ALL

        connect disabled

        bind disabled

```

It might all be related to the options I turned on when configuring the kernel.

```

CONFIG_GRKERNSEC=y

# CONFIG_GRKERNSEC_CONFIG_AUTO is not set

CONFIG_GRKERNSEC_CONFIG_CUSTOM=y

CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101

CONFIG_GRKERNSEC_KMEM=y

CONFIG_GRKERNSEC_IO=y

CONFIG_GRKERNSEC_PERF_HARDEN=y

CONFIG_GRKERNSEC_RAND_THREADSTACK=y

CONFIG_GRKERNSEC_PROC_MEMMAP=y

CONFIG_GRKERNSEC_BRUTE=y

CONFIG_GRKERNSEC_MODHARDEN=y

CONFIG_GRKERNSEC_HIDESYM=y

CONFIG_GRKERNSEC_KERN_LOCKOUT=y

# CONFIG_GRKERNSEC_NO_RBAC is not set

CONFIG_GRKERNSEC_ACL_HIDEKERN=y

CONFIG_GRKERNSEC_ACL_MAXTRIES=3

CONFIG_GRKERNSEC_ACL_TIMEOUT=60

CONFIG_GRKERNSEC_PROC=y

CONFIG_GRKERNSEC_PROC_USER=y

CONFIG_GRKERNSEC_PROC_ADD=y

CONFIG_GRKERNSEC_LINK=y

# CONFIG_GRKERNSEC_SYMLINKOWN is not set

CONFIG_GRKERNSEC_FIFO=y

CONFIG_GRKERNSEC_SYSFS_RESTRICT=y

# CONFIG_GRKERNSEC_ROFS is not set

CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y

CONFIG_GRKERNSEC_CHROOT=y

CONFIG_GRKERNSEC_CHROOT_MOUNT=y

CONFIG_GRKERNSEC_CHROOT_DOUBLE=y

CONFIG_GRKERNSEC_CHROOT_PIVOT=y

CONFIG_GRKERNSEC_CHROOT_CHDIR=y

CONFIG_GRKERNSEC_CHROOT_CHMOD=y

CONFIG_GRKERNSEC_CHROOT_FCHDIR=y

CONFIG_GRKERNSEC_CHROOT_MKNOD=y

CONFIG_GRKERNSEC_CHROOT_SHMAT=y

CONFIG_GRKERNSEC_CHROOT_UNIX=y

CONFIG_GRKERNSEC_CHROOT_FINDTASK=y

CONFIG_GRKERNSEC_CHROOT_NICE=y

CONFIG_GRKERNSEC_CHROOT_SYSCTL=y

CONFIG_GRKERNSEC_CHROOT_CAPS=y

CONFIG_GRKERNSEC_AUDIT_GROUP=y

CONFIG_GRKERNSEC_AUDIT_GID=100

CONFIG_GRKERNSEC_EXECLOG=y

CONFIG_GRKERNSEC_RESLOG=y

CONFIG_GRKERNSEC_CHROOT_EXECLOG=y

CONFIG_GRKERNSEC_AUDIT_PTRACE=y

CONFIG_GRKERNSEC_AUDIT_CHDIR=y

CONFIG_GRKERNSEC_AUDIT_MOUNT=y

CONFIG_GRKERNSEC_SIGNAL=y

CONFIG_GRKERNSEC_FORKFAIL=y

CONFIG_GRKERNSEC_TIME=y

CONFIG_GRKERNSEC_PROC_IPADDR=y

CONFIG_GRKERNSEC_RWXMAP_LOG=y

CONFIG_GRKERNSEC_DMESG=y

CONFIG_GRKERNSEC_HARDEN_PTRACE=y

CONFIG_GRKERNSEC_PTRACE_READEXEC=y

# CONFIG_GRKERNSEC_SETXID is not set

CONFIG_GRKERNSEC_TPE=y

CONFIG_GRKERNSEC_TPE_ALL=y

# CONFIG_GRKERNSEC_TPE_INVERT is not set

CONFIG_GRKERNSEC_TPE_GID=101

CONFIG_GRKERNSEC_RANDNET=y

CONFIG_GRKERNSEC_BLACKHOLE=y

CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y

# CONFIG_GRKERNSEC_SOCKET is not set

# CONFIG_GRKERNSEC_DENYUSB is not set

CONFIG_GRKERNSEC_SYSCTL=y

# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set

CONFIG_GRKERNSEC_SYSCTL_ON=y

# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set

CONFIG_GRKERNSEC_FLOODTIME=10

CONFIG_GRKERNSEC_FLOODBURST=6

```

----------

