"gradm -E" produced the following error:

Duplicate object found for "/lib64" in role default, subject /sbin/gradm, on line 123 of /etc/grsec/policy.
"/lib64" references the same object as the following object(s):
/lib
/lib64
specified on an earlier line. The RBAC system will not load until this error is fixed.

Reproducible: Always

Steps to Reproduce:
1. gradm -E
2.
3.

Expected Results:
"run gradm -P admin to...."

I have used hardened-dev-sources and used the following in /etc/make.conf:
CFLAGS="-march=k8 -pipe -O2 -fforce-addr"
USE="berkdb crypt hardened ncurses nls pam perl pie pic python tcltk readline ssl"

I tested gradm on an x86 also with hardened-dev-sources and the only thing I had to fix was /etc/security/paswd not being present.
This has nothing to do with keychain
Changing product to 'Gentoo Linux' and assigning to Gentoo/Hardened.
I have tried to change the same with a somewhat different setup:

emerge --info
Portage 2.0.51.22-r2 (default-linux/amd64/2005.1, gcc-3.4.4, glibc-2.3.5-r1, 2.6.11-hardened-r15 x86_64)
=================================================================
System uname: 2.6.11-hardened-r15 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.0_pre6
dev-lang/python: 2.3.5, 2.4.1-r1
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.18-r1
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=k8 -O2 -pipe -fPIC -fstack-protector"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mtune=k8 -O2 -pipe -fPIC -fstack-protector"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac aalib alsa audiofile avi berkdb bitmap-fonts cdparanoia cdr cdrom clamav cracklib crypt cups curl dts dvd dvdr eds encode esd fam fame foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 hardened imlib ipv6 jpeg kde lzw lzw-tiff mad mp3 mpeg ncurses nls opengl pam pam_chroot pam_console pam_timestamp pdflib perl pic png python qt quicktime readline sdl sndfile speex spell ssl tcpd tiff truetype-fonts type1-fonts usb userlocales xine xml xml2 xpm xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTDIR_OVERLAY

gradm -E now gives a segmentation fault.

gradm -F -L /etc/grsec/learning.log gives the following error message:

Duplicate object found for "/lib64" in role default, subject /sbin/gradm, on line 1 of (null).
"/lib64" references the same object as the following object(s):
/lib
/lib64
specified on an earlier line. The RBAC system will not load until this error is fixed.

I tweaked the default policy after being fed up with the error messages:

#role admin sA
#subject / rvka
#    / rwcdmlxi

#role default G
role_transitions admin
subject /
    / r
    /opt rx
    /home rwxcd
    /mnt rw
    /dev
    /dev/grsec h
    /dev/urandom r
    /dev/random r
    /dev/zero rw
    /dev/input rw
    /dev/psaux rw
    /dev/null rw
    /dev/tty0 rw
    /dev/tty1 rw
    /dev/tty2 rw
    /dev/tty3 rw
    /dev/tty4 rw
    /dev/tty5 rw
    /dev/tty6 rw
    /dev/tty7 rw
    /dev/tty8 rw
    /dev/console rw
    /dev/tty rw
    /dev/pts rw
    /dev/ptmx rw
    /dev/dsp rw
    /dev/mixer rw
    /dev/initctl rw
    /dev/fd0 r
    /dev/cdrom r
    /dev/mem h
    /dev/kmem h
    /dev/port h
    /bin rx
    /sbin rx
    # /lib rx
    /usr rx
    /usr rx
    /etc rx
    /proc rwx
    /proc/kcore h
    /proc/sys r
    /root r
    /tmp rwcd
    /var rwxcd
    /var/tmp rwcd
    /var/log r
    /boot r
    /etc/grsec h
    /etc/ssh h
    /usr/sbin/sshd
    -CAP_KILL
    -CAP_SYS_TTY_CONFIG
    -CAP_LINUX_IMMUTABLE
    -CAP_NET_RAW
    -CAP_MKNOD
    -CAP_SYS_ADMIN
    -CAP_SYS_RAWIO
    -CAP_SYS_MODULE
    -CAP_SYS_PTRACE
    -CAP_NET_ADMIN
    -CAP_NET_BIND_SERVICE
    -CAP_SYS_CHROOT
    -CAP_SYS_BOOT

subject /usr/sbin/sshd dpo
    / h
    /bin/bash x
    /dev h
    /dev/log rw
    /dev/random r
    /dev/urandom r
    /dev/null rw
    /dev/ptmx rw
    /dev/pts rw
    /dev/tty rw
    /dev/tty? rw
    /etc r
    /etc/grsec h
    /home
    # /lib rx
    /root
    /proc r
    /proc/kcore h
    /proc/sys h
    /usr/lib rx
    /usr/share/zoneinfo r
    /var/log
    /var/mail
    /var/log/lastlog rw
    /var/log/wtmp w
    /var/run/sshd
    /var/run/utmp rw
    -CAP_ALL
    +CAP_CHOWN
    +CAP_SETGID
    +CAP_SETUID
    +CAP_SYS_CHROOT
    +CAP_SYS_RESOURCE
    +CAP_SYS_TTY_CONFIG

subject /usr/X11R6/bin/XFree86
    /dev/mem rw
    +CAP_SYS_ADMIN
    +CAP_SYS_TTY_CONFIG
    +CAP_SYS_RAWIO

subject /usr/bin/ssh
    /etc/ssh/ssh_config r

subject /sbin/klogd
    +CAP_SYS_ADMIN

subject /usr/sbin/cron
    /dev/log rw
The same here on my system:

server linux-2.6.14-hardened-r3 # gradm -E
Duplicate object found for "/lib64" in role default, subject /sbin/gradm, on line 132 of /etc/grsec/policy.
"/lib64" references the same object as the following object(s):
/lib (due to symlinking/hardlinking)
/lib64 (due to symlinking/hardlinking)
specified on an earlier line. The RBAC system will not load until this error is fixed.

server linux-2.6.14-hardened-r3 # emerge --info
Portage 2.0.53 (hardened/amd64/multilib, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14-hardened-r3 x86_64)
=================================================================
System uname: 2.6.14-hardened-r3 x86_64 AMD Sempron(tm) Processor 2800+
Gentoo Base System version 1.6.13
ccache version 2.3 [enabled]
dev-lang/python: 2.3.5-r2, 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -pipe -march=k8"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -pipe -march=k8"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://pandemonium.tiscali.de/pub/gentoo/ http://ftp.du.se/pub/os/gentoo http://ftp.easynet.nl/mirror/gentoo/ http://gentoo.ynet.sk/pub http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ftp.lug.ro/gentoo/ http://gentoo.zie.pg.gda.pl http://mirror.switch.ch/mirror/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common -Wl,--strip-all"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acpi amd64 bash-completion bzip2 crypt cups hardened idn justify multilib ncurses nls nptl nptlonly pam perl pic python readline samba ssl tcpd udev unicode userlocales zlib linguas_de userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, PORTDIR_OVERLAY

Maybe it gets fixed within a year?!
This should already be fixed in upstream cvs. Next gradm should contain this fix.
Please reopen, if this is still an issue.
Same problem on a fresh installation of hardened-amd64-nomultilib.

alex@localhost ~ % sudo gradm -E
Duplicate object found for "/lib64" in role default, subject /, on line 259 of /etc/grsec/policy.
"/lib64" references the same object as the following object(s):
/lib (due to symlinking/hardlinking)
/lib64 (due to symlinking/hardlinking)
specified on an earlier line. The RBAC system will not load until this error is fixed.

Portage 2.1.9.42 (hardened/linux/amd64/no-multilib, gcc-4.5.2, glibc-2.11.3-r0, 2.6.36-hardened-r9-grsec x86_64)
=================================================================
System uname: Linux-2.6.36-hardened-r9-grsec-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_4400+-with-gentoo-2.0.2
Timestamp of tree: Fri, 15 Apr 2011 05:45:01 +0000
app-shells/bash: 4.1_p9
dev-lang/python: 2.7.1-r1, 3.1.3-r1
dev-util/cmake: 2.8.4
sys-apps/baselayout: 2.0.2
sys-apps/openrc: 0.8.1
sys-apps/sandbox: 2.4
sys-devel/autoconf: 2.65-r1
sys-devel/automake: 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.5.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.10
sys-devel/make: 3.81-r2
sys-kernel/linux-headers: 2.6.36.1
virtual/os-headers: 0
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8-sse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=k8-sse3 -O2 -pipe"
DISTDIR="/mnt/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS=""
GENTOO_MIRRORS="http://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://mirror.netcologne.de/gentoo/ http://mirror.jamit.de/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en ru"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://enigma/gentoo-portage"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cxx dbus dri fam fontconfig gdbm gpm hardened iconv jpeg justify mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl png pppd python readline session sse sse2 sse3 ssl sysfs tcpd truetype unicode urandom vim-syntax xorg zip zlib zsh-completion"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en ru"
PHP_TARGETS="php5-3"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
You must specify the ACL for the target first, otherwise gradm will report a duplicate.

and

# ls -lsd /lib /lib32 /lib64
4 drwxr-xr-x 7 root root 4096 Apr 4 12:15 /lib
4 drwxr-xr-x 2 root root 4096 Sep 24 2010 /lib32
12 drwxr-xr-x 15 root root 12288 Apr 14 01:50 /lib64
______________________________________________________

Portage 2.2.0_alpha30 (hardened/linux/amd64/no-multilib, gcc-4.5.2, glibc-2.13-r2, 2.6.38-hardened x86_64)
(In reply to comment #9)
> you must specify the ACL for the target first, otherwise gradm will report a
> duplicate
>
> and
>
> # ls -lsd /lib /lib32 /lib64
> 4 drwxr-xr-x 7 root root 4096 Apr 4 12:15 /lib
> 4 drwxr-xr-x 2 root root 4096 Sep 24 2010 /lib32
> 12 drwxr-xr-x 15 root root 12288 Apr 14 01:50 /lib64
> ______________________________________________________
>
> Portage 2.2.0_alpha30 (hardened/linux/amd64/no-multilib, gcc-4.5.2,
> glibc-2.13-r2, 2.6.38-hardened x86_64)

I don't have /lib32 and /lib is a symlink to /lib64 (AFAIK it's what the no-multilib profile stands for):

# ls -lsd /lib /lib64
0 lrwxrwxrwx 1 root root 5 Apr 9 01:21 /lib -> lib64
16 drwxr-xr-x 15 root root 4096 Apr 16 11:12 /lib64
(In reply to comment #10)
> I don't have /lib32 and /lib is a symlink to /lib64 (AFAIK it's what
> no-multilib profile stands for):
> # ls -lsd /lib /lib64
> 0 lrwxrwxrwx 1 root root 5 Apr 9 01:21 /lib -> lib64
> 16 drwxr-xr-x 15 root root 4096 Apr 16 11:12 /lib64

That's correct. Although upstream has worked to remove these messages I still see them occurring. If you identify the duplicate rules (one will be the symlink of the other) you can remove the symlink and the policy should load fine. I'm not 100% sure of the security implications. I will ask upstream next time I have a chance.
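A way to find those symlinked pairs before gradm -E refuses the policy, covering both the "specify the target first" point in comment 9 and the "identify the duplicate rules" advice in comment 12. This is an added example written for this page, not code from the bug report, from gradm or from Gentoo. It parses the brace-less policy syntax shown earlier in the thread, resolves each object path through a constructed symlink map ({"/lib": "/lib64"}, standing in for a no-multilib box) and reports objects that alias an earlier object of the same subject. The harmless/conflict split mirrors the later upstream rule quoted in this thread (duplicates whose modes match are ignored); the sample policy is constructed, and on a live host links=None makes canonical() fall back to os.path.realpath.

```python
"""Find objects in a gradm RBAC policy that resolve to the same real path.

Added example (not from the bug report, gradm or Gentoo). It mimics the
duplicate-object check behind "Duplicate object found ... references the
same object" and applies the rule from the upstream changelog quoted in this
thread: a duplicate whose object mode matches the earlier entry is harmless,
one with a different mode is a real conflict the policy author must resolve.
"""
import os
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    role: str
    subject: str
    path: str            # the later object, as written in the policy
    earlier: str         # the earlier object it collides with
    mode: str
    earlier_mode: str
    line: int            # 1-based line number of the later object
    same_mode: bool      # True: harmless per upstream; False: conflict


def canonical(path: str, links: Optional[Dict[str, str]] = None) -> str:
    """Resolve symlinked directory components.

    `links` is a constructed map of absolute link -> absolute target, e.g.
    {"/lib": "/lib64"}; with links=None the real filesystem is consulted.
    """
    if links is None:
        return os.path.realpath(path)
    out = ""
    for part in [p for p in path.split("/") if p]:
        out = out + "/" + part
        hops = 0
        while out in links and hops < 32:   # hop limit guards against link loops
            out, hops = links[out], hops + 1
    return out or "/"


def find_duplicates(policy: str, links: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Walk the brace-less policy syntax used in this thread (bare `{` / `}`
    lines of the newer syntax are tolerated) and report objects that alias an
    earlier object of the same subject."""
    findings: List[Finding] = []
    role = subject = ""
    seen: Dict[str, Tuple[str, str, int]] = {}   # real path -> (path, mode, line)
    for lineno, raw in enumerate(policy.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line in ("{", "}"):
            continue
        words = line.split()
        if words[0] == "role":
            role, subject, seen = words[1], "", {}
            continue
        if words[0] == "subject":
            subject, seen = words[1], {}
            continue
        if not words[0].startswith("/"):
            continue   # role_transitions, +CAP_* / -CAP_* and other non-object lines
        path, mode = words[0], (words[1] if len(words) > 1 else "")
        key = canonical(path, links)
        if key in seen:
            earlier, emode, _ = seen[key]
            findings.append(Finding(role, subject, path, earlier, mode, emode,
                                    lineno, set(mode) == set(emode)))
        else:
            seen[key] = (path, mode, lineno)
    return findings


def drop_redundant(policy: str, links: Optional[Dict[str, str]] = None) -> str:
    """Remove the later entry of each same-mode pair, which is what comment 12
    suggests doing by hand; mode conflicts are left for a human to decide."""
    redundant = {f.line for f in find_duplicates(policy, links) if f.same_mode}
    kept = [l for i, l in enumerate(policy.splitlines(), 1) if i not in redundant]
    return "\n".join(kept) + "\n"


# Constructed sample policy in the syntax shown in this thread.
SAMPLE_POLICY = """\
role default G
role_transitions admin
subject /
    / r
    /lib rx
    /usr rx
    /lib64 rx
    /etc/grsec h
    -CAP_ALL
subject /usr/sbin/sshd dpo
    / h
    /lib rx
    /lib64 r
    +CAP_SETUID
"""
# Constructed symlink map standing in for a no-multilib box where /lib -> lib64.
SAMPLE_LINKS = {"/lib": "/lib64"}

if __name__ == "__main__":
    for f in find_duplicates(SAMPLE_POLICY, SAMPLE_LINKS):
        kind = "harmless duplicate" if f.same_mode else "MODE CONFLICT"
        print(f"line {f.line}: {kind} in subject {f.subject}: "
              f"{f.path} {f.mode!r} aliases {f.earlier} {f.earlier_mode!r}")
    print(drop_redundant(SAMPLE_POLICY, SAMPLE_LINKS))
```

Each Finding records which entry came first, so the ordering comment 9 describes (target before symlink) can be checked from the same output. Only same-mode duplicates are dropped automatically; a pair such as `/lib rx` against `/lib64 r` grants different access through two names for one directory and is reported as a conflict rather than silently resolved either way.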
2011-06-05 23:14 spender
    * gradm_adm.c, gradm_fulllearn.c, gradm_parse.c: add shutdown role to full system learning, ignore symlink dupes if the object modes match

2011-09-24 09:56 spender
    * gradm_parse.c: don't display warnings on object duplicates when the modes are the same, fixes annoying warnings on some systems with /lib64 symlinked to /lib

resolved fixed ?
(In reply to comment #13)
> 2011-09-24 09:56 spender
>
> * gradm_parse.c: don't display warnings on object duplicates when
> the modes are the same, fixes annoying warnings on some systems
> with /lib64 symlinked to /lib
>
> resolved fixed ?

Did you test this yourself, i.e. not just read it in the change log? If so, yes, resolved fixed.
I know this used to be a problem but I haven't hit it recently. I'm closing this fix, but if you hit it with a recent version of gradm, please reopen.