Bug 110594 - rsbac-admin-1.2.5 (rsbac_menu tool problems)
Summary: rsbac-admin-1.2.5 (rsbac_menu tool problems)
Status: VERIFIED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: x86 Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2005-10-26 22:15 UTC by Rumen Yotov
Modified: 2005-10-28 11:56 UTC
Description Rumen Yotov 2005-10-26 22:15:48 UTC
Hi,
Recently installed (~x86) RSBAC-1.2.5 - kernel & admin tools (clean install not
upgrade from 1.2.4).
All rsbac_{fd,etc}_menu dialog tools don't work; they report permission problems.
Some messages:
1. After opening rsbac_menu and pointing to a binary somewhere (as secoff):
...BEGIN...
"RSBAC File/Dir/Fifo/Symlink/Administration - ERROR
Main Menu: Selection Error!"
...END...
Think these might be permission problems/bugs:
Some more info:
ls -l /rsbac.dat/ (from other partition) shows all files are:
...
-rw------ root root filename
...
so all files belong to "root", but why? IMO they should belong to: secoff secoff.
This dir (rsbac.dat) isn't visible to either root or secoff, and the kernel config
has disabled visibility for it (OK here). In 'ls -l /', "rsbac.dat" has "d---------".
root can see everything in secoff's directory (/secoff), including logs etc., though
they all have "-rw------ so so filename.ext" (only security-log has "so root", but
this is OK as it's managed by rklogd & its config).
There are some differences in the PATH env vars, but these are normal: root has
"/sbin:/usr/sbin", while secoff doesn't have these in his path but has "dac"
permissions for them (0755).
I might have forgotten something; will add it later along with any new experiments & info.
PS: writing this from my normal account and currently don't have (forgot it) an
"emerge info" output - will give it later, no time now.
Thanks. Rumen

Reproducible: Always
Comment 1 Guillaume Destuynder (RETIRED) gentoo-dev 2005-10-27 00:15:45 UTC
hi rumen,
it's normal that you cannot read rsbac.dat. it would be a real problem if you
could :)

what happens if you type "which attr_get_fd" and simply "attr_get_fd" as secoff ?
there is no rklogd installed in 1.2.5 ebuild (you're better off with syslog-ng),
so i assume you might have installed from source and have utils in
/usr/local/bin PATH ?

btw rklogd suid to secoff so you don't need root access for the log file. simply
run in secure mode (ie not softmode) and remove the dac override rights
(default) from root, then it won't be able to access those /secoff dirs anymore.
Comment 2 Rumen Yotov 2005-10-27 23:21:59 UTC
Hi kang,
Problem solved, though it turned out to be quite an unusual one.
First, for completeness my emerge --info:
...BEGIN...
Gentoo Base System version 1.6.13
Portage 2.0.51.22-r3 (hardened/x86/2.6, gcc-3.3.6, glibc-2.3.5-r2,
2.6.13-rsbac-rsbac i686)
=================================================================
System uname: 2.6.13-rsbac-rsbac i686 AMD Athlon(tm) XP 2200+
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i386-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer"
CHOST="i386-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/init.d /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg ccache collision-protect distlocks sandbox sfperms
strict"
GENTOO_MIRRORS="http://gentoo.ITDNet.net/gentoo
http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://files.gentoo.gr
http://mirror.etf.bg.ac.yu/gentoo http://mirror.datapipe.net/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow X509 acl acpi apache2 bash-completion berkdb caps cdb cdr crypt curl
dlloader eds esd evo exif freetype gnutls gstreamer gtkhtml hal hardened iconv
imap ithreads javascript maildir mime mmx ncurses nls nptl nvidia ogg pam perl
pic posix ppds prelude python readline skey sse ssl svg symlink tcpd threads
udev unicode usb userlocales vorbis win32codecs x86 xsl xvid zlib userland_GNU
kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
...END...
To your questions: "which attr_get_fd" returns "/usr/bin/attr_get_fd" and
running it as secoff starts it. So the only problem with PATH is that as
'secoff' i can't find the paths to all binaries (especially ones in
"/sbin:/usr/sbin"), but that's normal system setup, must do this as root first.
Not really a problem at all.
Maybe i wasn't very clear in explaining what my main problem was, so again:
I can start rsbac_menu, it shows (CL dialog) but doesn't work afterwards -
pressing any menu line will pop up an error message (which i assumed was due to
some permissions problems) - wrong.
So to sum up: PATH is working, rsbac_menu is visually working too.
It turned out the bug (for me) is with the "unicode" USE-flag (which i HAD - see
emerge --info above).
Removed "unicode" and recompiled the three apps which used it: baselayout,
ncurses and dialog.
Then remembered that after my initial setup i had ncurses without 'unicode' and
wanting dialog with 'unicode' failed to compile, so had to add "unicode" to
ncurses OR remove "unicode" from dialog - chose the first one.
More serious is the message i got when compiling 'ncurses' w/o 'unicode' - it
didn't want to compile (had to "export COMPILE_NCURSES=true" before) to compile
it at all. Received a message that i must do (the export) to compile 'ncurses'.
Maybe the "unicode" USE-flag must be masked in the hardened profile (pity there is not
a separate one for RSBAC) if possible at all.
PS: I have only rklogd compiled and installed in /usr/local/bin, all other
rsbac-admin apps are in /usr/bin/...
Still not using syslog-ng due to some permission problems with opening/reading
"proc/rsbac-info/rmsg" file. Wanted to fix rsbac_menu first to use it later.
Thanks again. Rumen
Comment 3 Guillaume Destuynder (RETIRED) gentoo-dev 2005-10-28 03:10:12 UTC
you can use the hardened profile, it's no problem. it's a common profile and it
fits rsbac perfectly.
you can alternatively use USE="hardened pie"

For unicode, indeed having ncurses unicode and dialog non unicode might fail,
obviously :)
I just compiled them both and it worked, on amd64, so you might want to emerge
sync and retry.

Thanks for the feedback though.

Good luck with syslog-ng, the easiest is to run it as role auditor (predefined
role, uid 404)
This user will be auto added in the next ebuild of rsbac-admin.
Feel free to ask for help on e.g. #rsbac or #gentoo-hardened about this. (or by
mail, mailing, etc..)

Comment 4 Rumen Yotov 2005-10-28 11:56:24 UTC
Hi kang,
Installed 1.2.5 using stage3-hardened-2005.1 with all the profiles etc. No problems.
Some more on 'unicode', initially compiled dialog w/o 'unicode' to match ncurses
w/o 'unicode' as it comes in stage3 tarball.
Later added "unicode" and other things, removed more to/from USE-flags and did:
emerge -DNu world -av to update the whole system.
After this had "unicode" for all four apps: baselayout,ncurses,dialog,nano.
Here the error appeared, don't remember if before that had such problems, wanted
to have updated/clean system first. All this using "softmode" IIRC.
Later turned OFF softmode and began fixing things, rsbac_menu didn't work.
Thanks for the syslog-ng tip, plan to use it.
Now adding some more models (to have AUTH,FF,RC) and adding some daemons,apps.
Closing this Bug as it's fixed.
Rumen
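
Comments 2 to 4 tie the rsbac_menu failure to the "unicode" USE flag on ncurses and dialog. The check below is an added example, not part of the bug thread or of Portage: it reads the USE file recorded for each installed package and reports whether a set of packages agree on one flag. The function names, the sample versions and the sample USE contents are constructed, and the VDB layout noted in the comments is an assumption.

```shell
#!/bin/sh
# Added example: do installed packages agree on a USE flag?
# Assumes the Portage layout <vdb>/<category>/<name>-<version>/USE, where USE
# holds the whitespace-separated flags the package was built with.

# has_flag VDB CATEGORY/NAME FLAG -> prints yes, no, or missing (not installed)
has_flag() {
    vdb=$1; atom=$2; flag=$3; found=missing
    for dir in "$vdb/$atom"-[0-9]*; do
        if [ -f "$dir/USE" ]; then
            if [ "$found" != yes ]; then found=no; fi
            for f in $(cat "$dir/USE"); do
                if [ "$f" = "$flag" ]; then found=yes; fi
            done
        fi
    done
    echo "$found"
}

# flag_consistent VDB FLAG ATOM... -> status 0 if every installed atom agrees
flag_consistent() {
    cvdb=$1; cflag=$2; shift 2
    first=; mismatch=0
    for a in "$@"; do
        state=$(has_flag "$cvdb" "$a" "$cflag")
        printf '%-22s %s=%s\n' "$a" "$cflag" "$state"
        if [ "$state" = missing ]; then continue; fi
        if [ -z "$first" ]; then first=$state; fi
        if [ "$state" != "$first" ]; then mismatch=1; fi
    done
    [ "$mismatch" -eq 0 ]
}

# Constructed sample tree (versions and flags are made up for the demo).
make_sample_vdb() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sys-libs/ncurses-5.4-r6" "$root/dev-util/dialog-1.0" \
             "$root/sys-apps/baselayout-1.11"
    echo "hardened nls unicode x86" > "$root/sys-libs/ncurses-5.4-r6/USE"
    echo "hardened nls x86"         > "$root/dev-util/dialog-1.0/USE"
    echo "hardened unicode x86"     > "$root/sys-apps/baselayout-1.11/USE"
    echo "$root"
}

sample=$(make_sample_vdb)
flag_consistent "$sample" unicode sys-libs/ncurses dev-util/dialog sys-apps/baselayout \
    || echo "mismatch: rebuild these packages with the same unicode setting"
rm -rf "$sample"
```

On a live system, pass /var/db/pkg as the first argument instead of the sample tree.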