RBAC policy development • Qemu RBAC policies (& libvirt & tcpdump...)

Initially I planned this first post (and I didn't know how many posts I would need to prepare), for topic:
RBAC policy for tcpdump
viewtopic.php?f=5&t=4301
because I figured out important little "tweak" (or what to call it) for the learning on role tcpdump, without which, as it appears to me, there are issues left, tcpdump doesn't work correctly under RBAC.

Then I thought it has too little to do with tcpdump, even though it contains the important "tweak", but rather should belong into the topic:

Libvirt virtualization policies
viewtopic.php?f=5&t=4675

But I actually leave the libvirt programs subject policies still under learning in the final today's policies...

The most it deals with is the Qemu. So I'll open a topic on:

title: Qemu RBAC policies (& libvirt & tcpdump...)

Code:: # ls -l grsec_170[3][1-9][0-2,4-9]_g0n_[0-9][0-9] grsec_170[4][0-9][0-9]_g0n_[0-9][0-9] -rw------- 1 root root 171317 2017-03-08 18:46 grsec_170310_g0n_00 -rw------- 1 root root 171305 2017-03-19 22:10 grsec_170319_g0n_00 -rw------- 1 root root 171334 2017-03-22 11:56 grsec_170322_g0n_00 -rw------- 1 root root 171367 2017-03-25 12:52 grsec_170325_g0n_00 -rw------- 1 root root 171356 2017-04-01 22:43 grsec_170401_g0n_00 -rw------- 1 root root 171596 2017-04-03 14:24 grsec_170403_g0n_02 -rw------- 1 root root 171599 2017-04-04 19:21 grsec_170404_g0n_00

And so I gave that same argument to my diffing_script.sh, which you can find at:

Libvirt virtualization policies
viewtopic.php?f=5&t=4675&start=15#p17006

(
but first I changed the string, in the whole script:
from /Cmn/m/B/Virt_170405/ to /some/other/dir/
)

...

First, I had figured out the missing tweak in my tcpdump topic (link given above). The tcpdump role learning was missing!

And you can see it, if you peruse the actual changes btwn the versions above of my /etc/grsec/policy which I have prepared for posting.

So, I ran:

Code:: # diffing_script.sh

and when asked, pasted in that string above:

Code:: grsec_170[3][1-9][0-2,4-9]_g0n_[0-9][0-9] grsec_170[4][0-9][0-9]_g0n_[0-9][0-9]

, and below is what I got.

However, these posts also are related to my Libvirt topic (link given above), and they build on the explanations given there, to a large extent. E.g. the version grsec_170310_g0n_00 is one of the last versions of my /etc/grsec/policy that I explained in that topic how I attained it.

diff -u30 ./grsec_170310_g0n_00 ./grsec_170319_g0n_00

Code:: --- ./grsec_170310_g0n_00 2017-03-08 18:46:35.138312762 +0100 +++ ./grsec_170319_g0n_00 2017-03-19 22:10:00.430783212 +0100 @@ -4519,109 +4519,109 @@ /proc/slabinfo r /proc/sys h /root rwcd /sbin r /usr /usr/arm-unknown-linux-gnueabi r /usr/bin r /usr/etc r /usr/lib64 rx /usr/libexec r /usr/local r /usr/sbin rx /usr/share r /usr/src h /usr/x86_64-pc-linux-gnu r /usr/arm-unknown-linux-gnueabi r /var /var/lib rwcd /var/spool h /var/spool/cron r /var/www r -CAP_ALL +CAP_DAC_OVERRIDE +CAP_DAC_READ_SEARCH +CAP_SETGID +CAP_SETUID bind disabled connect disabled # Role: root -subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ar o +subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/ar o / h /etc h /etc/ld.so.cache r /lib64 rx /lib64/modules h /usr h /usr/lib64 h /usr/lib64/binutils/x86_64-pc-linux-gnu/2.25.1/libbfd-2.25.1.so rx /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale/locale-archive r /usr/src h /usr/x86_64-pc-linux-gnu h - /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ar x + /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/ar x -CAP_ALL bind disabled connect disabled # Role: root -subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as o +subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/as o / h /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /etc h /etc/ld.so.cache r /lib64 rx /lib64/modules h /tmp rw /usr h /usr/lib64 h /usr/lib64/binutils/x86_64-pc-linux-gnu/2.25.1/libbfd-2.25.1.so rx /usr/lib64/binutils/x86_64-pc-linux-gnu/2.25.1/libopcodes-2.25.1.so rx /usr/lib64/locale/locale-archive r /usr/share h /usr/share/locale r /usr/src rwcd /usr/x86_64-pc-linux-gnu h /usr/x86_64-pc-linux-gnu/binutils-bin x -CAP_ALL bind disabled connect disabled # Role: root -subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld o +subject /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/ld o / h /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /etc h /etc/ld.so.cache r /etc/ld.so.conf r /etc/ld.so.conf.d /etc/ld.so.conf.d/05binutils.conf r /etc/ld.so.conf.d/05gcc-x86_64-pc-linux-gnu.conf r /lib64 rx /lib64/modules h /proc h /proc/meminfo r /tmp r /usr h /usr/lib64 rx /usr/share h /usr/share/locale r /usr/src rwcd /usr/x86_64-pc-linux-gnu h /usr/x86_64-pc-linux-gnu/binutils-bin x -CAP_ALL bind disabled connect disabled @@ -5052,61 +5052,61 @@ /sbin/openrc /sbin/xtables-multi /sys h /tmp rwcd /usr /usr/bin x /usr/bin/java rx /usr/bin/mplayer rx /usr/bin/mpv rx /usr/bin/qemu-system-x86_64 rx /usr/bin/ssh rx /usr/bin/xkbcomp rx /usr/bin/urxvt rx /usr/bin/tzap rx /usr/lib64 rx /usr/libexec rx /usr/local /usr/local/bin rwxc /usr/sbin h /usr/sbin/sendmail rx /usr/sbin/tcpdump x /usr/share h /usr/share/virt-manager x /usr/share/cvs/contrib/rcs2log /usr/share/doc r /usr/share/info r /usr/share/locale r /usr/share/terminfo r /usr/src rwxc # needed by youtube-dl - /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/objdump x + /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/objdump x /var /var/lib /var/lib/lurker rwcdl /var/log h /var/tmp rwcd /var/www /var/www/lurker* rwcd /var/www/localhost /var/www/localhost/htdocs rwcd -CAP_ALL bind disabled connect disabled sock_allow_family all # Role: miro subject /bin/cat o / h /Cmn r /Cmn/MyVideos rwcdl /Cmn/ls-ABRgo* rwcdl /Cmn/dLo* rwcdl /bin h /bin/cat rx /dev h /dev/dvb r /dev/dvb/adapter? r /dev/dvb/adapter?/dvr? r /etc h /etc/ld.so.cache r /etc/qemu/bridge.conf r @@ -6474,62 +6474,62 @@ /proc/sys h /sys h /tmp r /usr h /usr/bin h $gpg_programs /usr/lib64 rx /usr/share r /var/log h /var/www/localhost/htdocs rwc -CAP_ALL +CAP_FOWNER +CAP_MKNOD bind disabled connect disabled sock_allow_family unix inet # Role: miro subject /usr/bin/gpgconf o / h /dev/null rw /etc h /etc/ld.so.cache r /lib64 h /lib64/ld-2.23.so x /lib64/libc-2.23.so rx /usr h /usr/bin $gpg_programs /usr/share/locale r - /usr/lib64/libgcrypt.so.20.1.5 rx - /usr/lib64/libgpg-error.so.0.21.0 rx + /usr/lib64/libgcrypt.so.20.1.6 rx + /usr/lib64/libgpg-error.so.0.22.0 rx /usr/lib64/locale/locale-archive r -CAP_ALL bind disabled connect disabled ## Role: miro #subject /usr/bin/gpgparsemail ol # / h # -CAP_ALL # bind disabled # connect disabled ## Role: miro #subject /usr/bin/gpgscm ol # / h # -CAP_ALL # bind disabled # connect disabled ## Role: miro #subject /usr/bin/gpgsm ol # / h # -CAP_ALL # bind disabled # connect disabled ## Role: miro #subject /usr/bin/gpgtar ol # / h # -CAP_ALL @@ -8212,61 +8212,61 @@ sock_allow_family unix inet # Role: miro subject /usr/libexec/gcc/x86_64-pc-linux-gnu o / h /Cmn /Cmn/mr* rwc /Cmn/Kaff rwc /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /dev/urandom r /etc h /etc/ld.so.cache r /home /home/miro rwcd /lib64 rx /lib64/modules h /proc h /proc/meminfo r /tmp rwcdl /usr /usr/include r /usr/lib64 rx /usr/libexec h /usr/libexec/gcc x - /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld x + /usr/x86_64-pc-linux-gnu/binutils-bin/2.27/ld x /usr/share h /usr/share/locale r /usr/src rwxc -CAP_ALL +CAP_IPC_LOCK +CAP_SYS_RAWIO bind disabled connect disabled # Role: miro subject /usr/libexec/git-core o / h /Cmn r /Cmn/src* rwcdl /bin x /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /dev/tty rw /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/shadow h

diff -u30 ./grsec_170319_g0n_00 ./grsec_170322_g0n_00

Code:: --- ./grsec_170319_g0n_00 2017-03-19 22:10:00.430783212 +0100 +++ ./grsec_170322_g0n_00 2017-03-22 11:56:18.000000000 +0100 @@ -8588,94 +8588,95 @@ /lib64/modules h /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/meminfo r /proc/modules h /proc/slabinfo h /proc/sys h /tmp rwcd /usr /usr/bin /usr/bin/maildrop x /usr/bin/python* x /usr/lib64 rx /usr/src h -CAP_ALL bind 0.0.0.0/32:0 dgram ip connect 127.0.0.1/32 dgram udp connect 195.29.150.9/32:995 dgram udp connect 195.29.150.8/32:995 stream dgram tcp udp connect 178.218.165.68/32:993 stream tcp connect 192.168.1.1/32:53 dgram udp sock_allow_family netlink # Role: miro subject /usr/lib64/palemoon/palemoon o / r /Cmn rw /mnt/CD r - /Cmn/dLo rwc + /Cmn/dLo rwcd /boot h /bin/wc x /dev /dev/dri h /dev/dri/card0 rw /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /dev/snd rw /dev/urandom r /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /home /home/miro rw /home/miro/.cache rwcd /home/miro/.config /home/miro/.config/gtk-2.0 rwcd /home/miro/.local /home/miro/.local/share rwcd "/home/miro/.moonchild productions" rwcd # "/home/miro/.moonchild productions/pale moon" r # "/home/miro/.moonchild productions/pale moon/sre1mcun.default" rwcd /home/miro/.mozilla /home/miro/.sslkey.log w /home/miro/Desktop rwcd + /home/miro/Downloads rwcd /lib/modules h /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/self r /proc/slabinfo h /proc/sys h /run /sys h /sys/devices/system/cpu/online r /sys/devices/system/cpu/present r /tmp rwcd /usr /usr/bin/mutt rx /usr/bin/qpdfview x /usr/bin/vlc x /usr/lib64 rx /usr/local /usr/share r /usr/src h /var h /var/cache h /var/cache/fontconfig r /var/tmp rwcd -CAP_ALL bind 0.0.0.0/32:0 dgram ip

diff -u30 ./grsec_170322_g0n_00 ./grsec_170325_g0n_00

Code:: --- ./grsec_170322_g0n_00 2017-03-22 11:56:18.000000000 +0100 +++ ./grsec_170325_g0n_00 2017-03-25 12:52:06.000000000 +0100 @@ -6982,61 +6982,61 @@ /proc/slabinfo h /proc/sys h /sys h /sys/devices/system/cpu /usr h /usr/bin h /usr/bin/mplayer rx /usr/lib64 rx /usr/share r /var h /var/cache h /var/cache/fontconfig r /var/www h /var/www/localhost h /var/www/localhost/htdocs r /var/www/localhost/htdocs/CroatiaFidelis r /var/www/localhost/htdocs/CroatiaFidelis/foss r /var/www/localhost/htdocs/CroatiaFidelis/foss/cap rwc -CAP_ALL bind 0.0.0.0/32:0 dgram ip connect 192.168.2.0/24:80 stream tcp connect 127.0.0.1/32:53 dgram udp sock_allow_family ipv6 # Role: miro subject /usr/bin/mpv o / h /Cmn r /Cmn/Kaff rwc /Cmn/dLo rwc - /Cmn/mr rwc + /Cmn/mr* rwc /dev h /dev/dri h /dev/dri/card0 rw /dev/null r /dev/snd rw /dev/urandom r /dev/zero rw /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/passwd h /etc/ppp h /etc/samba/smbpasswd h /etc/shadow h /etc/shadow- h /etc/ssh h /home /home/miro rwc /lib64 rx /lib64/modules h /mnt h /mnt/sd?1 r /mnt/g* r /mnt/H* r /mnt/sr* r /proc /proc/bus h /proc/cpuinfo r /proc/kallsyms h @@ -8517,60 +8517,61 @@ /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /home /home/miro rwcd /home/miro/.cache rwcdl /lib64 rx /lib64/modules h /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/meminfo r /proc/modules h /proc/slabinfo h /proc/sys h /sys h /sys/devices/system/cpu/online r /tmp rwcd /usr /usr/bin /usr/bin/xdg-open x /usr/lib64 rxwc /usr/share r /usr/src h /var h /var/cache/fontconfig rw + /var/www/localhost/htdocs rwcd -CAP_ALL bind disabled connect disabled sock_allow_family unix inet # Role: miro subject /usr/lib64/node_modules/npm/bin/npm-cli.js o / h /bin h /bin/env x /etc h /etc/ld.so.cache r /lib64 h /lib64/ld-2.23.so x /lib64/libc-2.23.so rx /usr h /usr/bin/env x /usr/bin/node x /usr/lib64/locale/locale-archive r /usr/lib64/node_modules/npm/bin/npm-cli.js rx -CAP_ALL bind disabled connect disabled sock_allow_family unix inet # Role: miro subject /usr/lib64/python-exec/python2.7/getmail o / h /dev h /dev/tty rw

diff -u30 ./grsec_170325_g0n_00 ./grsec_170401_g0n_00

Code:: --- ./grsec_170325_g0n_00 2017-03-25 12:52:06.000000000 +0100 +++ ./grsec_170401_g0n_00 2017-04-01 22:43:14.760275379 +0200 @@ -642,61 +642,60 @@ /Cmn/gX* rwxcd /Cmn/m* rwxcd /bin rx /sbin rx /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /dev/tty rw /dev/urandom r /etc rx /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow h /etc/shadow- h /etc/ssh h /export h /export/data /export/home /home h /home/miro rx /lib64 rx /lib64/firmware h /lib64/firmware/radeon /lib64/modules h /mnt r - /mnt r /mnt/g* rwxcd /mnt/H* rwxcd /opt /opt/icedtea-bin-*/bin/java x /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /root rxcdl /run rd /run/dhcpcd r /sys /sys/fs/cgroup /tmp rwcd /usr /usr/bin rx /usr/include r /usr/lib64 rx /usr/libexec rx /usr/local r /usr/local/bin rx /usr/sbin rx /usr/share r /usr/src rx /usr/x86_64-pc-linux-gnu /usr/x86_64-pc-linux-gnu/binutils-bin x /usr/x86_64-pc-linux-gnu/gcc-bin x

diff -u30 ./grsec_170401_g0n_00 ./grsec_170403_g0n_02

Code:: --- ./grsec_170401_g0n_00 2017-04-01 22:43:14.760275379 +0200 +++ ./grsec_170403_g0n_02 2017-04-03 14:24:12.713483680 +0200 @@ -2942,61 +2942,62 @@ / h /bin x /dev r /dev/null w /dev/tty rw /etc h /etc/X11 /etc/X11/xinit rx /etc/ld.so.cache r /lib64 rx /lib64/modules h /proc h /proc/meminfo r /root /tmp rwcd /usr h /usr/bin rx /usr/lib64 h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale/locale-archive r /usr/share /usr/share/locale/locale.alias r -CAP_ALL +CAP_DAC_OVERRIDE bind disabled connect disabled sock_allow_family unix inet # Role: root subject /usr/bin/sudo o -group_transition_allow nobody root +#user_transition_allow root nobody +group_transition_allow root nobody / h /bin h /bin/bash xwcd /bin/touch rwc /bin/mkdir x /dev h /dev/console /dev/log rw /dev/pts /dev/tty rw /etc r /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/shadow- h /etc/passwd r /etc/ssh h /etc/sudoers r /etc/sudoers.d r /lib64 rx /lib64/modules h /proc /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /proc/sys h /run rwcd /usr h @@ -4449,63 +4450,64 @@ sock_allow_family unix inet # Role: root subject /usr/sbin/tcpdump o user_transition_allow root tcpdump nobody miro group_transition_allow root tcpdump nobody miro / h /Cmn rwc /etc h /etc/ld.so.cache r /etc/localtime r /etc/nsswitch.conf r /etc/passwd r /etc/services r /lib64 rx /lib64/modules h /proc r /proc/bus h /proc/kallsyms h /proc/kcore h /proc/modules h /proc/slabinfo h /sys h /sys/class h /sys/class/net /sys/devices h /sys/devices/pci0000:00 h /sys/devices/pci0000:00/0000:00:15.0/0000:05:00.0/net/eth0/ifindex /sys/devices/pci0000:00/0000:00:15.1/0000:06:00.0/net/eth1/ifindex /sys/devices/virtual h - /sys/devices/virtual/net/dummy0/ifindex - /sys/devices/virtual/net/lo/ifindex - /sys/devices/virtual/net/sit0/ifindex + /sys/devices/virtual/net r +# /sys/devices/virtual/net/dummy0/ifindex +# /sys/devices/virtual/net/lo/ifindex +# /sys/devices/virtual/net/sit0/ifindex /usr h /usr/lib64 rx /usr/sbin h /usr/sbin/tcpdump rx -CAP_ALL +CAP_SETGID +CAP_SETUID +CAP_SETPCAP +CAP_NET_ADMIN +CAP_NET_RAW bind disabled connect disabled sock_allow_family unix inet netlink # Role: root subject /usr/sbin/tripwire o user_transition_allow root group_transition_allow root / /boot r /bin rx /dev /dev/grsec h /dev/kmem h /dev/log rw /dev/port h /etc r /home /home/miro rwcd /lib rx @@ -4828,95 +4830,96 @@ -CAP_ALL +CAP_DAC_READ_SEARCH +CAP_KILL +CAP_SETGID +CAP_SETUID bind 0.0.0.0/32:0 ip dgram stream tcp udp connect 127.0.0.1/32 ip dgram stream tcp udp connect 192.168.1.1/32:53 dgram udp connect 195.29.150.0/24 ip dgram stream tcp udp connect 178.218.165.68/32 ip dgram stream tcp udp sock_allow_family all # Role: postfix subject /usr/sbin/postsuper o user_transition_allow root group_transition_allow root / h /var/spool/postfix wd -CAP_ALL bind disabled connect disabled role qemu ul user_transition_allow root qemu group_transition_allow root kvm libvirt qemu role qemu gl user_transition_allow root qemu group_transition_allow root kvm libvirt qemu -role tcpdump u -subject / o - / h - -CAP_ALL - bind disabled - connect disabled - -# Role: tcpdump -subject /usr/sbin/tcpdump o -user_transition_allow miro root nobody tcpdump -group_transition_allow miro root nobody tcpdump - / h - /Cmn rwc - /etc h - /etc/host.conf r - /etc/hosts r - /etc/ld.so.cache r - /etc/resolv.conf r - /lib64 h - /lib64/libnss_dns-2.23.so rx - /lib64/libresolv-2.23.so rx - /lib64/libresolv.so.2 rx - /proc r - /proc/bus h - /proc/kallsyms h - /proc/kcore h - /proc/modules h - /proc/slabinfo h - /proc/sys h - /usr h - /usr/sbin/tcpdump rx - -CAP_ALL - +CAP_DAC_OVERRIDE - bind 0.0.0.0/32:0 dgram ip - connect 127.0.0.1/32:53 dgram udp +role tcpdump ul +user_transition_allow root nobody tcpdump miro +group_transition_allow root nobody tcpdump miro + +role tcpdump gl +user_transition_allow root nobody tcpdump miro +group_transition_allow root nobody tcpdump miro + +## Role: tcpdump +#subject /usr/sbin/tcpdump o +#user_transition_allow root nobody tcpdump miro +#group_transition_allow root nobody tcpdump miro +# / h +# /Cmn rwc +# /etc h +# /etc/host.conf r +# /etc/hosts r +# /etc/ld.so.cache r +# /etc/resolv.conf r +# /lib64 h +# /lib64/libnss_dns-2.23.so rx +# /lib64/libresolv-2.23.so rx +# /lib64/libresolv.so.2 rx +# /proc r +# /proc/bus h +# /proc/kallsyms h +# /proc/kcore h +# /proc/modules h +# /proc/slabinfo h +# /proc/sys h +# /usr h +# /usr/sbin/tcpdump rx +# -CAP_ALL +# +CAP_DAC_OVERRIDE +# bind 0.0.0.0/32:0 dgram ip +# connect 127.0.0.1/32:53 dgram udp role miro u user_transition_allow qemu group_transition_allow kvm libvirt qemu role_allow_ip 0.0.0.0/32 # Role: miro subject / / h /Cmn r /Cmn/Kaff rwxcd /Cmn/MyVideos rwxcd /Cmn/dLo rwxcd /Cmn/gX* rwxcd /Cmn/m* rwxcd /Cmn/src* rwxcd /bin rx /boot h /dev /dev/grsec h /dev/kmem h /dev/kvm r /dev/log h /dev/mapper h /dev/mapper/Msy /dev/mem h /dev/net r /dev/net/tun rwx /dev/null rw /dev/port h /dev/ptmx rw

diff -u30 ./grsec_170403_g0n_02 ./grsec_170404_g0n_00

Code:: --- ./grsec_170403_g0n_02 2017-04-03 14:24:12.713483680 +0200 +++ ./grsec_170404_g0n_00 2017-04-04 19:21:56.000000000 +0200 @@ -541,61 +541,61 @@ bind disabled connect disabled role portage u role_allow_ip 0.0.0.0/32 # Role: portage subject / / h /bin/bash x /usr/bin/wget x -CAP_ALL bind disabled connect disabled # Role: portage subject /bin/bash o / /Cmn /Cmn/Kaff rwxcd /bin x # /bin/bash x # /bin/rm x /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null w /dev/port h /dev/tty rw - /etc h + /etc r /etc/ld.so.cache r /lib64 rx /lib64/modules h /proc h /proc/meminfo r /root /usr h /usr/lib64/gconv/gconv-modules.cache r /usr/lib64/locale/locale-archive r /usr/portage wc /usr/share/info r -CAP_ALL bind disabled connect disabled # Role: portage subject /bin/rm o / h /bin h /bin/rm x /etc h /etc/ld.so.cache r /lib64 h /lib64/ld-2.*.so x /lib64/libc-2.*.so rx /usr h /usr/lib64/locale/locale-archive r /usr/portage wd -CAP_ALL bind disabled @@ -706,64 +706,64 @@ /var/spool /var/spool/postfix r -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_DAC_READ_SEARCH +CAP_FOWNER +CAP_KILL bind disabled connect disabled # Role: root subject /bin/bash o / /Cmn wc /Cmn/gX* rwxcdl /Cmn/Kaff rwxcd /bin x /boot h /dev /dev/grsec h /dev/kmem h /dev/log h /dev/mem h /dev/null rw /dev/port h /dev/tty rw /etc r /etc/X11 r /etc/X11/chooser.sh x - /etc/bash h - /etc/bash/bash_logout r - /etc/bash/bashrc r - /etc/bash/bashrc.d + /etc/bash r +# /etc/bash/bash_logout r +# /etc/bash/bashrc r +# /etc/bash/bashrc.d /etc/cron.hourly /etc/grsec h /etc/gshadow h /etc/gshadow- h /etc/init.d rwx /etc/java-config-2 h /etc/java-config-2/current-system-vm rx /etc/mactab w /etc/postfix wc /etc/profile.d /etc/profile.d/java-config-2.sh r /etc/shadow h /etc/shadow- h /etc/ssh h /etc/terminfo /etc/terminfo/l/linux r /etc/terminfo/r/rxvt-unicode r /export rwxcd /home /home/miro rw /lib64 rx /lib64/modules h /mnt /opt /opt/cin x /opt/icedtea-bin-* rx /proc r /proc/bus h /proc/kallsyms h /proc/kcore h

In the next post, after I have done a number of tcpdump network traces, I will give what grsecurity learned from those, along with the diff with the new tcpdump-learned policy.

I'll post it regardless that this issue was now solved, or that this issue still remained open.

Statistics: Posted by timbgo — Wed Apr 05, 2017 11:46 am — Replies 6 — Views 27171

RBAC policy development • Qemu RBAC policies (& libvirt & tcpdump...)

Trending Articles

Practice Sheet of Right form of verbs for HSC Students

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

How to win at Markstrat (Markstrat Tips and Tricks) – Vodites

Ominde Commission Report and Recommendations – Ominde Report of 1964

Bureau of Internal Revenue: Regional Offices (Directory)

GO 53 on Enhancement of Ex-gratia upto 5 Lakhs Toddy Tappers in Telangana

Cakewalk CA-2A Leveling Amplifier v2.0.1.97 WiN, v2.0.1.96 OSX Incl Keygen

Mp3 Download: Mdu - Kunjenjenjena

How the kill the job , when DTP request running for long hours.

Microsoft Intune から展開しているアプリのアップデートについて

18-year-old girl was beaten for half an hour by two Northampton men in 'an...

Car crash in Dunton Bassett leaves driver in critical condition

Macky 2, Two Others In Road Accident

Application log 00000000000000089514: Could not convert queue DLVST90CLNT

Detroit mafia: D’Anna Brothers agree to plea deal

Delivery block field greyed out using VA02

Muloraki Au

【個人撮影】スマホのプライベート映像♪「中に出さないで///」カラオケ屋での生ハメ撮りが流出ｗ【リベンジポルノ】＠PornHub

BREAKING NEWS: Diamond Platnumz Is Reported Dead After Ghastly Car Accident

FIAT 500 B0111 B0112