Some time ago (is it a year already
) I posted this thread, where basic support for musl was put in place: viewtopic.php?f=3&t=4152While I did test that "gradm -S" worked, as well as "gradm -D", I did not try to actually load a policy. Now that I finally made some time to play around with policies again, I cannot get the musl system to load a policy. Right now I just want to load the default policy that ships with Gentoo Hardened. I get the following error:
- Code: Select all
root@lostmemory ~ # gradm -C
root@lostmemory ~ # gradm -V -E
Policy statistics:
-------------------------------------------------------
Role summary:
0 user roles
0 group roles
2 special roles with authentication
0 special roles without authentication
2 admin roles
3 total roles
Subject summary:
0 nested subjects
29 subjects can be killed by outside processes
31 subjects have unprotected shared memory
22 subjects with unrestricted sockets
31 total subjects
Object summary:
0 objects in non-admin roles allow chmod +s
273 total objects
Error copying structures to the kernel.
The following appears in dmesg:
- Code: Select all
[1227858.043715] grsec: From 192.168.178.57: unable to load grsecurity 3.1 for /sbin/gradm[gradm:16845] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:15578] uid/euid:0/0 gid/egid:0/0
Same for enabling learning mode, it seems:
- Code: Select all
# gradm -F -L /etc/grsec/learning.log
Error opening /dev/grsec:
Resource busy
^C
root@lostmemory ~ #
I am using the following version:
- Code: Select all
root@lostmemory ~ # eix -Ic gradm
[I] sys-apps/gradm (3.1.201603152148@05/23/16): Administrative interface for the grsecurity Role Based Access Control system
Kernel:
- Code: Select all
root@lostmemory ~ # uname -a
Linux lostmemory 4.5.3-hardenedlostmemory #1 SMP Mon May 9 03:46:18 CEST 2016 armv7l Allwinner sun4i/sun5i Families GNU/Linux
I hope that my reluctance to test actually loading in a policy in the last thread won't lead to another ABI bump. Please let me know how I can help to further debug/test. Or flame me if this looks like PEBCAK.
