GnuPG programs RBAC policies


Postby timbgo » Mon Feb 06, 2017 12:09 pm

I actually started this three-post topic, by now already prepared, for this thread on the GnuPG mailing list (the title is not of my making):

? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?
https://lists.gnupg.org/pipermail/gnupg ... 57582.html

but very quickly I turned these into a topic for the Grsecurity Forums.

The first post shows just the simple method that I used to issue a few "gpg --recv-key" commands.
The second describes, to some extent (this topic is primarily about RBAC policy), the issue that I had with some keys.
The third post contains the actual policies.


I don't yet have a smartcard or such, and so I use a USB stick, so as not to keep my ~/.gnupg/ directory with my secret key available when I'm online.

I use a grsecurity-hardened kernel (the only way to save Linux from Linus, IMO), and I had issues with Gradm (grsecurity administration), which, while everybody says it is a breeze to configure compared to how hard the configuration of the NSA Linux, sorry, SELinux, is, is still hard for the not-so-advanced.

And upon the first configuration (called learning, actually done after automatic actual learning by grsecurity itself on the actual machine), I was still getting "... denied ..." errors, like:

Code:
Feb  4 23:06:01 g0n kernel: [22705.364175] grsec: (miro:U:/usr/bin/gpg2) denied open of /the-usb-mount/.gnupg/trustdb.gpg for reading writing by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb  4 23:06:01 g0n kernel: [22705.523478] grsec: (miro:U:/usr/bin/gpg2) denied connect() to the unix domain socket /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb  4 23:06:01 g0n kernel: [22705.523677] grsec: (miro:U:/usr/bin/gpg2) denied create of /the-usb-mount/.gnupg/.#lk0x00000004da6be8c0.g0n.6643 for writing by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb  4 23:06:01 g0n kernel: [22705.525387] grsec: (miro:U:/usr/bin/gpg2) denied connect() to the unix domain socket /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 03:14:02 g0n kernel: [37586.610995] grsec: (root:U:/etc/cron.daily) denied access to hidden file / by /usr/bin/gpg2[gpg:24341] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/rkhunter[rkhunter:24340] uid/euid:0/0 gid/egid:0/0


So more Gradm learning was due.

I made a list of some people's public keys, from the Mutt users mailing list, the Gentoo users ML and the GnuPG mailing list, and set off to perform more of the usual tasks so the system would know how to set up the policies.

It all took longer, but here are the final steps, because I'm curious about why two particular keys wouldn't be received the standard way like all the other keys from the list.

The list below is one line longer than the final list that the output and the log below pertain to (no 3F533109A9509B14 line):

Code:
$ cat recv-keys.ls-1
3F533109A9509B14
8975A9B33AA37910385C5308ADEF768480316BDA
F16C6DC6A4078AFB
A5957FD8834573E2
943D25692DA0DAA497DF23BE47F55ECED035B287
92FEFDB7E44C32F9
4183F13493DF6F75
084509941B9789CE
ADEF768480316BDA
1C49C048DFBEAD02
9D106472D6D50DBA
AB35BA45F9995BB7
78930DB93043C26D
B3F351E09B93286F


So with this command (just a simple bash loop), I got the following output (I only replaced the actual domains with the string "some.domain" for protection), just without the first line:

Code:
$ for i in $(cat recv-keys.ls-1); do gpg --recv-key $i ; done ;
gpg: key ADEF768480316BDA: public key "Kevin J. McCarthy [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key F16C6DC6A4078AFB: public key "Patrice Levesque [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key A5957FD8834573E2: public key "Michelle Konzack (Primary EMail) [email protected]" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key 47F55ECED035B287: public key "Anton (ubernauten) [email protected]" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key 92FEFDB7E44C32F9: public key "Simon Ruderich [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key 04562BC18DEFE336: public key "Thibaut Marty [email protected]" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key 084509941B9789CE: public key "[email protected] [email protected]" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key ADEF768480316BDA: "Kevin J. McCarthy [email protected]" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: key 1C49C048DFBEAD02: public key "Derek D. Martin [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key 9D106472D6D50DBA: public key "Thomas Glanzmann [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key AB35BA45F9995BB7: public key "Richard Zidlicky (key-2014) [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key 78930DB93043C26D: public key "Ken Moffat (ntlworld address) [email protected]" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key B3F351E09B93286F: public key "Mark H. Wood (Journeyman Wizard) [email protected]" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
$


That is the clean receiving upon successful reconfiguration of my /etc/grsec/policy, and issuing of the usual "gradm -E".

What I got in the logs for that event (thanks to exec_logging and audit_chdir being enabled) is:

Code:
Feb  5 22:46:27 g0n kernel: [53769.242600] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat recv-keys.ls-1 ) by /bin/cat[bash:32045] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:46:27 g0n kernel: [53769.245711] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key 8975A9B33AA37910385C5308ADEF768480316BDA ) by /usr/bin/gpg2[bash:32046] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:46:27 g0n kernel: [53769.249680] grsec: (miro:U:/usr/bin/gpg2) chdir to / by /usr/bin/gpg2[gpg:32047] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg2[gpg:32046] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:46:27 g0n kernel: [53769.250708] grsec: (miro:U:/usr/bin/dirmngr) exec of /usr/bin/dirmngr (dirmngr --daemon --homedir /home/miro/.gnupg ) by /usr/bin/dirmngr[gpg:32048] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  5 22:46:27 g0n kernel: [53769.256276] grsec: (miro:U:/usr/bin/dirmngr) chdir to / by /usr/bin/dirmngr[dirmngr:32049] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/dirmngr[dirmngr:32048] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:46:28 g0n kernel: [53770.251897] grsec: more alerts, logging disabled for 10 seconds
Feb  5 22:46:43 g0n kernel: [53785.309854] grsec: (miro:U:/usr/bin/gpg2) chdir to / by /usr/bin/gpg2[gpg:32051] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg2[gpg:32046] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:46:43 g0n kernel: [53785.310417] grsec: (miro:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/miro/.gnupg --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:32052] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  5 22:46:43 g0n kernel: [53785.312676] grsec: (miro:U:/usr/bin/gpg-agent) chdir to / by /usr/bin/gpg-agent[gpg-agent:32055] uid/euid:1000/1000 gid/egid:1000/1000, parent /[gpg-agent:32052] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:46:44 g0n kernel: [53786.314737] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key F16C6DC6A4078AFB ) by /usr/bin/gpg2[bash:32057] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:46:44 g0n kernel: [53786.318225] grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr[conn fd=5:32058] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  5 22:46:45 g0n kernel: [53787.033760] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key A5957FD8834573E2 ) by /usr/bin/gpg2[bash:32060] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:46:45 g0n kernel: [53787.041870] grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr[conn fd=5:32061] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  5 22:46:46 g0n kernel: [53787.790592] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key 943D25692DA0DAA497DF23BE47F55ECED035B287 ) by /usr/bin/gpg2[bash:32063] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000

...[11 lines cut]...

Feb  5 22:46:51 g0n kernel: [53793.569630] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key B3F351E09B93286F ) by /usr/bin/gpg2[bash:32089] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000


I only cut the lines where the only real difference was in the key being processed, and those lines are essentially the same as the immediately previous and the immediately following lines.

The issue, in the next post.
Last edited by timbgo on Mon Feb 06, 2017 12:45 pm, edited 1 time in total.
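As an added example (not code from the post, and not part of grsecurity or gradm), here is a small Python parser that turns the "denied" kernel lines shown in this post into candidate policy lines for the subject named in each line: an object line with merged modes for file denials, a `connect` rule for the dirmngr loopback denial, and a comment for a "hidden file" denial, which cannot be fixed by adding a mode. The sample log lines are constructed from the ones quoted above; the mapping from denial wording to gradm mode letters, and the `rw` for a unix-domain socket object, are assumptions to be checked against what `gradm -L` learning produces.

```python
"""Turn grsecurity RBAC "denied" kernel log lines into candidate policy lines.

Added example: not code from the post and not part of grsecurity/gradm.
The denial-wording to object-mode mapping (r read, w write, c create,
a append) is an assumption based on gradm's mode letters; compare the
output with what "gradm -L" learning produces before using it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, built from the denial lines quoted in the post,
# plus one exec audit line that is not a denial and must be ignored.
SAMPLE_LOG = """\
Feb  4 23:06:01 g0n kernel: [22705.364175] grsec: (miro:U:/usr/bin/gpg2) denied open of /the-usb-mount/.gnupg/trustdb.gpg for reading writing by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb  4 23:06:01 g0n kernel: [22705.523478] grsec: (miro:U:/usr/bin/gpg2) denied connect() to the unix domain socket /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb  4 23:06:01 g0n kernel: [22705.523677] grsec: (miro:U:/usr/bin/gpg2) denied create of /the-usb-mount/.gnupg/.#lk0x00000004da6be8c0.g0n.6643 for writing by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 03:14:02 g0n kernel: [37586.610995] grsec: (root:U:/etc/cron.daily) denied access to hidden file / by /usr/bin/gpg2[gpg:24341] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/rkhunter[rkhunter:24340] uid/euid:0/0 gid/egid:0/0
Feb  5 22:46:44 g0n kernel: [53786.318225] grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr[conn fd=5:32058] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  5 22:46:27 g0n kernel: [53769.245711] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key 8975A9B33AA37910385C5308ADEF768480316BDA ) by /usr/bin/gpg2[bash:32046] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
"""

# "(role:type:subject) denied <what> by /exe[" is the common prefix of a denial.
HDR = re.compile(r"grsec: \((?P<role>[^:]+):[A-Z]:(?P<subject>[^)]+)\) "
                 r"denied (?P<rest>.+?) by /\S+\[")
OPEN = re.compile(r"^open of (?P<path>\S+) for (?P<modes>[a-z ]+)$")
CREATE = re.compile(r"^create of (?P<path>\S+) for (?P<modes>[a-z ]+)$")
UNIX = re.compile(r"^connect\(\) to the unix domain socket (?P<path>\S+)$")
HIDDEN = re.compile(r"^access to hidden file (?P<path>\S+)$")
INET = re.compile(r"^(?P<call>connect|bind)\(\) to (?P<ip>[0-9.]+) port (?P<port>\d+)"
                  r" sock type (?P<stype>\S+) protocol (?P<proto>\S+)$")
MODE_WORDS = {"reading": "r", "writing": "w", "appending": "a"}  # assumption
MODE_ORDER = "rwcdlax"  # canonical order for merged object modes


@dataclass
class Denial:
    role: str
    subject: str
    kind: str     # "object", "hidden", "connect" or "bind"
    target: str   # filesystem path, or "ip/32:port" for connect/bind
    detail: str   # object mode letters, or "socktype proto"


def parse_denial(line: str) -> Optional[Denial]:
    """Parse one kernel log line; None for audit lines that are not denials."""
    m = HDR.search(line)
    if not m:
        return None
    role, subject, rest = m["role"], m["subject"], m["rest"]
    if o := OPEN.match(rest):
        return Denial(role, subject, "object", o["path"],
                      "".join(MODE_WORDS.get(w, "") for w in o["modes"].split()))
    if c := CREATE.match(rest):   # create needs c plus the open mode
        return Denial(role, subject, "object", c["path"],
                      "c" + "".join(MODE_WORDS.get(w, "") for w in c["modes"].split()))
    if u := UNIX.match(rest):     # assumption: a unix socket object needs rw
        return Denial(role, subject, "object", u["path"], "rw")
    if h := HIDDEN.match(rest):
        return Denial(role, subject, "hidden", h["path"], "h")
    if n := INET.match(rest):
        return Denial(role, subject, n["call"], f"{n['ip']}/32:{n['port']}",
                      f"{n['stype']} {n['proto']}")
    return None


def canon(modes: str) -> str:
    """Order mode letters the way the policy file conventionally lists them."""
    return "".join(ch for ch in MODE_ORDER if ch in modes)


def suggest(log_text: str) -> Dict[str, List[str]]:
    """Candidate policy lines per 'role:subject', object modes merged per path."""
    objects: Dict[tuple, set] = {}
    others: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = f"{d.role}:{d.subject}"
        if d.kind == "object":
            objects.setdefault((key, d.target), set()).update(d.detail)
            continue
        if d.kind == "hidden":
            text = f"#  {d.target} is hidden (h) in this subject; grant the needed file"
        else:
            text = f"   {d.kind} {d.target} {d.detail}"
        if text not in others.setdefault(key, []):
            others[key].append(text)
    out: Dict[str, List[str]] = {}
    for (key, path), modes in sorted(objects.items()):
        out.setdefault(key, []).append(f"   {path} {canon(''.join(modes))}")
    for key, lines in others.items():
        out.setdefault(key, []).extend(lines)
    return out


if __name__ == "__main__":
    for subj, lines in suggest(SAMPLE_LOG).items():
        print(f"subject {subj}")
        print("\n".join(lines))
```

Pipe the relevant part of the kernel log into `suggest()` and compare its output per subject with the lines gradm learned; a path that only shows up as denied once with `r` is a hint, not a licence to grant `rwcd`.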

Re: GnuPG programs RBAC policies

Postby timbgo » Mon Feb 06, 2017 12:17 pm

And now the issue. It also happened before, but, alas, reading the logs is a science in itself; I figure it out matter by matter, usually one or two at a time...

There is this key that I couldn't receive at different times, after it was uploaded to the servers:

Code:
CECC45E1E979013C


There is a story about it at:

https://github.com/Synzvato/decentraleyes/issues/143

And there is this other key that makes up the first line of the previous-to-final list (in the first post), which I omitted in the command line, output and log of the previous post.

Code:
3F533109A9509B14


And after having done all the learning and reconfiguration of /etc/grsec/policy, so that I managed to receive from the servers just fine almost all of the keys that I randomly collected from various mailing lists to which I am subscribed...

(
Maybe just to show. This is..

Code:
Feb  5 22:47:30 g0n kernel: [53832.607484] grsec: (miro:U:/bin/bash) exec of /bin/bash (sh -c gpg --no-verbose --batch --output - --verify /tmp/mutt-g0n-1000-32099-228475456275005531.asc /tmp/mutt-g0n-1000-32099-2284) by /bin/bash[mutt:32102] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:32099] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:47:30 g0n kernel: [53832.610613] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --no-verbose --batch --output - --verify /tmp/mutt-g0n-1000-32099-228475456275005531.asc /tmp/mutt-g0n-1000-32099-2284754562) by /usr/bin/gpg2[sh:32102] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:32099] uid/euid:1000/1000 gid/egid:1000/1000


...what it looks like when the emails in those lists are PGP-verified in Mutt. The command line is too long, but I'm sure it contains the string of the particular PGP key that verifies that particular one key (which one is not shown), and any other PGP keys for other emails.
)

...But there were only these two keys left, that at various times just still would not be received.

And here I tried to receive them again, one by one. And:

Code:
$ gpg --recv-key 3F533109A9509B14
gpg: keyserver receive failed: No data
$


I got that in the output, and in the logs I got:

Code:
Feb  5 22:47:54 g0n kernel: [53855.784662] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key 3F533109A9509B14 ) by /usr/bin/gpg2[bash:32107] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:47:54 g0n kernel: [53855.792711] grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr[conn fd=5:32111] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


I tried the other of the two keys:

Code:
Feb  5 22:52:03 g0n kernel: [54104.758579] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key CECC45E1E979013C ) by /usr/bin/gpg2[bash:32149] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:52:03 g0n kernel: [54104.763208] grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr[conn fd=5:32152] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


Then, not having mastered the skills of Gradm completely, I thought maybe my policy had something to do with the failure, and I was right about that being only partly the cause...

So I thought I would try disabling Gradm:

Code:
Feb  5 22:53:07 g0n kernel: [54169.305388] grsec: (admin:S:/) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:32162] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4154] uid/euid:0/0 gid/egid:0/0
Feb  5 22:53:11 g0n kernel: [54173.083051] grsec: shutdown auth success for /sbin/gradm[gradm:32162] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4154] uid/euid:0/0 gid/egid:0/0
Feb  5 22:53:11 g0n kernel: [54173.083559] grsec: exec of /sbin/grlearn (/sbin/grlearn -stop ) by /sbin/grlearn[gradm:32163] uid/euid:0/0 gid/egid:0/0, parent /[gradm:32162] uid/euid:0/0 gid/egid:0/0


And I tried:

Code:
Feb  5 22:53:24 g0n kernel: [54186.693089] grsec: exec of /usr/bin/gpg2 (gpg --recv-key CECC45E1E979013C ) by /usr/bin/gpg2[bash:32164] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000


At this very time above, I finally received that key. It probably said:

Code:
gpg: key CECC45E1E979013C: public key Thomas Rientjes <[email protected]> imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1


For some reason, the dhcpcd daemon went on to do some work here, even though the connection had been smooth for more than 7 minutes; lines cut, but they are in my archives:

Code:
Feb  5 22:53:35 g0n kernel: [54197.178951] grsec: exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:32166] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:2917] uid/euid:0/0 gid/egid:0/0
Feb  5 22:53:35 g0n kernel: [54197.192528] grsec: exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf/eth1.ra ) by /bin/rm[dhcpcd-run-hook:32169] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:32166] uid/euid:0/0 gid/egid:0/0

[11 lines cut]


And I tried the other key, with the Gradm still disabled:

Code:
Feb  5 22:54:01 g0n kernel: [54222.834516] grsec: exec of /usr/bin/gpg2 (gpg --recv-key 3F533109A9509B14 ) by /usr/bin/gpg2[bash:32187] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000


But maybe I waited too short a time (but bear in mind that the CECC45E1E979013C key was fetched promptly... or was I excited and failed to observe correctly? There's no telling any more...):

Code:
Feb  5 22:54:15 g0n kernel: [54237.332225] grsec: exec of /sbin/gradm (gradm -E ) by /sbin/gradm[bash:32193] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4154] uid/euid:0/0 gid/egid:0/0
Feb  5 22:54:15 g0n kernel: [54237.334303] grsec: chdir to /etc/grsec by /sbin/gradm[gradm:32193] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4154] uid/euid:0/0 gid/egid:0/0
Feb  5 22:54:15 g0n kernel: [54237.383855] grsec: (root:U:/sbin/gradm) grsecurity 3.1 RBAC system loaded by /sbin/gradm[gradm:32193] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4154] uid/euid:0/0 gid/egid:0/0


And of course it wouldn't happen any more:

Code:
Feb  5 22:54:22 g0n kernel: [54244.332691] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --recv-key 3F533109A9509B14 ) by /usr/bin/gpg2[bash:32195] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:6950] uid/euid:1000/1000 gid/egid:1000/1000
Feb  5 22:54:22 g0n kernel: [54244.335941] grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr[conn fd=5:32196] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


Anyway, upon yet another inspection of /etc/grsec/policy later on, I did find that I possibly (still not in the clear) failed to enable two lines that Gradm had learned.

In the next post.
Last edited by timbgo on Mon Feb 06, 2017 12:46 pm, edited 1 time in total.
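An added example (not code from the post, and not gradm's own matcher) that models how gradm-style `connect` rules decide a connect() attempt, to show why the `denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp` lines in the first two posts persist under the policy shown in the next post: the generalized rules cover port 11371/tcp and 53/udp for any address, but nothing covers 127.0.0.1:9050, while the learned loopback line does. The rule syntax `connect <ip>/<prefix>:<port|lo-hi> <sock types...> <protocols...>` and `connect disabled`, and the split between socket-type and protocol tokens, are assumptions modelled on the policy fragments in this thread.

```python
"""Check a socket connect() attempt against gradm-style "connect" rules.

Added example, not code from the post or from gradm. It models the rule
syntax "connect <ip>/<prefix>:<port|lo-hi> <sock types...> <protocols...>"
and "connect disabled" as they appear in the thread's policy fragments.
Which tokens are socket types and which are protocols is an assumption
(SOCK_TYPES below); a rule listing several of each is taken to allow any
combination of the listed types and protocols.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCK_TYPES = {"stream", "dgram", "raw_sock", "rdm", "seqpacket", "any_sock"}

# Constructed policy fragments, copied from the diffs and subjects in the thread.
GENERALIZED = """\
   connect 0.0.0.0/0:11371 stream tcp
   connect 0.0.0.0/0:53 dgram udp
#   connect 127.0.0.1/32:9050 stream tcp
#   connect 127.0.0.1/32:9150 stream tcp
"""
LEARNED = """\
   connect 0.0.0.0/0:11371 stream tcp
   connect 0.0.0.0/0:53 dgram udp
   connect 127.0.0.1/32:9050 stream tcp
   connect 127.0.0.1/32:9150 stream tcp
"""
WIDENED = "   connect 127.0.0.1/32:9050 stream dgram tcp udp\n"
GPG2 = """\
   bind   disabled
   connect   disabled
   sock_allow_family unix inet
"""
# (ip, port, socket type, protocol) as printed in the grsec denial lines.
TOR_SOCKS = ("127.0.0.1", 9050, "stream", "tcp")
HKP = ("18.9.60.141", 11371, "stream", "tcp")


@dataclass(frozen=True)
class ConnectRule:
    net: ipaddress.IPv4Network
    lo: int
    hi: int
    stypes: frozenset
    protos: frozenset
    text: str

    def allows(self, ip: str, port: int, stype: str, proto: str) -> bool:
        return (ipaddress.ip_address(ip) in self.net
                and self.lo <= port <= self.hi
                and (stype in self.stypes or "any_sock" in self.stypes)
                and (proto in self.protos or "any_proto" in self.protos))


def parse_rules(policy_text: str) -> Optional[List[ConnectRule]]:
    """Return a subject's connect rules; None means 'connect disabled'."""
    rules: List[ConnectRule] = []
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line.startswith("connect"):
            continue                      # objects, bind, caps, comments
        parts = line.split()
        if parts[1] == "disabled":
            return None
        addr, port = parts[1].rsplit(":", 1)
        lo, _, hi = port.partition("-")   # single port or lo-hi range
        toks = parts[2:]
        rules.append(ConnectRule(
            net=ipaddress.ip_network(addr, strict=False),
            lo=int(lo), hi=int(hi or lo),
            stypes=frozenset(t for t in toks if t in SOCK_TYPES),
            protos=frozenset(t for t in toks if t not in SOCK_TYPES),
            text=line))
    return rules


def verdict(policy_text: str, attempt: Tuple[str, int, str, str]) -> Tuple[bool, List[str]]:
    """(allowed?, rules that matched) for one connect() attempt."""
    rules = parse_rules(policy_text)
    if rules is None:
        return False, ["connect disabled"]
    hits = [r.text for r in rules if r.allows(*attempt)]
    return bool(hits), hits


if __name__ == "__main__":
    for name, policy in [("generalized", GENERALIZED), ("learned", LEARNED)]:
        for attempt in (TOR_SOCKS, HKP):
            print(name, attempt, verdict(policy, attempt))
```

Paste the `connect` block of any subject into `verdict()` together with the tuple from a denial line to see which rule, if any, would have matched; the `WIDENED` fragment shows that `stream dgram tcp udp` also lets through a UDP datagram to the same port, which no log line in the thread asks for.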

Re: GnuPG programs RBAC policies

Postby timbgo » Mon Feb 06, 2017 12:20 pm

Here I'll post the relevant policies, including the one with my mistake, which I now see more clearly: I thought it was still equivalent to the immediately previously used, properly learned policy that worked fine, but it would get me "denied" lines in the syslog messages.

But first, this is how I do it, because tracking the changes to /etc/grsec/policy is important for discovering issues with the policy.

I keep a backup of the policy (I'm still happy with a monolithic single-file-holds-all policy, but I'm sure a split policy has its advantages), such as this one, which is my current policy:

Code:
# diff grsec_170206_g5n_00 /etc/grsec/policy
#

(empty output, so no difference)
(upon finishing this tip, it's actually:

Code:
# ls -l grsec_170206_g5n_01
-rw------- 1 root root 167756 2017-02-06 16:06 grsec_170206_g5n_01
#


differing only in two lines:
Code:
# diff -u grsec_170206_g5n_0[01]
--- grsec_170206_g5n_00   2017-02-06 08:27:57.802265671 +0100
+++ grsec_170206_g5n_01   2017-02-06 16:06:21.410348123 +0100
@@ -5894,8 +5894,8 @@
    bind 0.0.0.0/32:0 dgram ip udp
    connect 0.0.0.0/0:11371 stream dgram tcp udp
    connect 0.0.0.0/0:53 stream dgram tcp udp
-   connect 127.0.0.1/32:9050 stream tcp
-   connect 127.0.0.1/32:9150 stream tcp
+   connect 127.0.0.1/32:9050 stream dgram tcp udp
+   connect 127.0.0.1/32:9150 stream dgram tcp udp
 #   connect 94.23.204.11/32:11371 stream tcp
 #   connect 18.4.249.71/32:11371 stream tcp
 #   connect 104.236.209.43/32:11371 stream tcp
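Review bot: the two changed lines widen the loopback rules from `stream tcp` to `stream dgram tcp udp`, which is more than the denial asks for; every denied line in the thread reads `denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp`, and the learned entries were `stream tcp` as well, so restoring `connect 127.0.0.1/32:9050 stream tcp` and `connect 127.0.0.1/32:9150 stream tcp` is sufficient and keeps dirmngr from gaining UDP to loopback that nothing on the page shows it using. The same reasoning applies to the unchanged context line `connect 0.0.0.0/0:53 stream dgram tcp udp`, except that there DNS over TCP is a real fallback and `stream tcp` has a use.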
#

)

And this one was when I successfully applied the learning:

Code:
# ls -l grsec_170205_g5n_00
-rw------- 1 root root 166920 2017-02-05 17:53 grsec_170205_g5n_00
#


And I can clearly see the error if I simply diff my new changes against it, made less than 10 minutes after I created it (from learning, of course):

Code:
# ls -l grsec_170205_g5n_0[01]
-rw------- 1 root root 166920 2017-02-05 17:53 grsec_170205_g5n_00
-rw------- 1 root root 167029 2017-02-05 18:04 grsec_170205_g5n_01
#


These are the changes:

Code:
# diff grsec_170205_g5n_0[01]
5889,5904c5889,5906
<    connect 51.15.53.138/32:11371 stream tcp
<    connect 185.95.216.79/32:11371 stream tcp
<    connect 209.15.13.134/32:11371 stream tcp
<    connect 217.69.77.222/32:11371 stream tcp
<    connect 18.9.60.141/32:11371 stream tcp
<    connect 176.9.51.79/32:11371 stream tcp
<    connect 134.93.178.170/32:11371 stream tcp
<    connect 202.141.176.99/32:11371 stream tcp
<    connect 37.191.238.78/32:11371 stream tcp
<    connect 37.120.166.149/32:11371 stream tcp
<    connect 37.250.89.239/32:11371 stream tcp
<    connect 5.9.49.12/32:53 dgram udp
<    connect 31.14.133.188/32:53 dgram udp
<    connect 81.2.237.32/32:53 dgram udp
<    connect 127.0.0.1/32:9050 stream tcp
<    connect 127.0.0.1/32:9150 stream tcp
---
>    connect 0.0.0.0/0:11371 stream tcp
>    connect 0.0.0.0/0:53 dgram udp
> #   connect 51.15.53.138/32:11371 stream tcp
> #   connect 185.95.216.79/32:11371 stream tcp
> #   connect 209.15.13.134/32:11371 stream tcp
> #   connect 217.69.77.222/32:11371 stream tcp
> #   connect 18.9.60.141/32:11371 stream tcp
> #   connect 176.9.51.79/32:11371 stream tcp
> #   connect 134.93.178.170/32:11371 stream tcp
> #   connect 202.141.176.99/32:11371 stream tcp
> #   connect 37.191.238.78/32:11371 stream tcp
> #   connect 37.120.166.149/32:11371 stream tcp
> #   connect 37.250.89.239/32:11371 stream tcp
> #   connect 5.9.49.12/32:53 dgram udp
> #   connect 31.14.133.188/32:53 dgram udp
> #   connect 81.2.237.32/32:53 dgram udp
> #   connect 127.0.0.1/32:9050 stream tcp
> #   connect 127.0.0.1/32:9150 stream tcp
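Review bot: this hunk is where the loopback Tor rules get lost; `connect 127.0.0.1/32:9050 stream tcp` and `connect 127.0.0.1/32:9150 stream tcp` move to commented lines while neither of the two new rules (`connect 0.0.0.0/0:11371 stream tcp`, `connect 0.0.0.0/0:53 dgram udp`) covers 127.0.0.1:9050, which is exactly the `denied connect() to 127.0.0.1 port 9050` line that appears afterwards. Keep the two learned loopback rules active. Collapsing the per-address 11371 rules to `0.0.0.0/0` is a reasonable trade for a keyserver pool whose addresses rotate, but it also lets dirmngr reach any host on that port, so the line deserves a comment saying that is intended.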
8482c8484
<    /var/tmp         
---
>    /var/tmp         rwcd
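Review bot: this second hunk touches a different subject (`/usr/lib64/palemoon`, per the listing further down) in the same policy revision as the dirmngr change; mixing unrelated edits in one diff makes it harder to tell which change produced a new `denied` line, so keep the browser change in its own backup and diff step.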
#


The big chunk is about the subject, which, at line 5843 of the grsec_170205_g5n_01, starts like this:

Code:
# Role: miro
subject /usr/bin/dirmngr o
   /            


And, to tell all that I can (I can't post the complete current policy, and surely I have advanced a lot from the policies that I posted back when I was much less savvy about Gradm: A no-poetterware desktop RBAC policy, viewtopic.php?f=5&t=4153, because I'm not advanced enough to feel safe being sure that I have not made mistakes that could be costly for me if I revealed them...), and since what I post is real-life output, I'll explain the difference at line 8482c8484 (8482 of _00 and 8484 of _01) by posting this:

Code:
# cat grsec_170205_g5n_01 | head -8491 | tail -72
# Role: miro
subject /usr/lib64/palemoon/palemoon o
   /               h
   /Cmn            rw
   /mnt/CD            r
   /Cmn/dLo         rwc
   /boot            h
   /dev            
   /dev/dri         h
   /dev/dri/card0         rw
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/snd         rw
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            
   /home/miro         rw
   /home/miro/.cache      rwcd
   /home/miro/.config      
   /home/miro/.config/gtk-2.0   rwcd
   /home/miro/.local      
   /home/miro/.local/share      rwcd
   "/home/miro/.moonchild productions"   rwcd
#   "/home/miro/.moonchild productions/pale moon"   r
#   "/home/miro/.moonchild productions/pale moon/sre1mcun.default"   rwcd
   /home/miro/.mozilla      
   /home/miro/.sslkey.log      w
   /home/miro/Desktop         rwcd
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/self         r
   /proc/slabinfo         h
   /proc/sys         h
   /run            
   /sys            h
   /sys/devices/system/cpu/online   r
   /sys/devices/system/cpu/present   r
   /tmp            rwcd
   /usr            
   /usr/bin/qpdfview   x
   /usr/bin/vlc      x
   /usr/lib64         rx
   /usr/local         
   /usr/share         r
   /usr/src         h
   /var            h
   /var/cache         h
   /var/cache/fontconfig      r
   /var/tmp         rwcd
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   connect 0.0.0.0/0:0 stream tcp
   connect 0.0.0.0/0:443 stream tcp
   connect 0.0.0.0/0:80 stream tcp
   connect 0.0.0.0/0:53 dgram udp
   sock_allow_family ipv6 netlink


So that "/var/tmp rwcd" difference, while not related to GnuPG, is not left a secret either.
(And that was a correct manual change. BTW, I recommend Palemoon. It's a more honest fork of its origin, the browser Firefox, with no surveillance on users, as best I can tell.)

Back to the "diff grsec_170205_g5n_0[01]". Do you see the mistake that I made in generalizing all the allowed connections to only:

Code:
>    connect 0.0.0.0/0:11371 stream tcp
>    connect 0.0.0.0/0:53 dgram udp


?

And are there more mistakes there that I made... Was it correct the way that I edited it, as you'll see in the policies at the bottom, to:

Code:
>    connect 0.0.0.0/0:11371 stream dgram tcp udp
>    connect 0.0.0.0/0:53 stream dgram tcp udp


Maybe no, maybe yes. I don't remember seeing port 11371 go over anything but HTTP, not yet, and so they are usually "stream tcp", and I haven't seen port 53 be anything other than DNS, and I haven't seen DNS be other than "dgram udp"... But...

But /etc/services holds:

Code:
# cat /etc/services | grep -E '\<53\>|11371'
domain      53/tcp            # Domain Name Server
domain      53/udp
hkp      11371/tcp         # OpenPGP HTTP Keyserver
hkp      11371/udp
#


So it can't be wrong...

What is left out, and should be included? (Just also to say here that I haven't tried this out, and I hope I won't have to eat my words... ;-) But I'm betting that I'm right about the following...)

These are left out; they are not allowed:
Code:
> #   connect 127.0.0.1/32:9050 stream tcp
> #   connect 127.0.0.1/32:9150 stream tcp


And they should be, meaning the comment '#' symbol must be removed. From ~/.gnupg/dirmngr.conf, which gets created automatically (because I don't have my .gnupg permanently present, especially not when I am online, but rather use an auto-created temporary one when I am online, and mount the permanent one from the USB stick in safe conditions only) from:

Code:
/usr/share/gnupg/dirmngr-conf.skel


in my Gentoo FOSS GU Linux:

Code:
$ cat ~/.gnupg/dirmngr.conf | grep -A6 'exactly two keyservers are configured'
# If exactly two keyservers are configured and only one is a Tor hidden
# service, Dirmngr selects the keyserver to use depending on whether
# Tor is locally running or not (on a per session base).

keyserver hkp://jirk5u4osbsr34t5.onion
keyserver hkp://keys.gnupg.net


Tor is not running here, not these days, but as you have seen there are these in the logs:

Code:
grsec: (miro:U:/usr/bin/dirmngr) denied connect() to 127.0.0.1 port 9050 sock type stream protocol tcp by /usr/bin/dirmngr


in a few places in the first and the second post.

Why gpg2 would try to connect to that Tor port when the system isn't running Tor is a mystery to me, as of and up until this time.

But that Tor port was in the Gradm learning, and I removed it by an obvious mistake of mine.

Another mystery remains: why it wouldn't receive the other of the two keys, 3F533109A9509B14, which I still haven't received yet.

But I'm almost done with this topic for today...

Just, finally, the complete policies for the GnuPG programs that I have used and that I have configured policies for.

Code:
# Role: miro
subject /usr/bin/dirmngr o
   /            
   /boot            h
   /dev            h
   /dev/null         rw
   /dev/random         
   /dev/urandom         r
   /etc            h
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/passwd         h
   /etc/ppp         h
   /etc/samba/smbpasswd      h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/resolv.conf      r
   /etc/ssh         h
   /etc/ssl         r
#   /etc/ssl/certs/ca-certificates.crt   r
   /home            h
   /home/miro/.gnupg      
   /home/miro/.gnupg/S.dirmngr   wcd
   /home/miro/.gnupg/crls.d   rwc
   /home/miro/.gnupg/dirmngr.conf   r
   /home/miro/.sslkey.log      a
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /proc            rw
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys/vm/overcommit_memory   r
   /sys            h
   /usr            h
   /usr/bin         h
   /usr/bin/dirmngr      rx
   /usr/lib64         rx
   /usr/share         h
   /usr/share/gnupg   r
#   /usr/share/gnupg/sks-keyservers.netCA.pem   r
   /usr/share/locale      r
   /var/log         h
   -CAP_ALL
   bind 0.0.0.0/32:1024-65535 dgram ip udp
   bind 0.0.0.0/32:0 dgram ip udp
   connect 0.0.0.0/0:11371 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
   connect 127.0.0.1/32:9050 stream dgram tcp udp
   connect 127.0.0.1/32:9150 stream dgram tcp udp
#   connect 94.23.204.11/32:11371 stream tcp
#   connect 18.4.249.71/32:11371 stream tcp
#   connect 104.236.209.43/32:11371 stream tcp
#   connect 37.191.238.78/32:443 stream tcp
#   connect 5.9.49.12/32:53 dgram udp
#   connect 31.14.133.188/32:53 dgram udp
#   connect 81.2.237.32/32:53 dgram udp
#from cca 5 days previous learning:
#   connect 51.15.53.138/32:11371 stream tcp
#   connect 185.95.216.79/32:11371 stream tcp
#   connect 209.15.13.134/32:11371 stream tcp
#   connect 217.69.77.222/32:11371 stream tcp
#   connect 18.9.60.141/32:11371 stream tcp
#   connect 176.9.51.79/32:11371 stream tcp
#   connect 134.93.178.170/32:11371 stream tcp
#   connect 202.141.176.99/32:11371 stream tcp
#   connect 37.191.238.78/32:11371 stream tcp
#   connect 37.120.166.149/32:11371 stream tcp
#   connect 37.250.89.239/32:11371 stream tcp
#   connect 5.9.49.12/32:53 stream dgram tcp udp
#   connect 31.14.133.188/32:53 dgram udp
#   connect 81.2.237.32/32:53 dgram udp
   sock_allow_family ipv6


Code:
# Role: miro
subject /usr/bin/gpg-agent o
   /            
   /boot            h
   /dev            h
   /dev/null         rw
   /dev/random         
   /dev/urandom         r
   /etc            h
   /etc/ld.so.cache      r
   /etc/localtime         r
   /home            h
   /home/miro/.gnupg      rwcd
   /home/miro/.gnupg/private-keys-v1.d   rwc
   /lib/modules         h
   /lib64            h
   /lib64/ld-2.23.so      x
   /lib64/libc-2.23.so      rx
   /lib64/libpthread-2.23.so   rx
   /mnt            r
   /the-usb-mount/.gnupg      rwcd
#   /the-usb-mount/.gnupg/S.gpg-agent   rwcd
#   /the-usb-mount/.gnupg/S.gpg-agent.browser   wcd
#   /the-usb-mount/.gnupg/S.gpg-agent.extra   wcd
#   /the-usb-mount/.gnupg/S.gpg-agent.ssh   wcd
#   /the-usb-mount/.gnupg/private-keys-v1.d   rwc
#   /the-usb-mount/.gnupg/private-keys-v1.d/F6116CD1CD52436EBEE8308117F2BEE3B6F85BDC.key   r
#   /the-usb-mount/.gnupg/private-keys-v1.d/CB9DFF3F7D603BDC16BFA592F926446AD95652F2.key   
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /sys            h
   /usr            h
   /usr/bin         h
   /usr/bin/gpg-agent      rx
   /usr/bin/pinentry-curses   x
   /usr/bin/pinentry-tty      x
   /usr/lib64         rx
   /usr/share         h
   /usr/share/locale      r
   /var/log         h
   -CAP_ALL
   bind   disabled
   connect   disabled
   sock_allow_family unix inet


Code: Select all
# Role: miro
subject /usr/bin/gpgconf o
   /            h
   /etc            h
   /etc/ld.so.cache      r
   /lib64            h
   /lib64/ld-2.23.so      x
   /lib64/libc-2.23.so      rx
   /usr            h
   /usr/lib64/libgcrypt.so.20.1.5   rx
   /usr/lib64/libgpg-error.so.0.21.0   rx
   /usr/lib64/locale/locale-archive   r
   -CAP_ALL
   bind   disabled
   connect   disabled


Code: Select all
# Role: miro
subject /usr/bin/gpg2 o
   /            
   /boot            h
   /dev            h
   /dev/null         rw
   /dev/pts         
   /dev/random         
   /dev/tty         rw
   /dev/urandom         r
   /etc            h
   /etc/inputrc         r
   /etc/ld.so.cache      r
   /etc/localtime         r
   /etc/terminfo         
   /home            h
   /home/miro         rwcdl
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   /the-usb-mount         r
   /the-usb-mount/.gnupg      rwcdl
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /sys            h
   /tmp            r
   /usr            h
   /usr/bin         h
   /usr/bin/dirmngr      x
   /usr/bin/gpg-agent      x
   /usr/bin/gpg2         rx
   /usr/lib64         rx
   /usr/share         r
   /var/log         h
   -CAP_ALL
   bind   disabled
   connect   disabled
   sock_allow_family unix inet


Code: Select all
# Role: miro
subject /usr/libexec/gnupg/gpgkeys_hkp o
   /               h
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/passwd         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /usr            h
   /usr/libexec/gnupg/gpgkeys_hkp   rx
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   connect 0.0.0.0/0:11371 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
   sock_allow_family ipv6 netlink


I hope this might be useful to newbies to Gradm. And on the other hand, if there are corrections/suggestions for improvements, I'll be thankful!

E.g., what I forgot to mention, Gradm is very slow to convert quite a lot of (more than 10) single HKP servers into the:
Code: Select all
    connect 0.0.0.0/0:11371 stream tcp

shorthand. I saw that such slowness wasn't the case with learning for other programs. Is there a reason for that slowness?

Regards!

Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr <-- HTTPS from now
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
Last edited by timbgo on Mon Feb 06, 2017 12:46 pm, edited 1 time in total.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: GnuPG programs RBAC policies

Postby timbgo » Mon Feb 06, 2017 12:33 pm

Just one thing to add. If I'm not back within a small number of days, the policies I posted in the third post work fine.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: GnuPG programs RBAC policies

Postby timbgo » Wed Feb 08, 2017 1:22 pm

I would still get (this is upon sending signed and/or encrypted mail):
Code: Select all
$ mutt
gpg: can't connect to the agent: IPC connect call failed
gpg: skipped "0x4FBAF0AE": No secret key
gpg: signing failed: No secret key
Press any key to continue...
Mailbox is unchanged.
$

even though the USB stick was mounted (BTW, I forgot to mention earlier: the mounted partition of the USB drive is encrypted, with a good password).

So I made further changes. First:



And at first I could, upon gradm -D, followed by gradm -E on the modified policy, send PGP-signed/encrypted messages.

But then again, I would get:
Code: Select all
Feb  7 10:53:09 g0n kernel: [183777.765490] grsec: (miro:U:/bin/bash) exec of /bin/bash (sh -c gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode -u 0x4FBAF0AE /tmp/mutt-g0n-1000-18) by /bin/bash[mutt:18257] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:18243] uid/euid:1000/1000 gid/egid:1000/1000
Feb  7 10:53:09 g0n kernel: [183777.771874] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode -u 0x4FBAF0AE /tmp/mutt-g0n-1000-18243-11) by /usr/bin/gpg2[sh:18257] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:18243] uid/euid:1000/1000 gid/egid:1000/1000
Feb  7 10:53:09 g0n kernel: [183777.779226] grsec: (miro:U:/usr/bin/gpg2) denied connect() to the unix domain socket /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg2[gpg:18257] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:18243] uid/euid:1000/1000 gid/egid:1000/1000
Feb  7 10:53:09 g0n kernel: [183777.779303] grsec: (miro:U:/usr/bin/gpg2) denied create of /the-usb-mount/.gnupg/.#lk0x0000005c1ba10180.g0n.18257 for writing by /usr/bin/gpg2[gpg:18257] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:18243] uid/euid:1000/1000 gid/egid:1000/1000


Made these changes:
diff grsec_170206_g5n_01 grsec_170207_g5n_00
Code: Select all
6240a6241
>    /home/miro/.gnupg         rwcdl
6245c6246
<    /the-usb-mount         r
---
>    /the-usb-mount         rwcdl
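Review bot: the second change widens /the-usb-mount in the gpg2 subject from r to rwcdl, that is write, create, delete and link on the whole mount root of the key stick, while both denials it answers (the connect() to /the-usb-mount/.gnupg/S.gpg-agent and the create of /the-usb-mount/.gnupg/.#lk...) sit under /the-usb-mount/.gnupg, which the gpg2 subject as first posted already had as rwcdl. Keep the mount root at r and look instead at why the .gnupg rule did not apply; the gradm -E warning quoted later in the thread, that /home/miro/.gnupg is a writable symlinked directory pointing to /the-usb-mount/.gnupg, is the obvious lead, since the agent is started with --homedir /home/miro/.gnupg and the kernel resolves the path through that symlink.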



And again, at first, sending was fine. But then again the same, except that these log lines are a little more telling:

Code: Select all
Feb  8 16:10:56 g0n kernel: [289251.059769] grsec: (miro:U:/bin/bash) exec of /bin/bash (sh -c gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode -u 0x4FBAF0AE /tmp/mutt-g0n-1000-10) by /bin/bash[mutt:1074] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:1063] uid/euid:1000/1000 gid/egid:1000/1000
Feb  8 16:10:56 g0n kernel: [289251.065829] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode -u 0x4FBAF0AE /tmp/mutt-g0n-1000-1063-993) by /usr/bin/gpg2[sh:1074] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:1063] uid/euid:1000/1000 gid/egid:1000/1000
Feb  8 16:10:56 g0n kernel: [289251.073710] grsec: (miro:U:/usr/bin/gpg2) chdir to / by /usr/bin/gpg2[gpg:1078] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg2[gpg:1074] uid/euid:1000/1000 gid/egid:1000/1000
Feb  8 16:10:56 g0n kernel: [289251.074165] grsec: (miro:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/miro/.gnupg --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  8 16:10:56 g0n kernel: [289251.076049] grsec: (miro:U:/usr/bin/gpg-agent) denied chmod of /the-usb-mount/.gnupg/private-keys-v1.d by /usr/bin/gpg-agent[gpg-agent:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  8 16:10:56 g0n kernel: [289251.076187] grsec: (miro:U:/usr/bin/gpg-agent) denied connect() to the unix domain socket /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg-agent[gpg-agent:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  8 16:10:56 g0n kernel: [289251.076218] grsec: (miro:U:/usr/bin/gpg-agent) denied unlink of /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg-agent[gpg-agent:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0



So I added the (read man capabilities):
Code: Select all
   +CAP_FOWNER

to the gpg2 subject.

And it works, but I am yet to see if it will continue to work... Obviously, this matter is not closed yet. If this now works, I'll give the complete policies again, the ones that work for me, so the story is clear, in another few days from now (less urgent now).
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: GnuPG programs RBAC policies

Postby timbgo » Wed Feb 08, 2017 2:00 pm

I didn't read it correctly...
This part worked with the changes that I did:
timbgo wrote:...
Code: Select all
Feb  8 16:10:56 g0n kernel: [289251.059769] grsec: (miro:U:/bin/bash) exec of /bin/bash (sh -c gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode -u 0x4FBAF0AE /tmp/mutt-g0n-1000-10) by /bin/bash[mutt:1074] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:1063] uid/euid:1000/1000 gid/egid:1000/1000
Feb  8 16:10:56 g0n kernel: [289251.065829] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode -u 0x4FBAF0AE /tmp/mutt-g0n-1000-1063-993) by /usr/bin/gpg2[sh:1074] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:1063] uid/euid:1000/1000 gid/egid:1000/1000
Feb  8 16:10:56 g0n kernel: [289251.073710] grsec: (miro:U:/usr/bin/gpg2) chdir to / by /usr/bin/gpg2[gpg:1078] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg2[gpg:1074] uid/euid:1000/1000 gid/egid:1000/1000
Feb  8 16:10:56 g0n kernel: [289251.074165] grsec: (miro:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/miro/.gnupg --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

But here I need to do similar changes to another subject, the /usr/bin/gpg-agent:
Code: Select all
Feb  8 16:10:56 g0n kernel: [289251.076049] grsec: (miro:U:/usr/bin/gpg-agent) denied chmod of /the-usb-mount/.gnupg/private-keys-v1.d by /usr/bin/gpg-agent[gpg-agent:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  8 16:10:56 g0n kernel: [289251.076187] grsec: (miro:U:/usr/bin/gpg-agent) denied connect() to the unix domain socket /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg-agent[gpg-agent:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  8 16:10:56 g0n kernel: [289251.076218] grsec: (miro:U:/usr/bin/gpg-agent) denied unlink of /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg-agent[gpg-agent:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


Again, it now worked only with the same changes to that other subject. But only once it continues to work:
...I'll give the complete policies again, that work for me, so the story is clear, in another few days from now (less urgent now).
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: GnuPG programs RBAC policies

Postby timbgo » Sat Feb 11, 2017 5:27 pm

Also because of this:
Code: Select all
Feb 10 16:49:50 g5n kernel: [  703.290985] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --list-secret-keys ) by /usr/bin/gpg2[bash:4614] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4244] uid/euid:1000/1000 gid/egid:1000/1000
Feb 10 16:49:50 g5n kernel: [  703.310966] grsec: (miro:U:/usr/bin/gpg2) chdir to / by /usr/bin/gpg2[gpg:4615] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg2[gpg:4614] uid/euid:1000/1000 gid/egid:1000/1000
Feb 10 16:49:50 g5n kernel: [  703.312067] grsec: (miro:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/miro/.gnupg --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:4616] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 10 16:49:50 g5n kernel: [  703.317257] grsec: (miro:U:/usr/bin/gpg-agent) denied chmod of /the-usb-mount/.gnupg/private-keys-v1.d by /usr/bin/gpg-agent[gpg-agent:4616] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 10 16:49:50 g5n kernel: [  703.317331] grsec: (miro:U:/usr/bin/gpg-agent) denied mknod of /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg-agent[gpg-agent:4616] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 10 16:49:55 g5n kernel: [  708.315822] grsec: (miro:U:/usr/bin/gpg2) chdir to / by /usr/bin/gpg2[gpg:4617] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg2[gpg:4614] uid/euid:1000/1000 gid/egid:1000/1000
Feb 10 16:49:55 g5n kernel: [  708.317081] grsec: (miro:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/miro/.gnupg --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:4618] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 10 16:49:55 g5n kernel: [  708.322125] grsec: (miro:U:/usr/bin/gpg-agent) denied chmod of /the-usb-mount/.gnupg/private-keys-v1.d by /usr/bin/gpg-agent[gpg-agent:4618] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 10 16:49:55 g5n kernel: [  708.322335] grsec: (miro:U:/usr/bin/gpg-agent) denied mknod of /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg-agent[gpg-agent:4618] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 10 16:50:00 g5n kernel: [  713.320206] grsec: (miro:U:/usr/bin/gpg2) chdir to / by /usr/bin/gpg2[gpg:4619] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpg2[gpg:4614] uid/euid:1000/1000 gid/egid:1000/1000
Feb 10 16:50:00 g5n kernel: [  713.321441] grsec: (miro:U:/usr/bin/gpg-agent) exec of /usr/bin/gpg-agent (gpg-agent --homedir /home/miro/.gnupg --use-standard-socket --daemon ) by /usr/bin/gpg-agent[gpg:4620] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

this was needed:
Code: Select all
# diff /the-usb-mount/Tmp.d/grsec_170210_g0n_01 /etc/grsec/policy
6215d6214
<    +CAP_MKNOD
6274d6272
<    +CAP_MKNOD
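Review bot: mind the argument order of this diff: the newer file /the-usb-mount/Tmp.d/grsec_170210_g0n_01 is the first operand, so the two "<    +CAP_MKNOD" lines are what the new policy adds (to the subjects at lines 6215 and 6274), not what it drops. The denials being answered are "denied mknod of /the-usb-mount/.gnupg/S.gpg-agent" under the gpg-agent subject, which is the agent binding its unix socket; before keeping a capability after -CAP_ALL, confirm by dropping the +CAP_MKNOD again and re-running gpg --list-secret-keys that it is the capability, and not a missing create/write mode on the .gnupg directory, that clears the entry, since an object mode is the narrower grant of the two.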
g0n ~ #


TBO, that was with another same-content USB-stick... (surely encrypted like the first one).

I'm still not done with these policies. Because I've sent very little mail these days (so I haven't encrypted/signed much at all).

At this stage when these policies are fully written and likely working mostly fine, there's no urgency to send mail just to check the policies...

Will be back.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: GnuPG programs RBAC policies

Postby timbgo » Fri Feb 17, 2017 12:39 pm

This is just a note about what I get. The first two lines only relate to GnuPG.
Code: Select all
# gradm -E
Warning: In role miro subject /usr/bin/gpg-agent, pathname "/home/miro/.gnupg/private-keys-v1.d":
A writable and symlinked directory "/home/miro/.gnupg" points to "/the-usb-mount/.gnupg".
Warning: write access is allowed to your subject for /home/miro/jpm/bin/jpm in role miro.  Please ensure that the subject is running with less privilege than the default subject.
#


And this is another minor change.
Code: Select all
# diff -u16 /etc/grsec/policy  grsec_170215_g0n_00
--- /etc/grsec/policy   2017-02-14 06:13:24.709958587 +0100
+++ grsec_170215_g0n_00   2017-02-15 14:23:24.499819097 +0100
@@ -1871,37 +1871,39 @@
    bind   disabled
    connect   disabled
 
 # Role: root
 subject /sbin/init o
    /            h
    /bin
    /bin/login         x
    /dev            h
    /dev/console         rw
    /dev/initctl         rw
    /dev/log         rw
    /run            h
    /run/utmp         rw
    /sbin            h
    /sbin/agetty         x
+   /usr/bin/gpg-agent      r
    /usr/sbin/conntrackd   r
    /var            h
    /var/log/wtmp         w
    /var/lib/dhcpcd         w
    -CAP_ALL
+   +CAP_MKNOD
    bind   disabled
    connect   disabled
 
 # Role: root
 subject /sbin/installkernel o
    /            h
    /bin            x
    /boot            wc
    /dev            h
    /dev/tty         rw
    /etc            h
    /etc/ld.so.cache      r
    /lib64            rx
    /lib64/modules         h
    /proc            h
    /proc/meminfo         r
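Review bot: both additions land in the root-role /sbin/init subject, but the chmod and mknod denials posted on Feb 8 and Feb 10 are logged under (miro:U:/usr/bin/gpg-agent), the gpg-agent subject of role miro; init appears in those entries only as the parent of the reparented daemon, and the subject a process runs under is determined by its own binary. Giving init +CAP_MKNOD and read access to /usr/bin/gpg-agent therefore does not address those entries and widens a subject that runs as root; +CAP_MKNOD belongs, if anywhere, in the gpg-agent subject, which is where the final policies in this thread put it, so these two lines can be reverted.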
# cp -iav grsec_170215_g0n_00 /etc/grsec/policy
cp: overwrite '/etc/grsec/policy'? y
'grsec_170215_g0n_00' -> '/etc/grsec/policy'
# gradm -D
Password:
# gradm -E


There's one more change, and then, maybe right away if I make it, the policies.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: GnuPG programs RBAC policies

Postby timbgo » Fri Feb 17, 2017 12:46 pm

Code: Select all
$ gpgconf --kill gpg-agent
gpgconf: error running '/usr/bin/gpg-connect-agent': probably not installed
gpgconf: error running '/usr/bin/gpg-connect-agent KILLAGENT': Configuration error
$


Code: Select all
Feb 16 15:57:43 g0n kernel: [176466.542759] grsec: (miro:U:/usr/bin/gpgconf) exec of /usr/bin/gpgconf (gpgconf --kill gpg-agent ) by /usr/bin/gpgconf[bash:28672] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5900] uid/euid:1000/1000 gid/egid:1000/1000
Feb 16 15:57:43 g0n kernel: [176466.547257] grsec: (miro:U:/usr/bin/gpgconf) denied access to hidden file /proc/28673/fd by /usr/bin/gpgconf[gpgconf:28673] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpgconf[gpgconf:28672] uid/euid:1000/1000 gid/egid:1000/1000
Feb 16 15:57:43 g0n kernel: [176466.549214] grsec: (miro:U:/usr/bin/gpgconf) denied access to hidden file /usr/bin/gpg-connect-agent by /usr/bin/gpgconf[gpgconf:28673] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpgconf[gpgconf:28672] uid/euid:1000/1000 gid/egid:1000/1000


Code: Select all
$ gpgconf --kill gpg-agent
gpgconf: error running '/usr/bin/gpg-connect-agent': probably not installed
gpgconf: error running '/usr/bin/gpg-connect-agent KILLAGENT': Configuration error
$ gpg-connect-agent -h
gpg-connect-agent (GnuPG) 2.1.18
Copyright (C) 2017 Free Software Foundation, Inc.
...
Options:
 
 -v, --verbose           verbose
 -q, --quiet             quiet
...
$


Code: Select all
Feb 16 16:01:46 g0n kernel: [176709.645431] grsec: (miro:U:/usr/bin/gpgconf) exec of /usr/bin/gpgconf (gpgconf --kill gpg-agent ) by /usr/bin/gpgconf[bash:28719] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5900] uid/euid:1000/1000 gid/egid:1000/1000
Feb 16 16:01:46 g0n kernel: [176709.650191] grsec: (miro:U:/usr/bin/gpgconf) denied access to hidden file /proc/28720/fd by /usr/bin/gpgconf[gpgconf:28720] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpgconf[gpgconf:28719] uid/euid:1000/1000 gid/egid:1000/1000
Feb 16 16:01:46 g0n kernel: [176709.654598] grsec: (miro:U:/usr/bin/gpgconf) denied access to hidden file /usr/bin/gpg-connect-agent by /usr/bin/gpgconf[gpgconf:28720] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpgconf[gpgconf:28719] uid/euid:1000/1000 gid/egid:1000/1000
Feb 16 16:01:55 g0n kernel: [176717.923283] grsec: (miro:U:/usr/bin/gpg-connect-agent) exec of /usr/bin/gpg-connect-agent (gpg-connect-agent -h ) by /usr/bin/gpg-connect-agent[bash:28722] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5900] uid/euid:1000/1000 gid/egid:1000/1000
Feb 16 16:02:14 g0n kernel: [176737.254906] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat ) by /bin/cat[bash:28723] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5900] uid/euid:1000/1000 gid/egid:1000/1000


Changes... are these (I'm working on virtualization policies in parallel, so the line numbers do not correspond to the numbers in the previous post in this topic):

Code: Select all
# diff -u13 grsec_170216_g0n_02 grsec_170216_g0n_03
--- grsec_170216_g0n_02   2017-02-16 15:03:18.416231467 +0000
+++ grsec_170216_g0n_03   2017-02-16 15:07:53.428216268 +0000
@@ -6249,26 +6249,28 @@
    connect   disabled
    sock_allow_family unix inet
 
 # Role: miro
 subject /usr/bin/gpgconf o
    /            h
    /dev/null         rw
    /etc            h
    /etc/ld.so.cache      r
    /lib64            h
    /lib64/ld-2.23.so      x
    /lib64/libc-2.23.so      rx
    /usr            h
+   /usr/bin
+   /usr/bin/gpg-connect-agent      rx
    /usr/share/locale   r
    /usr/lib64/libgcrypt.so.20.1.5   rx
    /usr/lib64/libgpg-error.so.0.21.0   rx
    /usr/lib64/locale/locale-archive   r
    -CAP_ALL
    bind   disabled
    connect   disabled
 
 ## Role: miro
 #subject /usr/bin/gpgparsemail ol
 #   /            h
 #   -CAP_ALL
 #   bind   disabled
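Review bot: the two added lines answer the second denial in the log ("denied access to hidden file /usr/bin/gpg-connect-agent"), but the first one in the same entry, "denied access to hidden file /proc/28673/fd", is left alone: with "/ h" at the top of this subject and no /proc object, gpgconf will hit it and log it on every --kill. Either add a /proc object (together with the $grsec_denied entries this policy uses elsewhere to keep kcore, kallsyms and modules hidden) so gpgconf can inspect its own descriptors, or, if keeping it hidden is deliberate, add the s flag the way $grsec_denied does for /lib/modules to stop the noise. Also, x rather than rx is enough to execute gpg-connect-agent; the policy already uses plain x for /bin/login and for the pinentry programs.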


And now, after first:

Code: Select all
$ gpgconf --kill gpg-agent


it works again...

But I could do something here to save me from too much typing...

Code: Select all
# for i in $(ls -1 /usr/bin/gpg*  /usr/bin/pinentry*); do if [ ! -L "$i" ]; then ls -1 $i ; fi ; done ;
/usr/bin/gpg2
/usr/bin/gpg-agent
/usr/bin/gpgconf
/usr/bin/gpg-connect-agent
/usr/bin/gpg-error
/usr/bin/gpgme-config
/usr/bin/gpgme-tool
/usr/bin/gpgparsemail
/usr/bin/gpgscm
/usr/bin/gpgsm
/usr/bin/gpgtar
/usr/bin/gpgv2
/usr/bin/pinentry-curses
/usr/bin/pinentry-tty


(and later I added /usr/bin/dirmngr)

Those are the programs for which it is natural that they can access each other. So I'll define a variable.


Code: Select all
for i in $(ls -1 /usr/bin/gpg*  /usr/bin/pinentry*); do if [ ! -L "$i" ]; then echo $i|sed 's/\(.*\)/\1\trx/' ; fi ; done ;
/usr/bin/gpg2   rx
/usr/bin/gpg-agent   rx
/usr/bin/gpgconf   rx
/usr/bin/gpg-connect-agent   rx
/usr/bin/gpg-error   rx
/usr/bin/gpgme-config   rx
/usr/bin/gpgme-tool   rx
/usr/bin/gpgparsemail   rx
/usr/bin/gpgscm   rx
/usr/bin/gpgsm   rx
/usr/bin/gpgtar   rx
/usr/bin/gpgv2   rx
/usr/bin/pinentry-curses   rx
/usr/bin/pinentry-tty   rx


is now ready for pasting, and I'll paste this define right after my factory-made ( ;-) ) $grsec_denied at the top:

Code: Select all
define gpg_programs {
/usr/bin/gpg2   rx
/usr/bin/gpg-agent  rx
/usr/bin/gpgconf    rx
/usr/bin/gpg-connect-agent  rx
/usr/bin/gpg-error  rx
/usr/bin/gpgme-config   rx
/usr/bin/gpgme-tool rx
/usr/bin/gpgparsemail   rx
/usr/bin/gpgscm rx
/usr/bin/gpgsm  rx
/usr/bin/gpgtar rx
/usr/bin/gpgv2  rx
/usr/bin/pinentry-curses    rx
/usr/bin/pinentry-tty   rx
# usage:
# $gpg_programs
}


You realize that the note in bottom about the usage is very original, of course... (Only trying to joke.)

Code: Select all
diff -u13 /etc/grsec/policy grsec_170216_g0n_04
--- /etc/grsec/policy   2017-02-16 16:07:53.428216268 +0100
+++ grsec_170216_g0n_04   2017-02-16 16:56:27.462055220 +0100
@@ -256,26 +256,46 @@
    /proc/kcore   h
    /proc/slabinfo   h
    /proc/modules   h
    /proc/kallsyms   h
    # hide and suppress logs about accessing this path
    /lib/modules   hs
    /lib32/modules   hs
    /lib64/modules   hs
    /etc/ssh   h
 # usage:
 # $grsec_denied
 }
 
+define gpg_programs {
+/usr/bin/dirmngr   rx
+/usr/bin/gpg2   rx
+/usr/bin/gpg-agent   rx
+/usr/bin/gpgconf   rx
+/usr/bin/gpg-connect-agent   rx
+/usr/bin/gpg-error   rx
+/usr/bin/gpgme-config   rx
+/usr/bin/gpgme-tool   rx
+/usr/bin/gpgparsemail   rx
+/usr/bin/gpgscm   rx
+/usr/bin/gpgsm   rx
+/usr/bin/gpgtar   rx
+/usr/bin/gpgv2   rx
+/usr/bin/pinentry-curses   rx
+/usr/bin/pinentry-tty   rx
+# usage:
+# $gpg_programs
+}
+
 role shutdown sARG
 subject / rvka
    /
    /dev
    /dev/urandom   r
    /dev/random   r
    /etc      r
    /bin      rx
    /sbin      rx
    /lib      rx
    /lib32      rx
    /libx32      rx
    /lib64      rx
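Review bot: $gpg_programs hands rx on every GnuPG binary to each subject that expands it, which undoes the narrowing visible earlier in the thread: the gpg-agent subject as first posted could execute only pinentry-curses and pinentry-tty besides itself, and gpg2 only dirmngr and gpg-agent. Once this define is pulled in, gpg-agent, gpg2 and gpgconf can each run gpgsm, gpgtar, gpgscm, gpgme-tool, gpg-error and gpgv2, tools the thread itself leaves with commented-out subjects as unused. A define per caller (the pinentry programs for the agent; gpg-agent and dirmngr for gpg2; gpg-connect-agent for gpgconf) keeps the typing saved without the blanket exec, and x rather than rx is sufficient to run a binary.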
@@ -6165,30 +6185,27 @@
 #   the-usb-mount/.gnupg/private-keys-v1.d   rwc
 #   the-usb-mount/.gnupg/private-keys-v1.d/61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85.key   r
 #   the-usb-mount/.gnupg/private-keys-v1.d/69DCB3F7DFF03B916BFADC92F522F46A64565D92.key   
    /proc            
    /proc/bus         h
    /proc/kallsyms         h
    /proc/kcore         h
    /proc/modules         h
    /proc/slabinfo         h
    /proc/sys         h
    /sys            h
    /usr            h
    /usr/bin         h
-   /usr/bin/gpg-agent      rx
-   /usr/bin/gpg-connect-agent      rx
-   /usr/bin/pinentry-curses   x
-   /usr/bin/pinentry-tty      x
+   $gpg_programs
    /usr/lib64         rx
    /usr/share         h
    /usr/share/locale      r
    /var/log         h
    -CAP_ALL
    +CAP_FOWNER
    +CAP_MKNOD
    bind   disabled
    connect   disabled
    sock_allow_family unix inet
 
 # Role: miro
 subject /usr/bin/gpg-connect-agent ol
@@ -6226,51 +6243,49 @@
    the-usb-mount         rwcdl
    the-usb-mount/.gnupg      rwcdl
    /proc            
    /proc/bus         h
    /proc/kallsyms         h
    /proc/kcore         h
    /proc/modules         h
    /proc/slabinfo         h
    /proc/sys         h
    /sys            h
    /tmp            r
    /usr            h
    /usr/bin         h
-   /usr/bin/dirmngr      x
-   /usr/bin/gpg-agent      x
-   /usr/bin/gpg2         rx
+   $gpg_programs
    /usr/lib64         rx
    /usr/share         r
    /var/log         h
    -CAP_ALL
    +CAP_FOWNER
    +CAP_MKNOD
    bind   disabled
    connect   disabled
    sock_allow_family unix inet
 
 # Role: miro
 subject /usr/bin/gpgconf o
    /            h
    /dev/null         rw
    /etc            h
    /etc/ld.so.cache      r
    /lib64            h
    /lib64/ld-2.23.so      x
    /lib64/libc-2.23.so      rx
    /usr            h
    /usr/bin
-   /usr/bin/gpg-connect-agent      rx
+   $gpg_programs
    /usr/share/locale   r
    /usr/lib64/libgcrypt.so.20.1.5   rx
    /usr/lib64/libgpg-error.so.0.21.0   rx
    /usr/lib64/locale/locale-archive   r
    -CAP_ALL
    bind   disabled
    connect   disabled
 
 ## Role: miro
 #subject /usr/bin/gpgparsemail ol
 #   /            h
 #   -CAP_ALL
 #   bind   disabled
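Review bot: the context lines "the-usb-mount rwcdl" and "the-usb-mount/.gnupg rwcdl" in the gpg2 subject, like the commented private-keys-v1.d lines in the gpg-agent hunk above, have lost their leading slash, which the Feb 6 posting of the same subject still had (/the-usb-mount r); this looks like the search-and-replace that substitutes the-usb-mount for the real mount point (the final post shows /mnt/sdd1) eating the slash. Every other object in this policy is an absolute path, so anyone copying the hunk as printed gets a policy that differs from the one actually running; worth restoring the slash in the post. The gpgconf part of the hunk swaps the single gpg-connect-agent object for $gpg_programs, so gpgconf, which only needs to spawn gpg-connect-agent for --kill, now gets execute on every GnuPG tool.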


This appears to be working fine now...

Next, I hope right away, the (likely final) policies.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
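The denial entries quoted in the posts above all follow one pattern: "(role:type:subject) denied <operation> of <path> ... by <binary>[comm:pid]". Turning a batch of them into candidate object lines is what the thread does by hand, one denial at a time; the script below does the same mechanically. It is an added example, not part of the original posts and not gradm output: the sample log is constructed from the lines posted in this thread, and the operation-to-mode mapping (w to connect() to a unix socket, wc for mknod and lock-file creation, d for unlink, w for chmod, an object with no mode to un-hide a path, as this policy does for /proc and /dev/pts) is this example's reading of the gradm object modes, so check each suggested line against the gradm documentation before pasting it into a subject. Per-process names (the .#lk... lock files, /proc/<pid>/...) are collapsed into wildcard patterns so one rule covers the next run too.

```python
"""Turn grsecurity RBAC denial log lines into candidate gradm object rules.

Added example for this thread; not gradm's output and not the author's code.
SAMPLE_LOG is constructed from the kernel log excerpts posted in the thread
(paths, PIDs and timestamps as they appear there; one exec line has its
command abbreviated).  The operation-to-mode mapping in OPERATIONS is this
example's reading of the gradm object modes, to be checked against gradm's
own documentation before use.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Feb  4 23:06:01 g0n kernel: [22705.364175] grsec: (miro:U:/usr/bin/gpg2) denied open of /the-usb-mount/.gnupg/trustdb.gpg for reading writing by /usr/bin/gpg2[gpg:6643] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5271] uid/euid:1000/1000 gid/egid:1000/1000
Feb  7 10:53:09 g0n kernel: [183777.771874] grsec: (miro:U:/usr/bin/gpg2) exec of /usr/bin/gpg2 (gpg --batch --detach-sign /tmp/mutt-g0n-1000-18243-11) by /usr/bin/gpg2[sh:18257] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:18243] uid/euid:1000/1000 gid/egid:1000/1000
Feb  7 10:53:09 g0n kernel: [183777.779226] grsec: (miro:U:/usr/bin/gpg2) denied connect() to the unix domain socket /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg2[gpg:18257] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:18243] uid/euid:1000/1000 gid/egid:1000/1000
Feb  7 10:53:09 g0n kernel: [183777.779303] grsec: (miro:U:/usr/bin/gpg2) denied create of /the-usb-mount/.gnupg/.#lk0x0000005c1ba10180.g0n.18257 for writing by /usr/bin/gpg2[gpg:18257] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:18243] uid/euid:1000/1000 gid/egid:1000/1000
Feb  8 16:10:56 g0n kernel: [289251.076049] grsec: (miro:U:/usr/bin/gpg-agent) denied chmod of /the-usb-mount/.gnupg/private-keys-v1.d by /usr/bin/gpg-agent[gpg-agent:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb  8 16:10:56 g0n kernel: [289251.076218] grsec: (miro:U:/usr/bin/gpg-agent) denied unlink of /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg-agent[gpg-agent:1080] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 10 16:49:50 g5n kernel: [  703.317331] grsec: (miro:U:/usr/bin/gpg-agent) denied mknod of /the-usb-mount/.gnupg/S.gpg-agent by /usr/bin/gpg-agent[gpg-agent:4616] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 16 15:57:43 g0n kernel: [176466.547257] grsec: (miro:U:/usr/bin/gpgconf) denied access to hidden file /proc/28673/fd by /usr/bin/gpgconf[gpgconf:28673] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpgconf[gpgconf:28672] uid/euid:1000/1000 gid/egid:1000/1000
Feb 16 15:57:43 g0n kernel: [176466.549214] grsec: (miro:U:/usr/bin/gpgconf) denied access to hidden file /usr/bin/gpg-connect-agent by /usr/bin/gpgconf[gpgconf:28673] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gpgconf[gpgconf:28672] uid/euid:1000/1000 gid/egid:1000/1000
""".splitlines()

# "(role:type:subject) denied <what> by /path/to/binary[comm:pid]"; exec and
# chdir audit lines say "exec of"/"chdir to" instead of "denied" and are skipped.
DENIED = re.compile(
    r"grsec: \((?P<role>[^:]+):[^:]+:(?P<subject>[^)]+)\) denied (?P<what>.*?)"
    r" by (?P<binary>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)


def _open_modes(m):
    how = m["how"]  # "reading", "writing" or "reading writing"
    return m["path"], ("r" if "reading" in how else "") + ("w" if "writing" in how else "")


# (regex over <what>, function match -> (path, mode letters the object needs)).
# The modes are this example's mapping of each kernel operation onto gradm modes.
OPERATIONS = [
    (re.compile(r"^open of (?P<path>\S+) for (?P<how>[a-z ]+)$"), _open_modes),
    (re.compile(r"^create of (?P<path>\S+) for writing$"), lambda m: (m["path"], "wc")),
    (re.compile(r"^connect\(\) to the unix domain socket (?P<path>\S+)$"), lambda m: (m["path"], "w")),
    (re.compile(r"^mknod of (?P<path>\S+)$"), lambda m: (m["path"], "wc")),
    (re.compile(r"^unlink of (?P<path>\S+)$"), lambda m: (m["path"], "d")),
    (re.compile(r"^chmod of (?P<path>\S+)$"), lambda m: (m["path"], "w")),
    # A hidden path is one the policy lists with "h"; listing it with no mode un-hides it.
    (re.compile(r"^access to hidden file (?P<path>\S+)$"), lambda m: (m["path"], "")),
]

LOCKFILE = re.compile(r"^(?P<dir>/.*)/\.#lk0x[0-9a-f]+\.[^/]+$")  # GnuPG lock files
PROC_PID = re.compile(r"^/proc/\d+(?P<rest>/.*)?$")


def generalize(path):
    """Collapse per-process names into wildcard patterns so one rule covers the next run."""
    m = LOCKFILE.match(path)
    if m:
        return m["dir"] + "/.#lk*"
    m = PROC_PID.match(path)
    if m:
        return "/proc/*" + (m["rest"] or "")
    return path


def parse_denials(lines):
    """Map (role, subject) -> {object path -> set of mode letters the denials ask for}."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        for op_re, extract in OPERATIONS:
            op = op_re.match(m["what"])
            if op:
                path, modes = extract(op)
                needed[(m["role"], m["subject"])][generalize(path)].update(modes)
                break
    return {key: dict(objs) for key, objs in needed.items()}


MODE_ORDER = "rwcdlx"  # print modes in the order this thread's policy uses them


def suggest_rules(needed):
    """Render candidate object lines in the policy's own layout, grouped per subject."""
    out = []
    for (role, subject), objects in sorted(needed.items()):
        out.append(f"# role {role}, subject {subject}: objects the denials ask for")
        for path, modes in sorted(objects.items()):
            mode = "".join(c for c in MODE_ORDER if c in modes)
            out.append(f"   {path:<48} {mode}".rstrip())
        out.append("")
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    print(suggest_rules(parse_denials(SAMPLE_LOG)))
```

Feed it the output of grep grsec: /var/log/kern.log (or the file the logger writes on your system) and treat the result as a starting point, not a policy: it lists what the denied operations would have needed, which is not the same as what the program should be allowed. A d on S.gpg-agent is something to grant to the gpg-agent subject that owns the socket, and a hidden /proc/<pid>/fd may be better left hidden with its log suppressed than opened up.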

Re: GnuPG programs RBAC policies

Postby timbgo » Fri Feb 17, 2017 1:03 pm

I'll use this command:

Code: Select all
# grep -B1 -100 -E 'define gpg_programs|subject \/sbin\/init o|^subject \/usr\/bin\/gpg|^subject \/usr\/bin\/dirmngr' grsec_170217_g0n_00


But I will manually remove excess lines. So these are my (very likely working) policies:

Code: Select all
define gpg_programs {
/usr/bin/dirmngr   rx
/usr/bin/gpg2   rx
/usr/bin/gpg-agent   rx
/usr/bin/gpgconf   rx
/usr/bin/gpg-connect-agent   rx
/usr/bin/gpg-error   rx
/usr/bin/gpgme-config   rx
/usr/bin/gpgme-tool   rx
/usr/bin/gpgparsemail   rx
/usr/bin/gpgscm   rx
/usr/bin/gpgsm   rx
/usr/bin/gpgtar   rx
/usr/bin/gpgv2   rx
/usr/bin/pinentry-curses   rx
/usr/bin/pinentry-tty   rx
# usage:
# $gpg_programs
}
...
--
# Role: root
subject /sbin/init o
   /            h
   /bin
   /bin/login         x
   /dev            h
   /dev/console         rw
   /dev/initctl         rw
   /dev/log         rw
   /run            h
   /run/utmp         rw
   /sbin            h
   /sbin/agetty         x
   /usr
   /usr/bin
   /usr/bin/gpg-agent      rx
   /usr/sbin/conntrackd   r
   /var            h
   /var/log/wtmp         w
   /var/lib/dhcpcd         w
   -CAP_ALL
   +CAP_MKNOD
   bind   disabled
   connect   disabled
...
--
# Role: miro
subject /usr/bin/dirmngr o
   /            
   /boot            h
   /dev            h
   /dev/null         rw
   /dev/random         
   /dev/urandom         r
   /etc            h
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/passwd         h
   /etc/ppp         h
   /etc/samba/smbpasswd      h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/resolv.conf      r
   /etc/ssh         h
   /etc/ssl         r
#   /etc/ssl/certs/ca-certificates.crt   r
   /home            h
   /home/miro/.gnupg      rwcdl
#   /home/miro/.gnupg      
#   /home/miro/.gnupg/S.dirmngr   wcd
#   /home/miro/.gnupg/crls.d   rwc
#   /home/miro/.gnupg/dirmngr.conf   r
   /home/miro/.sslkey.log      a
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /proc            rw
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys/vm/overcommit_memory   r
   /sys            h
   /usr            h
   /usr/bin         h
   $gpg_programs
#   /usr/bin/dirmngr      rx
   /usr/lib64         rx
   /usr/share         h
   /usr/share/gnupg   r
#   /usr/share/gnupg/sks-keyservers.netCA.pem   r
   /usr/share/locale      r
   /var/log         h
   -CAP_ALL
   bind 0.0.0.0/32:1024-65535 dgram ip udp
   bind 0.0.0.0/32:0 dgram ip udp
   connect 0.0.0.0/0:11371 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
   connect 127.0.0.1/32:9050 stream dgram tcp udp
   connect 127.0.0.1/32:9150 stream dgram tcp udp
#   connect 94.23.204.11/32:11371 stream tcp
#   connect 18.4.249.71/32:11371 stream tcp
#   connect 104.236.209.43/32:11371 stream tcp
#   connect 37.191.238.78/32:443 stream tcp
#   connect 5.9.49.12/32:53 dgram udp
#   connect 31.14.133.188/32:53 dgram udp
#   connect 81.2.237.32/32:53 dgram udp
#from cca 5 days previous learning:
#   connect 51.15.53.138/32:11371 stream tcp
#   connect 185.95.216.79/32:11371 stream tcp
#   connect 209.15.13.134/32:11371 stream tcp
#   connect 217.69.77.222/32:11371 stream tcp
#   connect 18.9.60.141/32:11371 stream tcp
#   connect 176.9.51.79/32:11371 stream tcp
#   connect 134.93.178.170/32:11371 stream tcp
#   connect 202.141.176.99/32:11371 stream tcp
#   connect 37.191.238.78/32:11371 stream tcp
#   connect 37.120.166.149/32:11371 stream tcp
#   connect 37.250.89.239/32:11371 stream tcp
#   connect 5.9.49.12/32:53 stream dgram tcp udp
#   connect 31.14.133.188/32:53 dgram udp
#   connect 81.2.237.32/32:53 dgram udp
   sock_allow_family ipv6
...
--
# Role: miro
subject /usr/bin/gpg-agent o
   /            
   /boot            h
   /dev            h
   /dev/null         rw
   /dev/random         
   /dev/urandom         r
   /etc            h
   /etc/ld.so.cache      r
   /etc/localtime         r
   /home            h
   /home/miro/.gnupg      rwcdl
   /home/miro/.gnupg/private-keys-v1.d   rwcdl
   /lib/modules         h
   /lib64            h
   /lib64/ld-2.23.so      x
   /lib64/libc-2.23.so      rx
   /lib64/libpthread-2.23.so   rx
   /mnt            
   /mnt/sdd1         r
   /mnt/sdd1/.gnupg      rwcdl
#   /mnt/sdd1/.gnupg/S.gpg-agent   rwcd
#   /mnt/sdd1/.gnupg/S.gpg-agent.browser   wcd
#   /mnt/sdd1/.gnupg/S.gpg-agent.extra   wcd
#   /mnt/sdd1/.gnupg/S.gpg-agent.ssh   wcd
#   /mnt/sdd1/.gnupg/private-keys-v1.d   rwc
#   /mnt/sdd1/.gnupg/private-keys-v1.d/61D5243CD1CF616EBE7F2BEE3E830811B6BDCF85.key   r
#   /mnt/sdd1/.gnupg/private-keys-v1.d/69DCB3F7DFF03B916BFADC92F522F46A64565D92.key   
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /sys            h
   /usr            h
   /usr/bin         h
   $gpg_programs
   /usr/lib64         rx
   /usr/share         h
   /usr/share/locale      r
   /var/log         h
   -CAP_ALL
   +CAP_FOWNER
   +CAP_MKNOD
   bind   disabled
   connect   disabled
   sock_allow_family unix inet

# Role: miro
subject /usr/bin/gpg-connect-agent ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/bin/gpg2 o
   /            
   /Cmn            h
   /Cmn/dLo         rwc
   /Cmn/m*            rwc
   /Cmn/src*         rwc
   /boot            h
   /dev            h
   /dev/null         rw
   /dev/pts         
   /dev/random         
   /dev/tty         rw
   /dev/urandom         r
   /etc            h
   /etc/inputrc         r
   /etc/ld.so.cache      r
   /etc/localtime         r
   /etc/terminfo         
   /home            h
   /home/miro         rwcdl
   /home/miro/.gnupg         rwcdl
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   /mnt/sdd1         rwcdl
   /mnt/sdd1/.gnupg      rwcdl
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /sys            h
   /tmp            r
   /usr            h
   /usr/bin         h
   $gpg_programs
   /usr/lib64         rx
   /usr/share         r
   /var/log         h
   -CAP_ALL
   +CAP_FOWNER
   +CAP_MKNOD
   bind   disabled
   connect   disabled
   sock_allow_family unix inet

# Role: miro
subject /usr/bin/gpgconf o
   /            h
   /dev/null         rw
   /etc            h
   /etc/ld.so.cache      r
   /lib64            h
   /lib64/ld-2.23.so      x
   /lib64/libc-2.23.so      rx
   /usr            h
   /usr/bin
   $gpg_programs
   /usr/share/locale   r
   /usr/lib64/libgcrypt.so.20.1.5   rx
   /usr/lib64/libgpg-error.so.0.21.0   rx
   /usr/lib64/locale/locale-archive   r
   -CAP_ALL
   bind   disabled
   connect   disabled

## Role: miro
#subject /usr/bin/gpgparsemail ol
#   /            h
#   -CAP_ALL
#   bind   disabled
#   connect   disabled

## Role: miro
#subject /usr/bin/gpgscm ol
#   /            h
#   -CAP_ALL
#   bind   disabled
#   connect   disabled

## Role: miro
#subject /usr/bin/gpgsm ol
#   /            h
#   -CAP_ALL
#   bind   disabled
#   connect   disabled

## Role: miro
#subject /usr/bin/gpgtar ol
#   /            h
#   -CAP_ALL
#   bind   disabled
#   connect   disabled

## Role: miro
#subject /usr/bin/gpgv2 ol
#   /            h
#   -CAP_ALL
#   bind   disabled
#   connect   disabled
...


And while manually editing, I first:
1) forgot I left:
Code: Select all
subject /usr/bin/gpg-connect-agent ol

unlearned. But I can't learn it now; I'm doing virtualization.

2) decided not to remove from the post the other subjects from GnuPG programs that I haven't used yet, and which are commented out.

Happy hardening to everybody!

Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
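Two of the slips that show up in this thread are easy to catch mechanically before gradm -E: object paths that lost their leading slash during a placeholder edit ("the-usb-mount rwcdl" in the Feb 16 diff, where the final post has /mnt/sdd1), and $define references that nothing defines. The linter below is an added example, not gradm's own parser and not the author's code: it reads a policy fragment and reports those two problems, plus objects that are both writable and executable and every capability a subject keeps after -CAP_ALL, so the capability grants can be reviewed in one place. The sample policy is constructed from the gpg2 subject posted above with the slash-less lines kept, and a "/tmp rwx" line and a "$not_defined" reference added so that each check fires once. The syntax rules it encodes (an object line is an absolute path or a $define reference, optionally followed by mode letters; a "#" only starts a comment at the beginning of a line, since paths such as .#lk* contain one) are this example's reading of the policy format as used in this thread.

```python
"""Sanity-check a gradm RBAC policy fragment before loading it with gradm -E.

Added example for this thread; not gradm's parser and not the author's code.
SAMPLE_POLICY is a constructed excerpt modelled on the gpg2 subject posted in
the thread: the two slash-less "the-usb-mount" objects are kept as printed in
the Feb 16 diff, and "/tmp rwx" plus "$not_defined" are made up to exercise
the remaining checks.  The syntax rules below are this example's reading of
the policy format, not gradm's grammar.
"""
import re

SAMPLE_POLICY = """\
define gpg_programs {
/usr/bin/gpg2   rx
/usr/bin/gpg-agent   rx
/usr/bin/pinentry-tty   rx
}

# Role: miro
subject /usr/bin/gpg2 o
   /
   /dev            h
   /dev/null         rw
   /home            h
   /home/miro         rwcdl
   /home/miro/.gnupg         rwcdl
   /mnt            r
   the-usb-mount         rwcdl
   the-usb-mount/.gnupg      rwcdl
   /tmp            rwx
   /usr            h
   /usr/bin         h
   $gpg_programs
   $not_defined
   /usr/lib64         rx
   -CAP_ALL
   +CAP_FOWNER
   +CAP_MKNOD
   bind   disabled
   connect   disabled
   sock_allow_family unix inet
"""

# An object line: a path (wildcards allowed) and optional mode letters.
OBJECT = re.compile(r"^(?P<path>\S+)(?:\s+(?P<mode>[A-Za-z]+))?$")
# Subject-level keywords that are not object lines.
SKIP = ("bind ", "connect ", "sock_allow_family", "role_transitions",
        "role_allow_ip", "user_transition", "group_transition")


def lint_policy(text):
    """Return [(line_no, message)]; line 0 is used for per-subject capability summaries."""
    findings, defines, caps = [], set(), {}
    subject = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # "#" is a comment only at line start;
            continue                            # paths like .#lk* contain one mid-line
        if line.startswith("define "):
            defines.add(line.split()[1])
            continue
        if line == "}":
            continue
        if line.startswith("subject "):
            subject = line.split()[1]
            continue
        if line.startswith("role ") or line.startswith(SKIP):
            continue
        if line.startswith(("+CAP_", "-CAP_")):
            if line[0] == "+":                  # capability kept after -CAP_ALL
                caps.setdefault(subject, []).append(line[1:])
            continue
        if line.startswith("$"):                # $define reference must resolve
            if line[1:] not in defines:
                findings.append((no, f"reference to undefined define {line}"))
            continue
        m = OBJECT.match(line)
        if not m:
            findings.append((no, f"unparseable object line: {line!r}"))
            continue
        path, mode = m["path"], m["mode"] or ""
        if not path.startswith("/"):
            findings.append((no, f"object path is not absolute: {path!r}"))
        if "w" in mode and "x" in mode:
            findings.append((no, f"object {path} is both writable and executable ({mode})"))
    for subj, granted in caps.items():
        findings.append((0, f"subject {subj} is granted capabilities: {', '.join(granted)}"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_policy(SAMPLE_POLICY):
        print(f"{no:>4}: {msg}")
```

Run it over /etc/grsec/policy (or the dated copy about to be installed) after every hand edit; it complements rather than replaces the warnings gradm -E itself prints, such as the writable symlinked directory notice quoted earlier in the thread, which needs the running system to detect.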

