Kevin Day thekevinday at
Mon Nov 3 16:25:25 PST 2008

On Sun, Nov 2, 2008 at 11:08 PM, Robert Connolly
<robert at> wrote:
> When trying to load gradm on boot, as early as possible, I'm running into
> problems.
> The mountfs boot script doesn't mount / read-write until after kernfs, udev,
> swap, and checkfs. Gradm learning can't save its log until filesystems are
> mounted writable, and gradm doesn't work without /dev/grsec.
> So I think /dev/grsec should become an essential device, created before udev
> is loaded, so gradm can be enabled as soon as possible. I
> think /etc/rc.d/init.d/grsec should be the first boot script, and if
> necessary mount a writable tmpfs for the learning log, maybe under /root.
> In particular I want acl rules for /sbin/agetty and /bin/login.
> It looks like /bin/login is what needs capabilities. I'm thinking to
> make /bin/login executable only by the 'login' group, which agetty and sshd
> users are a part of, and give /bin/login CAP_CHOWN, CAP_FOWNER, CAP_FSETID,
> CAP_SETGID, and CAP_SETUID, so agetty and sshd users can drop root, except
> that normal users also use /bin/login. Filesystem Posix capabilities markings
> do not distinguish, yet, between owner, group, and other permissions.
> Perhaps /bin/login needs to be copied to /bin/login.caps, to deal with suid
> logins. We have exactly the same problem with /bin/dd feeding
> klogd... /bin/dd has sys_cap_admin capabilities.
> Gradm acls can enforce these rules, but I also want userland (libcap and file
> system permissions) to only give permissions as needed, so that gradm acls
> shouldn't need enforcement, and so logs of acl violations are kept to a
> minimum.
> Libcap gives the program the guns, and gradm acls strip search the program
> to check that they only have the guns they are authorized to have. We need
> both... one cannot be depended on to replace the other.
> I'm curious if there is advice for me on how to generalize the issue
> with /bin/login and /bin/dd (for klogd), and loading gradm very early during
> boot.
> robert

You could create and use an initrd to perform some pre-init
functionality as needed.

Kevin Day

More information about the hlfs-dev mailing list