robert at linuxfromscratch.org
Tue Nov 4 17:25:19 PST 2008
An initrd would have been nicer, but I managed without it (I don't remember
ever making an initrd in my life). This is what I did to enable grsecurity
learning from boot:
# Assuming /dev/sda5 is your /
mount /dev/sda5 /mnt/sda5/
# /dev/grsec is the character device (major 1, minor 13) gradm uses to talk to the kernel
mknod -m 0622 /mnt/sda5/dev/grsec c 1 13
# gradm wants to write to /etc/grsec/.grlearn.pid for its pid file,
# so work around this:
mv -v /etc/grsec/ /etc/grsec.bak
mkdir -v -m 700 /root/grsec
ln -sv /root/grsec /etc/grsec
# Then add this to /etc/rc.d/init.d/mountkernfs after /proc is mounted.
mount -n -o mode=700 -t tmpfs tmpfs /root/grsec;
cp /etc/grsec.bak/* /root/grsec;
rm -f /root/grsec/.grlearn.pid;
gradm -F -L /root/grsec/learning.log;
# gradm needs /proc to readlink(1) the pid/exe files.
# I added the ;'s in hope that they will let the script
# continue even if the commands fail.
# After rebooting, gradm -S does not seem to work, and I can't authenticate.
# Nevertheless, I can get the new policy:
gradm -F -L /etc/grsec/learning.log -O /root/learning_policy.roles
# Remove the stuff in /etc/rc.d/init.d/mountkernfs and reboot again.
# Then cleanup:
mv /etc/grsec.bak /etc/grsec/
# Our fruits rest in /root/learning_policy.roles.
So, the end policy needs a lot of touching up, and udevd wasn't considered an
object... gradm considers udevd the script it ran from. This should get
cleaned up so each boot script has its own rules. gradm sorted them all
I got what I wanted: rules for /sbin/init say it needs CAP_SYS_ADMIN and
read-write access to /dev/console, /dev/initctl, /var/run/utmp, write-only
to /var/log/wtmp, execute permission on /etc/rc.d/init.d/rc, read
to /etc/localtime, and read on /bin/bash. Nothing else.
/sbin/agetty doesn't need capabilities, just some read and write to some files
and tty devices. It should be very easy to run agetty as a regular user.
/bin/login needs some capabilities, and might be a little tricky to run as a
normal user (bash --login) without capabilities.
I hope to enable gradm on the reboot, to control processes that are normally
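The learned policy described above still has to be reviewed by hand before it is loaded. The following is an added example, not code from the post or from gradm: a small Python audit script that parses the subset of the gradm policy syntax learning mode emits (role, subject, object and +CAP_/-CAP_ lines) and summarises, per subject, which capabilities it keeps and which objects it may write or execute. The SAMPLE_POLICY it ships with is constructed from the /sbin/init rules listed in the post (CAP_SYS_ADMIN, rw on /dev/console, /dev/initctl and /var/run/utmp, w on /var/log/wtmp, x on /etc/rc.d/init.d/rc, r on /etc/localtime and /bin/bash); it is not output captured from the author's system, and the admin role in it is an assumed stand-in for a typical gradm admin subject.

```python
"""Audit a gradm (grsecurity RBAC) policy before loading it.

Added example, not part of the original post or of gradm. Handles the
lines learning mode emits: role / subject headers, object lines
("/path mode"), and +CAP_* / -CAP_* capability lines. Network rules,
role_transitions and RES_* lines are skipped, since they do not affect
the checks below.
"""
import shlex
from dataclasses import dataclass, field

# Constructed from the rules the post describes for /sbin/init; the admin
# role is an assumed stand-in for a typical gradm admin subject.
SAMPLE_POLICY = """\
role admin sA
subject / rvka
    / rwcdmlxi
    +CAP_ALL

role default G
role_transitions admin
subject /
    /               r
    -CAP_ALL

subject /sbin/init o
    /                       h
    /dev/console            rw
    /dev/initctl            rw
    /var/run/utmp           rw
    /var/log/wtmp           w
    /etc/rc.d/init.d/rc     x
    /etc/localtime          r
    /bin/bash               r
    -CAP_ALL
    +CAP_SYS_ADMIN
"""

WRITE_MODES = set("wacd")  # write, append, create, delete


@dataclass
class Subject:
    path: str
    flags: str = ""
    grants_all: bool = False           # True after +CAP_ALL; caps then lists exceptions
    caps: set = field(default_factory=set)
    objects: dict = field(default_factory=dict)  # object path -> mode string

    def has_cap(self, name):
        return (name not in self.caps) if self.grants_all else (name in self.caps)


def parse_policy(text):
    """Return {role_name: {subject_path: Subject}} for a gradm policy text."""
    roles, role, subj = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)              # gradm quotes paths with spaces
        key = tokens[0]
        if key == "role":
            if len(tokens) < 2:
                raise ValueError("role line without a name: %r" % line)
            role, subj = tokens[1], None
            roles.setdefault(role, {})
        elif key == "subject":
            if role is None or len(tokens) < 2:
                raise ValueError("subject outside of any role: %r" % line)
            subj = Subject(path=tokens[1], flags=tokens[2] if len(tokens) > 2 else "")
            roles[role][subj.path] = subj
        elif key.startswith(("+CAP_", "-CAP_")):
            if subj is None:
                raise ValueError("capability line outside of a subject: %r" % line)
            grant, name = key[0] == "+", key[1:]
            if name == "CAP_ALL":               # resets the capability set entirely
                subj.grants_all, subj.caps = grant, set()
            elif grant == subj.grants_all:      # +X under +CAP_ALL or -X under -CAP_ALL
                subj.caps.discard(name)
            else:                               # the line changes the effective set
                subj.caps.add(name)
        elif key.startswith("/"):
            if subj is None:
                raise ValueError("object line outside of a subject: %r" % line)
            subj.objects[key] = tokens[1] if len(tokens) > 1 else ""
        # anything else (role_transitions, connect, bind, RES_*) is not audited here
    return roles


def writable_objects(subj):
    return sorted(p for p, m in subj.objects.items() if WRITE_MODES & set(m))


def executable_objects(subj):
    return sorted(p for p, m in subj.objects.items() if "x" in m)


def subjects_with_cap(roles, cap):
    return sorted((r, s.path) for r, subs in roles.items()
                  for s in subs.values() if s.has_cap(cap))


def audit(text):
    """Findings a reviewer should look at before running gradm -E."""
    findings = []
    for role, subs in parse_policy(text).items():
        for s in subs.values():
            who = "%s:%s" % (role, s.path)
            if s.grants_all:
                findings.append("%s keeps every capability (+CAP_ALL)" % who)
            elif s.has_cap("CAP_SYS_ADMIN"):
                findings.append("%s keeps CAP_SYS_ADMIN" % who)
            for p in set(writable_objects(s)) & set(executable_objects(s)):
                findings.append("%s may both write and execute %s" % (who, p))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        print(f)
```

Run it against /root/learning_policy.roles (or any policy file) by passing the file's contents to audit(); every subject that keeps CAP_SYS_ADMIN, keeps +CAP_ALL, or can both write and execute the same object is listed, which is where the hand-editing the post mentions should start.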