gradm policy
gradm does not start with the stock policy shipped with alpine.
Error:
*Read access is allowed by role default to /sys, the directory which holds entries that often leak information from the kernel.
CAP_SYSLOG is not removed in role default. This would allow an attacker to view OOPs messages in dmesg that contain addresses useful for kernel exploitation.*
Warning: permission for symlink /etc/localtime in role default, subject
/ does not match that of its matching target object /etc. Symlink is
specified on line 31 of /var/lib/grsec/policy.d/00-base.
Warning: permission for symlink /dev/cdrom in role default, subject /
does not match that of its matching target object /dev. Symlink is
specified on line 30 of /var/lib/grsec/policy.d/00-base.
Warning: permission for symlink /etc/localtime in role default, subject
/sbin/gradm_pam does not match that of its matching target object /.
Symlink is specified on line 5 of /var/lib/grsec/policy.d/00-base.
There were 2 holes found in your RBAC configuration. These must be fixed
before the RBAC system will be allowed to be enabled.
Attached is an updated version of the policy.
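For reference, a constructed fragment of a `role default` subject that addresses each of the three findings in the gradm output above. It is an added illustration of the policy language, not the attached 00-base; the object modes chosen here (and treating `/etc` and `/dev` as the objects that match the symlink targets, as the warnings state) are assumptions.

```text
# Constructed example, not the attached 00-base.
role default G
subject / {
	/		r
	# a symlink object must carry the same mode as the object that matches
	# its target; gradm resolved /etc/localtime to /etc, so both get "r"
	/etc		r
	/etc/localtime	r
	# /dev/cdrom resolved to /dev: give the symlink and its target object
	# the same (empty, i.e. no access) mode so the modes match
	/dev
	/dev/cdrom
	# /sys exposes kernel addresses and layout; "h" hides it from this role
	/sys		h
	# drop every capability, then re-add only what the role needs;
	# CAP_SYSLOG stays removed so dmesg OOPS output is not readable
	-CAP_ALL
	+CAP_CHOWN
	+CAP_SETUID
	+CAP_SETGID
	bind	disabled
	connect	disabled
}
```

Re-run `gradm -C` after editing; it reports the remaining holes, and the RBAC system only enables once none are left.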
(from redmine: issue id 8011, created on 2017-10-18)
- Uploads:
- 00-base /var/lib/grsec/policy.d/00-base