[ubuntu-hardened] Fixed some bugs in the postinst and postrm
scripts of vSecurity packages, merged amd64 changes
Herman Bos
hbos at osso.nl
Sun Oct 16 13:06:13 CDT 2005
Lorenzo Hernández García-Hierro wrote:
>Regarding...
>
>$ sudo apt-get install vsecurity
> ...
> Setting up vsecurity-686 (0.3-0ubuntu1) ...
> FATAL: Error inserting vsecurity (/lib/modules/2.6.12-9-686/kernel/security/vsecurity.ko): Invalid argument
> !!! Capabilities module blocks vSecurity. For keeping capabilities set in current processes, a reboot is needed.
> !!! PLEASE, REBOOT.
>
>It's well known issue, and also note that the messages with '!!!' prefix
>are sent by the postinst script of the package. It happens when you are
>running with capabilities module loaded. For preventing processes to
>lost the capabilities settings assigned to them, Martin proposed to add
>a check. vSecurity needs a free slot within the LSM framework and thus,
>will reject to load if there's no stack'able space. Capabilities module
>uses one slot and SELinux another one, hence there's no room for a third
>module. Although, the capabilities module has the 'disable' parameter
>which allows us to implement the capabilities-related hooks in another
>module and get a free slot. vSecurity will load then.
>
>
>
I'm not totally into it but if I may ask what are the consequences of
disabling the capabilities module? It sounds pretty bad.
>The packages drop a file in the /etc/modprobe.d/ directory containing
>'options capability disable=1' and thus, will fix the issue but a reboot
>is needed for clean setup.
>
>
Its there but after boot:
[4294687.225000] VSEC: Failure registering vSecurity module with the kernel
[4294687.225000] VSEC: Failure registering vSecurity module with primary
security module.
>There's no need if you don't care about lossing the capabilities
>settings in the current processes, in such case go ahead:
>
> rmmod capability
> modprobe capability disable=1
> modprobe vsecurity
>
>
[4294984.068000] Capabilities disabled at initialization
[4294985.575000] VSEC: Registering vsecfs subsystem (sysfs).
[4294985.575000] VSEC: Access Control List of allsocket, type uid created.
[4294985.575000] VSEC: Access Control List of allsocket, type gid created.
[4294985.575000] VSEC: Access Control List of server_socket, type uid
created.
[4294985.575000] VSEC: Access Control List of server_socket, type gid
created.
[4294985.575000] VSEC: Access Control List of client_socket, type uid
created.
[4294985.575000] VSEC: Access Control List of client_socket, type gid
created.
[4294985.575000] VSEC: Access Control List of tpe, type uid created.
[4294985.575000] VSEC: Access Control List of tpe, type gid created.
[4294985.575000] VSEC: vSecurity engine initialized.
This works it seems.
Whats next? Whats in effect now? Is TPE working? Is there a group on
which it applies or one on which it does not? (that is how it works in
grsecurity).
For extra information, i installed your k7 ubuntu package (I have an k7
kernel running).
I don't mind helping a bit with the documentation on the wiki, but there
is not much to start with. :)
Groeten,
Herman Bos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url : http://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20051016/6ddd5708/signature.pgp
More information about the ubuntu-hardened
mailing list