gentoo-hardened June 2008 archive

Re: [gentoo-hardened] ptrace and gdb

From: Julien Thomas <julien.thomas_at_nospam>
Date: Mon Jun 16 2008 - 14:01:45 GMT
To: gentoo-hardened@lists.gentoo.org


Good afternoon (and this time it is afternoon, not 2 AM ;D).

I succeeded in solving my problem, so I am posting the answer.

1° Take care with the domain of slapd: if launched from the sysadm_r role, the process starts correctly and gets the slapd_t domain. If launched from staff_r (the default one, at least in my case), it gets the domain staff_r. I made that mistake during some tests ...

2° The policy:

module gbd_slapd_attach 1.0;

require {
    type slapd_t;
    type sysadm_t;
    class process { signal ptrace transition noatsecure rlimitinh siginh getsched setsched
                    getsession getpgid setpgid getcap setcap sigchld getattr };
}

allow slapd_t sysadm_t:process { getattr sigchld signal };
allow sysadm_t slapd_t:process { ptrace getsched setsched getsession getpgid setpgid getcap setcap };

Best regards,
Julien Thomas

PS: this policy is used in a non-professional context and may thus need to be reinforced in professional environments ;D

julien.thomas@telecom-bretagne.eu wrote:
> Good afternoon.
>
> I would like to be able to trace the slapd daemon (slapd_t type) with gdb,
> and more precisely to interact with it.
>
> However, when I run gdb's attach command, I get
> ptrace: Permission denied. with no avc log ...
>
> I added the following authorization but it seems not to be enough.
> The gdb and slapd processes have the following types:
>
> system_u:system_r:slapd_t 5930 ? Ssl 0:00
> /usr/lib/openldap/slapd
> root:sysadm_r:sysadm_t 5818 pts/0 S+ 0:00 gdb
>
> ---- additional SELinux module
> module gbd_attach 1.0;
>
> require {
>     type slapd_t;
>     type sysadm_t;
>     class file { execute getattr read };
>     class process { signal ptrace transition noatsecure rlimitinh siginh getsched
>                     setsched getsession getpgid setpgid getcap setcap };
> }
>
> allow slapd_t sysadm_t:process { signal ptrace };
> allow sysadm_t slapd_t:process { noatsecure rlimitinh siginh transition
>                                  getsched setsched getsession getpgid setpgid getcap setcap };
>
> Thanks.
>
> Best regards,
> Julien Thomas
>
>
--
My RSA public key for email authentication is available at
http://perso.telecom-bretagne.eu/julienthomas/technical_informations/
and on the PGP server http://subkeys.pgp.net (id 0x43E623F5)

My (google) calendars (for meeting arrangement)
Thesis: http://www.google.com/calendar/embed?src=d3te2j26l4g7qah12a9q4vpiu4%40group.calendar.google.com&ctz=Europe/Paris
Personal (availability only): http://www.google.com/calendar/embed?src=julien.thomas.1%40gmail.com&ctz=Europe/Paris
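What actually changed between the first attempt and the working policy above is the direction of the ptrace rule: in an SELinux allow rule the source type is the process performing the action, so the tracer (sysadm_t) must be granted ptrace on the tracee (slapd_t); the first module only granted it the other way round. The script below is an added example, not code from the post or from the Gentoo hardened policy: it writes a reduced version of the module (my own module and file names, the permission set trimmed to what the two allow rules use), compiles and loads it with checkmodule, semodule_package and semodule, confirms with sesearch that the rule is present in the loaded policy, and gives the removal command. Two caveats a practitioner should keep in mind: a denial with no AVC message is usually covered by a dontaudit rule, which `semodule -DB` temporarily disables on policycoreutils releases that support it, and ptrace gives the tracer full read and write access to slapd's memory (bound credentials, private keys), so the module belongs in the policy only for the duration of the debugging session.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Builds, loads, checks and
# removes a small SELinux policy module that lets gdb running as sysadm_t
# attach to slapd (slapd_t). Module and file names are my own choice.
set -eu

MODULE=gdb_slapd_attach
WORKDIR=${WORKDIR:-$(mktemp -d)}

# Write the policy source. The source type of an allow rule is the process
# performing the action, so ptrace goes from the tracer (sysadm_t) to the
# tracee (slapd_t); the reverse rule only lets slapd_t notify the tracer.
write_te() {
    cat >"$1" <<'EOF'
module gdb_slapd_attach 1.0;

require {
    type slapd_t;
    type sysadm_t;
    class process { ptrace getattr signal sigchld getsched setsched
                    getsession getpgid setpgid getcap setcap };
}

# tracer -> tracee
allow sysadm_t slapd_t:process { ptrace getattr getsched setsched getsession getpgid setpgid getcap setcap };
# tracee -> tracer (stop/exit notifications)
allow slapd_t sysadm_t:process { getattr sigchld signal };
EOF
}

# Static check on the source: is ptrace granted with sysadm_t as the SOURCE
# and slapd_t as the TARGET? A rule written the other way round (slapd_t
# tracing sysadm_t) does nothing for gdb, which is what the first attempt
# in the thread had.
te_grants_ptrace() {
    grep -Eq '^allow sysadm_t slapd_t:process \{[^}]*[[:space:]]ptrace[[:space:]]' "$1"
}

# Compile the .te into a loadable package (checkmodule and semodule_package
# come with policycoreutils).
build_module() {
    checkmodule -M -m -o "$WORKDIR/$MODULE.mod" "$WORKDIR/$MODULE.te"
    semodule_package -o "$WORKDIR/$MODULE.pp" -m "$WORKDIR/$MODULE.mod"
}

load_module()   { semodule -i "$WORKDIR/$MODULE.pp"; }
unload_module() { semodule -r "$MODULE"; }

# Check the *loaded* policy rather than trusting the file (sesearch is from setools).
loaded_grants_ptrace() {
    sesearch -A -s sysadm_t -t slapd_t -c process -p ptrace | grep -q ptrace
}

main() {
    write_te "$WORKDIR/$MODULE.te"
    te_grants_ptrace "$WORKDIR/$MODULE.te" \
        || { echo "policy does not grant ptrace in the tracer->tracee direction" >&2; exit 1; }
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "SELinux tools not installed; policy source left in $WORKDIR/$MODULE.te"
        return 0
    fi
    build_module
    load_module
    loaded_grants_ptrace || { echo "rule not present in loaded policy" >&2; exit 1; }
    echo "module $MODULE loaded; from sysadm_r run: gdb -p \"\$(pidof slapd)\""
    echo "when finished debugging, remove it with: semodule -r $MODULE"
}

# Run only when invoked as "./script run", so the functions can also be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as root from the sysadm_r role (`sh gdb_slapd_attach.sh run`); slapd itself must have been started from sysadm_r so that it really runs as slapd_t, as the post's first point notes, otherwise the rule targets the wrong domain and gdb still fails. `unload_module` is kept as a function so the same script can take the module out again once the session is over.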
