diff --git a/gradm_adm.c b/gradm_adm.c
index bdcfd7d..9681b3c 100644
--- a/gradm_adm.c
+++ b/gradm_adm.c
@@ -72,12 +72,13 @@ add_gradm_acl(struct role_acl *role)
 gradm_name = gr_strdup(gradm_realpath);
 if (gr_enable && strcmp(gradm_name, GRADM_PATH)) {
- printf("You are attempting to use a gradm binary other "
- "than the installed version. Depending on your "
+ printf("You are attempting to use a gradm binary (%s) other "
+ "than the installed version (%s). Depending on your "
 "policy, you could be locking yourself out of "
 "your machine by enabling the RBAC system with "
 "this binary. Press \'y\' if you wish to ignore "
- "this warning, or any other key to cancel.\n>");
+ "this warning, or any other key to cancel.\n>",
+ gradm_name, GRADM_PATH);
 if (getchar() != 'y')
 exit(EXIT_FAILURE);
 }
@@ -259,11 +260,6 @@ static void add_fulllearn_shutdown_acl(void)
 ADD_OBJ("/dev/urandom", "r");
 ADD_OBJ("/dev/random", "r");
 ADD_OBJ("/etc", "r");
- ADD_OBJ("/bin", "rx");
- ADD_OBJ("/sbin", "rx");
- ADD_OBJ("/lib", "rx");
- ADD_OBJ("/lib32", "rx");
- ADD_OBJ("/lib64", "rx");
 ADD_OBJ("/usr", "rx");
 ADD_OBJ("/proc", "r");
 ADD_OBJ("/boot", "h");
@@ -276,9 +272,9 @@ static void add_fulllearn_shutdown_acl(void)
 ADD_OBJ("/proc/slabinfo", "h");
 ADD_OBJ("/proc/modules", "h");
 ADD_OBJ("/proc/kallsyms", "h");
- ADD_OBJ("/lib/modules", "hs");
- ADD_OBJ("/lib32/modules", "hs");
- ADD_OBJ("/lib64/modules", "hs");
+ ADD_OBJ("/usr/lib/modules", "hs");
+ ADD_OBJ("/usr/lib32/modules", "hs");
+ ADD_OBJ("/usr/lib64/modules", "hs");
 ADD_OBJ("/etc/ssh", "h");
 add_cap_acl(current_subject, "-CAP_ALL", NULL);
diff --git a/gradm_analyze.c b/gradm_analyze.c
index 74ec86f..da365a4 100644
--- a/gradm_analyze.c
+++ b/gradm_analyze.c
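Review bot: The prompt the new printf() builds still ends in `>` with no trailing newline, so nothing in the C library contract guarantees it has been written out before `getchar()` blocks; glibc happens to flush line-buffered output streams when stdin is read, but that is a library courtesy rather than a standard guarantee. Adding `fflush(stdout);` between the printf() and `if (getchar() != 'y')` makes the prompt, which now carries both paths, reliably visible before the program waits for the answer. The rest of add_gradm_acl() lies outside the hunk.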
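Review bot: Dropping the `/bin`, `/sbin`, `/lib`, `/lib32` and `/lib64` objects from the shutdown subject assumes a merged-/usr layout in which those paths are symlinks into `/usr`; on a system where they are still real directories the generated shutdown role loses read/execute on everything under them, including the shutdown and reboot binaries themselves. The RBAC denies by default, so this fails closed, but it does so silently at enable time, and the assumption deserves a comment above the remaining `ADD_OBJ("/usr", "rx");`, e.g. `/* merged-/usr layout assumed: /bin, /sbin and /lib* are symlinks into /usr */`. If non-merged layouts are still supported, the removed objects should be added back conditionally (for instance after an lstat() showing `/bin` is not a symlink) rather than dropped. The same assumption underlies the next hunk's `/usr/lib*/modules` hide objects and both hunks of gradm_fulllearn.c's initial_roles_str, which cannot be made conditional since it is a static string. add_fulllearn_shutdown_acl() starts and ends outside the hunk.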
@@ -778,17 +778,17 @@ analyze_acls(void)
 errs_found++;
 }
- if (!stat("/lib/modules", &fstat) && !check_permission(role, def_acl, "/lib/modules", &chk)) {
+ if (!stat("/usr/lib/modules", &fstat) && !check_permission(role, def_acl, "/usr/lib/modules", &chk)) {
 fprintf(stderr,
- "Writing access is allowed by role %s to /lib/modules, the directory which "
+ "Writing access is allowed by role %s to /usr/lib/modules, the directory which "
 "holds kernel modules.\n\n", role->rolename);
 errs_found++;
 }
- if (!stat("/lib64/modules", &fstat) && !check_permission(role, def_acl, "/lib64/modules", &chk)) {
+ if (!stat("/usr/lib64/modules", &fstat) && !check_permission(role, def_acl, "/usr/lib64/modules", &chk)) {
 fprintf(stderr,
- "Writing access is allowed by role %s to /lib64/modules, the directory which "
+ "Writing access is allowed by role %s to /usr/lib64/modules, the directory which "
 "holds kernel modules.\n\n", role->rolename);
 errs_found++;
diff --git a/gradm_defs.h b/gradm_defs.h
index 961a7b9..56d6378 100644
--- a/gradm_defs.h
+++ b/gradm_defs.h
@@ -4,9 +4,9 @@
 #ifndef GRSEC_DIR
 #define GRSEC_DIR "/etc/grsec"
 #endif
-#define GRLEARN_PATH "/sbin/grlearn"
-#define GRADM_PATH "/sbin/gradm"
-#define GRPAM_PATH "/sbin/gradm_pam"
+#define GRLEARN_PATH "/usr/bin/grlearn"
+#define GRADM_PATH "/usr/bin/gradm"
+#define GRPAM_PATH "/usr/bin/gradm_pam"
 #define GRDEV_PATH "/dev/grsec"
 #define GR_POLICY_PATH GRSEC_DIR "/policy"
 #define GR_PW_PATH GRSEC_DIR "/pw"
diff --git a/gradm_fulllearn.c b/gradm_fulllearn.c
index 4d10060..6ce744d 100644
--- a/gradm_fulllearn.c
+++ b/gradm_fulllearn.c
@@ -449,8 +449,8 @@ static const char *initial_roles_str =
 "\t/proc/slabinfo\th\n"
 "\t/proc/modules\th\n"
 "\t/proc/kallsyms\th\n"
-"\t/lib/modules\ths\n"
-"\t/lib64/modules\ths\n"
+"\t/usr/lib/modules\ths\n"
+"\t/usr/lib64/modules\ths\n"
 "\t/etc/ssh\th\n"
 "}\n\n"
 "role admin sA\n"
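Review bot: Each check is guarded by `!stat(path, &fstat)`, so on a system where the module directory exists only at `/lib/modules` or `/lib64/modules` (no merged /usr) the new `/usr/lib*/modules` stat() fails and the writable-module-directory warning is skipped entirely, turning an analyzer check into a silent no-op exactly on the layouts the old paths covered. Checking both the legacy and the merged locations from a small table keeps the warning on every layout and also lets `/lib32/modules` be covered, matching the hide set in add_fulllearn_shutdown_acl(); on a merged system the two spellings name the same directory, so the message may print twice, which is harmless for an analyzer but could be deduplicated by comparing `st_dev`/`st_ino` if that matters. analyze_acls() starts and ends outside the hunk, and `fstat`, `chk`, `role` and `def_acl` are presumably declared there.
```c
	/* Check the legacy and the merged-/usr locations: the stat() guard
	 * makes a missing path skip the check silently, so one spelling is
	 * not enough to cover both layouts. */
	static const char *const module_dirs[] = {
		"/lib/modules", "/usr/lib/modules",
		"/lib32/modules", "/usr/lib32/modules",
		"/lib64/modules", "/usr/lib64/modules",
	};
	for (size_t i = 0; i < sizeof(module_dirs) / sizeof(module_dirs[0]); i++) {
		if (!stat(module_dirs[i], &fstat) &&
		    !check_permission(role, def_acl, module_dirs[i], &chk)) {
			fprintf(stderr,
				"Writing access is allowed by role %s to %s, the directory which "
				"holds kernel modules.\n\n", role->rolename, module_dirs[i]);
			errs_found++;
		}
	}
	/* … unchanged: remaining per-role checks … */
```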
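Review bot: `GRADM_PATH` is not only an install location: add_gradm_acl() in gradm_adm.c compares the realpath of the running binary against it with strcmp() and prompts before enabling when they differ, so a build installed anywhere other than `/usr/bin/gradm` — a non-merged-/usr system where it still lands in `/sbin`, or a packaging prefix — will likely hit the "binary other than the installed version" prompt on every enable. Unlike `GRSEC_DIR` just above, the three path macros cannot be overridden from the build; wrapping each like `#ifndef GRADM_PATH` / `#define GRADM_PATH "/usr/bin/gradm"` / `#endif` (and likewise for `GRLEARN_PATH` and `GRPAM_PATH`) lets the packager set the real install path instead of teaching users to answer 'y' to the prompt.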
@@ -463,10 +463,6 @@ static const char *initial_roles_str =
 "\t/dev/urandom r\n"
 "\t/dev/random r\n"
 "\t/etc r\n"
-"\t/bin rx\n"
-"\t/sbin rx\n"
-"\t/lib rx\n"
-"\t/lib64 rx\n"
 "\t/usr rx\n"
 "\t/proc r\n"
 "\t$grsec_denied\n"