path: root/kernels/gradm/usr.patch
blob: b3e5e77abbfbb3b819ef1939db4da7c6f2c7d74d (plain)
diff --git a/gradm_adm.c b/gradm_adm.c
index bdcfd7d..9681b3c 100644
--- a/gradm_adm.c
+++ b/gradm_adm.c
@@ -72,12 +72,13 @@ add_gradm_acl(struct role_acl *role)
 
 	gradm_name = gr_strdup(gradm_realpath);
 	if (gr_enable && strcmp(gradm_name, GRADM_PATH)) {
-		printf("You are attempting to use a gradm binary other "
-		       "than the installed version.  Depending on your "
+		printf("You are attempting to use a gradm binary (%s) other "
+		       "than the installed version (%s).  Depending on your "
 		       "policy, you could be locking yourself out of "
 		       "your machine by enabling the RBAC system with "
 		       "this binary.  Press \'y\' if you wish to ignore "
-		       "this warning, or any other key to cancel.\n>");
+		       "this warning, or any other key to cancel.\n>",
+		       gradm_name, GRADM_PATH);
 		if (getchar() != 'y')
 			exit(EXIT_FAILURE);
 	}
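Review bot: The comparison on the line above the changed printf, `strcmp(gradm_name, GRADM_PATH)`, is plain string equality between the running binary's resolved path and a compile-time literal, so the new message (and the exit below it) is only meaningful if GRADM_PATH is itself the canonical path of the installed binary; on a layout where /usr/bin is reached through a symlink the warning would fire for the genuine binary, and the operator would be trained to type 'y'. The added `%s` arguments line up with the two new conversions, so the formatting itself looks right. I would record the assumption next to the check: `/* gradm_name is presumably the resolved path; GRADM_PATH must be canonical or this check fires for the installed binary */`. add_gradm_acl begins before this hunk, so where gradm_realpath is computed is not visible here.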
@@ -259,11 +260,6 @@ static void add_fulllearn_shutdown_acl(void)
 	ADD_OBJ("/dev/urandom", "r");
 	ADD_OBJ("/dev/random", "r");
 	ADD_OBJ("/etc", "r");
-	ADD_OBJ("/bin", "rx");
-	ADD_OBJ("/sbin", "rx");
-	ADD_OBJ("/lib", "rx");
-	ADD_OBJ("/lib32", "rx");
-	ADD_OBJ("/lib64", "rx");
 	ADD_OBJ("/usr", "rx");
 	ADD_OBJ("/proc", "r");
 	ADD_OBJ("/boot", "h");
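Review bot: Dropping the `/bin`, `/sbin`, `/lib`, `/lib32` and `/lib64` objects from the shutdown ACL assumes a merged-/usr layout in which those paths are symlinks into /usr, so the surviving `ADD_OBJ("/usr", "rx")` covers them; on a host where they are real directories the shutdown subject falls back to the role's default object for those trees, which could deny exec during the learning shutdown path. The same assumption is made by the next hunk (`/usr/lib*/modules`) and by the two hunks in gradm_fulllearn.c that edit `initial_roles_str`, and nothing in the patch records it. I would add a comment above the `/usr` object, e.g. `/* merged-/usr layout assumed: /bin, /sbin and /lib* resolve into /usr, so this object covers them */`, so a maintainer backporting this to a split-/usr build knows why the entries are gone. add_fulllearn_shutdown_acl starts before this hunk and continues past it.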
@@ -276,9 +272,9 @@ static void add_fulllearn_shutdown_acl(void)
 	ADD_OBJ("/proc/slabinfo", "h");
 	ADD_OBJ("/proc/modules", "h");
 	ADD_OBJ("/proc/kallsyms", "h");
-	ADD_OBJ("/lib/modules", "hs");
-	ADD_OBJ("/lib32/modules", "hs");
-	ADD_OBJ("/lib64/modules", "hs");
+	ADD_OBJ("/usr/lib/modules", "hs");
+	ADD_OBJ("/usr/lib32/modules", "hs");
+	ADD_OBJ("/usr/lib64/modules", "hs");
 	ADD_OBJ("/etc/ssh", "h");
 	add_cap_acl(current_subject, "-CAP_ALL", NULL);
 
diff --git a/gradm_analyze.c b/gradm_analyze.c
index 74ec86f..da365a4 100644
--- a/gradm_analyze.c
+++ b/gradm_analyze.c
@@ -778,17 +778,17 @@ analyze_acls(void)
 			errs_found++;
 		}
 
-		if (!stat("/lib/modules", &fstat) && !check_permission(role, def_acl, "/lib/modules", &chk)) {
+		if (!stat("/usr/lib/modules", &fstat) && !check_permission(role, def_acl, "/usr/lib/modules", &chk)) {
 			fprintf(stderr,
-				"Writing access is allowed by role %s to /lib/modules, the directory which "
+				"Writing access is allowed by role %s to /usr/lib/modules, the directory which "
 				"holds kernel modules.\n\n",
 				role->rolename);
 			errs_found++;
 		}
 
-		if (!stat("/lib64/modules", &fstat) && !check_permission(role, def_acl, "/lib64/modules", &chk)) {
+		if (!stat("/usr/lib64/modules", &fstat) && !check_permission(role, def_acl, "/usr/lib64/modules", &chk)) {
 			fprintf(stderr,
-				"Writing access is allowed by role %s to /lib64/modules, the directory which "
+				"Writing access is allowed by role %s to /usr/lib64/modules, the directory which "
 				"holds kernel modules.\n\n",
 				role->rolename);
 			errs_found++;
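Review bot: Both new checks are gated by `!stat(...)`, so on a host where `/usr/lib/modules` does not exist (split-/usr, where `/lib/modules` is a real directory) the write-access warning silently disappears rather than failing loudly; if this patch is meant only for merged-/usr builds that is acceptable, but it is worth a comment. In addition, the shutdown ACL in gradm_adm.c now hides `/usr/lib32/modules` while analyze_acls never checks it, so the two lists have drifted. The two near-identical blocks could be driven from one table, which makes it trivial to keep the list in step with gradm_adm.c and to add legacy paths if both layouts must be supported. analyze_acls starts and ends outside this hunk.
```c
		/* keep in step with the "hs" module objects in gradm_adm.c */
		static const char *const module_dirs[] = {
			"/usr/lib/modules", "/usr/lib32/modules", "/usr/lib64/modules",
		};
		for (size_t i = 0; i < sizeof module_dirs / sizeof module_dirs[0]; i++) {
			if (!stat(module_dirs[i], &fstat) && !check_permission(role, def_acl, module_dirs[i], &chk)) {
				fprintf(stderr,
					"Writing access is allowed by role %s to %s, the directory which "
					"holds kernel modules.\n\n",
					role->rolename, module_dirs[i]);
				errs_found++;
			}
		}
```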
diff --git a/gradm_defs.h b/gradm_defs.h
index 961a7b9..56d6378 100644
--- a/gradm_defs.h
+++ b/gradm_defs.h
@@ -4,9 +4,9 @@
 #ifndef GRSEC_DIR
 #define GRSEC_DIR		"/etc/grsec"
 #endif
-#define GRLEARN_PATH		"/sbin/grlearn"
-#define GRADM_PATH		"/sbin/gradm"
-#define GRPAM_PATH		"/sbin/gradm_pam"
+#define GRLEARN_PATH	"/usr/bin/grlearn"
+#define GRADM_PATH		"/usr/bin/gradm"
+#define GRPAM_PATH		"/usr/bin/gradm_pam"
 #define GRDEV_PATH		"/dev/grsec"
 #define GR_POLICY_PATH 		GRSEC_DIR "/policy"
 #define GR_PW_PATH 		GRSEC_DIR "/pw"
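Review bot: The new `GRLEARN_PATH` line uses a single tab before its value while the neighbouring `GRADM_PATH`, `GRPAM_PATH` and `GRDEV_PATH` lines keep two, so the column alignment of the block is broken; `#define GRLEARN_PATH		"/usr/bin/grlearn"` restores it. Since this patch exists only to relocate these three paths, it may be worth following the pattern already used for `GRSEC_DIR` a few lines up and guarding each one, e.g. `#ifndef GRADM_PATH` / `#define GRADM_PATH "/usr/bin/gradm"` / `#endif`, so a packager can set the install prefix from the build system instead of carrying a source patch; note that GRADM_PATH is what gradm_adm.c compares the running binary against, so the value must stay the canonical install path.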
diff --git a/gradm_fulllearn.c b/gradm_fulllearn.c
index 4d10060..6ce744d 100644
--- a/gradm_fulllearn.c
+++ b/gradm_fulllearn.c
@@ -449,8 +449,8 @@ static const char *initial_roles_str =
 "\t/proc/slabinfo\th\n"
 "\t/proc/modules\th\n"
 "\t/proc/kallsyms\th\n"
-"\t/lib/modules\ths\n"
-"\t/lib64/modules\ths\n"
+"\t/usr/lib/modules\ths\n"
+"\t/usr/lib64/modules\ths\n"
 "\t/etc/ssh\th\n"
 "}\n\n"
 "role admin sA\n"
@@ -463,10 +463,6 @@ static const char *initial_roles_str =
 "\t/dev/urandom r\n"
 "\t/dev/random r\n"
 "\t/etc r\n"
-"\t/bin rx\n"
-"\t/sbin rx\n"
-"\t/lib rx\n"
-"\t/lib64 rx\n"
 "\t/usr rx\n"
 "\t/proc r\n"
 "\t$grsec_denied\n"