grsecurity forums

[davidc]

I've used full system learning to create my policy and I'm now checking through it to find mistakes I made. The first subject for the user 'apache' is /. All it does is hides / and specify -CAP_ALL. The only other subject is /usr/sbin/apache2, which specifically hides other directories such as /etc/ssh, /etc/grsec (etc.). Is there any reason it hides these specifically and overrides the hidden /?

Would it be better to remove the o and specify only the directories Apache needs to access? Or leave the o and deny the ones it shouldn't?

Code: Select all

subject /usr/sbin/apache2 o {
        /
        /etc/services                   r
        /home                           r
        /usr/share/mysql/charsets/Index r
        /var/run/mysqld/mysqld.sock     rw
        /etc/ssh                        h
        /etc/grsec                      h
        /dev/grsec                      h
        /proc/kcore                     h
        /proc/sys                       h
        /etc/shadow                     h
        /etc/passwd                     h
        /var/log                        h
        /dev/mem                        h
        /dev/kmem                       h
        /dev/port                       h
        /dev/log                        h
        -CAP_ALL
        bind    disabled (this will, obviously, need changing)
        connect disabled
}