grsecurity forums

Hi!

Subject in default ACL/role (included from file "process")

subject /usr/sbin/logrotate:/bin/gzip {
/var/log/pacct* rw
}

# gradm -R
Password:
No object /bin/gzip found for nested subject /usr/sbin/logrotate:/bin/gzip specified on line 189 of /etc/grsec/process.

# ll /bin/gzip
-rwxr-xr-x 3 root root 51228 Aug 24 2001 /bin/gzip

# ll /usr/sbin/logrotate
-rwxr-xr-x 1 root root 31136 Sep 4 2001 /usr/sbin/logrotate

How come /bin/gzip not found?

Brad, u have my acl's, you should find this one commented.

TIA

You need an object for /bin/gzip in your logrotate subject.. The error isn't saying that the file doesn't exist, just that you need to add the object to your configuration.

-Brad

erm.. good point! tks

uhm..

ACL:

subject /usr/sbin/logrotate:/bin/gzip {
/var/log/pacct* rw
/bin/gzip rx
}

gradm:

No object /bin/gzip found for nested subject /usr/sbin/logrotate:/bin/gzip specified on line 189 of /etc/grsec/process.

If i have /bin/gzip rx to subject /usr/bin/logrotate, i get this:

Default ACL object not found for role default subject /bin/gzip
The RBAC system will not load until you correct this error.

If this is in the default role and default ACL, what would be the need to specify gzip as an object? logrotate should be able to use gzip with no problem, without expliciting so. No? Maybe not

You need to first have a /usr/sbin/logrotate subject. It should look like:


subject /usr/sbin/logrotate {
/bin/gzip rx
}

then, after that, your nested subject

subject /usr/sbin/logrotate:/bin/gzip {
/blahblah
}

-Brad

I'm starting to feel like a pain the ass...

My fault i didn't point this out in my previous post, it would avoid this one.. but i also did what u're saying.

And i get:

Default ACL object not found for role default subject /bin/gzip
The RBAC system will not load until you correct this error.

regards