grsecurity forums

I'm using grsecurity 1.9.14 with the 2.4.25 kernel, and I'm having a problem with my ACL settings for sshd. sshd is attempting to open a socket every night at about 4:00 AM, which it seems is about the same time cron executes /etc/cron.daily, although I can't see anything in there that would be causing it. I have the following in the ACL for sshd:

Code: Select all

connect {
    0.0.0.0/0:53 dgram ip udp
    0.0.0.0/0:53 stream ip tcp
    0.0.0.0/0:113 dgram ip udp
}

bind {
    0.0.0.0/0:22 stream ip tcp
}


The log messages are as follows:

Code: Select all

Mar  2 04:02:18 sr71 kernel: grsec: attempted socket(2,2,0) by (sshd:7077) UID(0) EUID(0), parent (sh:13518) UID(0) EUID(0)
Mar  2 04:02:18 sr71 last message repeated 2 times


Has anyone seen this before? If not, is there any way I can track this down?

hopopt 0 HOPOPT # IPv6 Hop-by-Hop Option [RFC1883]

that is the last parameter of socket...

the socket call unraveled:
socket(PF_INET,SOCK_DGRAM,[HOPOPT])

You haven't enabled any IPv6-like supports?

I don't think I have. I checked sshd_config and the man page for it and there's nothing in there that explicitly enables IPv6.

According to /etc/protocols, protocol 0 is also the number for IP(v4).

I have two concerns here really:
1. Why is sshd attempting to open a socket?
2. Why is grsecurity blocking it when the rules suggest it should be allowed?