grsecurity forums

[kukacz]

I need to restrict access to a file to be allowed by zope webserver script only. The Zope server is runned as a interpreted python code - there is no single file daemon like "httpd".
I created a renamed copy of python binary which I use to run the Zope server to be able to identify it in policy file. I added the following to the default role:

subject /
...
/dev/log r
/var/lib/zope/instancename r
/etc/restricted_file h


subject /usr/local/bin/python-myzope
/dev/log rw
/var/lib/zope/instancename rwx
/etc/restricted_file r

Then I reload the policy but scripts runned by Zope server still are not able to access those files. In syslog grsec reports:

Nov 23 10:47:06 myserver kernel: grsec: From 192.168.1.1: (default:D:/) denied connect to the unix domain socket /dev/log by /usr/sbin/kadmin[kadmin:25795] uid/euid:1000/1000 gid/egid:100/100, parent /usr/local/bin/python-myzope[python-myzope:24328] uid/euid:1000/1000 gid/egid:100/100
Nov 23 10:47:06 myserver kernel: grsec: From 192.168.1.1: (default:D:/) denied access to hidden file /etc/restricted_file by /usr/sbin/kadmin[kadmin:25795] uid/euid:1000/1000 gid/egid:100/100, parent /usr/local/bin/python-myzope[python-myzope:24328] uid/euid:1000/1000 gid/egid:100/100

Am I doing something wrong? Should I use some different design of rights to restrict the access?
Thank you.

kukacz

[Hue-Bond]

>subject /
> /dev/log r
> /var/lib/zope/instancename r
> /etc/restricted_file h
>Nov 23 10:47:06 myserver kernel: grsec: From 192.168.1.1: (default:D:/)
>denied connect to the unix domain socket /dev/log by /usr/sbin/kadmin

Connecting to a socket requires write access to it.