learning usage
Posted: Tue Nov 23, 2004 8:58 am
Hi all,
I have:
sarge
2.4.28
gradm 2.0.2
I would like to create ACLs for my Postfix. I have tried the following:
in the "root" role:
subject /usr/lib/postfix lo {
    / h
    bind disabled
    connect disabled
}
after that:
gradm -L /etc/grsec/postfix.log -E
Postfix runs and sends the mail, but there is nothing in the log file...
After that, I have tried this ACL:
subject /usr/lib/postfix o {
    /var/spool/postfix rw
    /var/spool/postfix/lib rx
    /var/mail w
    /dev/log rw
    /dev/null rw
    /dev/urandom r
    /etc/aliases
    /etc/postfix rw
    /etc r
    /etc/grsec h
    /lib rx
    /usr/lib rx
    /usr/share/zoneinfo r
    /var/tmp rwcd
    / h
    -CAP_ALL
    +CAP_DAC_OVERRIDE
    +CAP_KILL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_SYS_CHROOT
    connect 0.0.0.0/0:53 stream dgram ip tcp udp
    connect 0.0.0.0/0:25 stream ip tcp
    bind disabled
}
And then I can see the following in the syslog:
Nov 22 01:46:04 gep kernel: grsec: From x.x.x.x: (root:U:/) denied access to
hidden file /dev/log by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0
gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0
gid/egid:0/0
Nov 22 01:46:04 get kernel: grsec: From x.x.x.x: (root:U:/) denied access to
hidden file /etc/passwd by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0
gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0
gid/egid:0/0
Nov 22 01:46:04 gep kernel: grsec: From x.x.x.x: (root:U:/) denied access to
hidden file /dev/log by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0
gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0
gid/egid:0/0
Nov 22 01:46:37 gep kernel: grsec: From x.x.x.x: (root:U:/) use of CAP_SETGID
denied for /usr/lib/postfix/master[master:7612] uid/euid:0/0 gid/egid:0/0,
parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[...]
Nov 22 01:46:37 gep postfix/master[7612]: fatal: set_eugid: setegid(102):
Operation not permitted
It seems that these processes DO NOT match the above subject name...
Why?
Thx: Mitya
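Added example, not part of the post above and not gradm's own tooling: a small Python parser for the kernel messages quoted in the post. It rejoins the syslog records that were wrapped across lines, pulls out the `(role:type:subject)` triple and the denied object/capability, and lists the denials whose subject field is not the subject the policy was meant to apply. The sample input is the log excerpt from the post, reproduced as it appears there; the function names, the `[...]` handling and the `expected_subject` parameter are my own choices.

```python
"""Parse grsecurity RBAC denial messages from syslog and report which RBAC
subject each denied process was actually running under.

Added example; assumes the message layout shown in the post:
  grsec: From <src>: (<role>:<type>:<subject>) <denial text> ... parent <exe>[<comm>:<pid>] ...
"""
import re
from collections import Counter

# Constructed sample: the lines quoted in the post, including the syslog
# line wrapping, the '[...]' elision and postfix's own 'fatal' line, which
# is not a grsec message and must be skipped by the parser.
SAMPLE_LOG = """\
Nov 22 01:46:04 gep kernel: grsec: From x.x.x.x: (root:U:/) denied access to
hidden file /dev/log by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0
gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0
gid/egid:0/0
Nov 22 01:46:04 get kernel: grsec: From x.x.x.x: (root:U:/) denied access to
hidden file /etc/passwd by /usr/lib/postfix/smtpd[smtpd:12674] uid/euid:0/0
gid/egid:0/0, parent /usr/lib/postfix/master[master:7612] uid/euid:0/0
gid/egid:0/0
Nov 22 01:46:37 gep kernel: grsec: From x.x.x.x: (root:U:/) use of CAP_SETGID
denied for /usr/lib/postfix/master[master:7612] uid/euid:0/0 gid/egid:0/0,
parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[...]
Nov 22 01:46:37 gep postfix/master[7612]: fatal: set_eugid: setegid(102):
Operation not permitted
"""

# A syslog record starts with "Mon DD HH:MM:SS host"; any other line is a
# continuation of the previous record (the post's lines are wrapped).
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

# "(role:type:subject)": role name, role type letter (U = user role), and
# the subject the kernel actually applied to the process.
HEADER = re.compile(
    r"grsec: From (?P<src>\S+): "
    r"\((?P<role>[^:()]+):(?P<roletype>[A-Z]):(?P<subject>[^)]+)\) (?P<rest>.*)$"
)
PROC = r"(?P<exe>\S+?)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\]"
FILE_DENY = re.compile(r"denied access to hidden file (?P<object>\S+) by " + PROC)
CAP_DENY = re.compile(r"use of (?P<cap>CAP_[A-Z_]+) denied for " + PROC)
PARENT = re.compile(r"parent (?P<pexe>\S+?)\[(?P<pcomm>[^\]:]+):(?P<ppid>\d+)\]")


def join_records(text):
    """Rejoin wrapped syslog lines into one string per record."""
    records = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "[...]":   # blank or elision marker
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + stripped
    return records


def parse_grsec_log(text):
    """Return one dict per grsec RBAC message; non-grsec records are skipped."""
    events = []
    for rec in join_records(text):
        m = HEADER.search(rec)
        if not m:
            continue  # e.g. postfix's own "fatal: set_eugid" line
        ev = {"src": m["src"], "role": m["role"],
              "role_type": m["roletype"], "subject": m["subject"]}
        rest = m["rest"]
        fm, cm = FILE_DENY.search(rest), CAP_DENY.search(rest)
        if fm:
            ev.update(kind="file", object=fm["object"], exe=fm["exe"], pid=int(fm["pid"]))
        elif cm:
            ev.update(kind="cap", object=cm["cap"], exe=cm["exe"], pid=int(cm["pid"]))
        else:
            ev.update(kind="other", object=None, exe=None, pid=None)
        pm = PARENT.search(rest)
        ev["parent"] = pm["pexe"] if pm else None
        events.append(ev)
    return events


def subjects_seen(events):
    """How many denials were logged under each subject path."""
    return Counter(ev["subject"] for ev in events)


def subject_mismatches(events, expected_subject):
    """Denials whose process was NOT confined by expected_subject.

    The third field of the (role:type:subject) triple is the subject the
    kernel applied.  A denial logged under '/' means the process ran under
    the role's default subject, i.e. the more specific subject in the policy
    never matched that binary.
    """
    return [ev for ev in events if ev["subject"] != expected_subject]


if __name__ == "__main__":
    evs = parse_grsec_log(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev['exe']} (pid {ev['pid']}) under subject {ev['subject']!r}: "
              f"{ev['kind']} {ev['object']}, parent {ev['parent']}")
    bad = subject_mismatches(evs, "/usr/lib/postfix")
    print(f"{len(bad)} denial(s) not confined by subject /usr/lib/postfix")
```

Run against the excerpt it reports all three denials under subject `/`, the role's default subject, rather than `/usr/lib/postfix`; that is the quickest way to confirm from the log itself that a subject did not match, before changing any object or capability lines in the policy.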