Hello all,
I've successfully had my subjects and policy running for a while without any issues. However, recently I began noticing an issue when trying to introduce syslog-ng into the policy. Sometimes it seems to work and sometimes it does not. When it does not work, it appears that the policy is not picking up the subject I have defined for it at all. As you can see in the error message below, it is only showing (root:U:/) when it should be (root:U:/sbin/syslog-ng). I think this might have something to do with the fact that syslog-ng has a "supervising" process. Any help on this matter is appreciated. Thanks,
grsec error:
grsec: (root:U:/) denied socket(inet,stream,ip) by /sbin/syslog-ng[syslog-ng:3188] uid/euid:0/0 gid/egid:0/0, parent /sbin/syslog-ng[syslog-ng:3187] uid/euid:0/0 gid/egid:0/0
process list:
root 3187 1 0 Aug16 ? 00:00:00 supervising syslog-ng
root 3188 3187 0 Aug16 ? 00:48:56 /sbin/syslog-ng
grsec policy:
role root uG
...
role_allow_ip 0.0.0.0/0
---
subject /sbin/syslog-ng ho {
user_transition_allow root
group_transition_allow root
/ h
/chroot h
/chroot/dev/log rw
/chroot/etc/hosts r
/chroot/var/log rwcd
/dev h
/dev/log w
/etc h
/etc/group r
/etc/localtime
/etc/passwd r
/etc/syslog-ng/syslog-ng.conf r
/lib64 rx
/lib/syslog-ng rx
/proc h
/proc/kmsg r
/proc/sys
/var h
/var/log cw
/var/run/nscd/socket rw
-CAP_ALL
+CAP_SYS_ADMIN
bind 0.0.0.0/32:0 stream dgram ip tcp udp
connect <ip>/32:514 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:53 dgram udp
connect <ip>/32:514 stream tcp
}
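
To find out how often a process is logged under a different subject than the one written for its binary, the denial lines can be parsed and compared against the policy's subject paths. The script below is an added example, not part of the original post or of grsecurity/gradm; the function names and the second and third sample lines are constructed, and the field layout is assumed from the single denial line quoted above.

```python
import re

# Field layout read off the denial line quoted in the post:
#   grsec: (role:role_type:subject) denied <op> by <path>[<comm>:<pid>] ..., parent <path>[<comm>:<pid>] ...
DENIAL = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<role_type>[^:]+):(?P<subject>[^)]+)\) "
    r"denied (?P<operation>.+?) by (?P<path>/\S*)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r".*?parent (?P<parent_path>/\S*)\[(?P<parent_comm>[^:\]]+):(?P<parent_pid>\d+)\]"
)

def parse_denial(line):
    """Return the fields of one grsec denial line, or None for any other line."""
    m = DENIAL.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"], rec["parent_pid"] = int(rec["pid"]), int(rec["parent_pid"])
    # True when the parent runs the same binary, as with the "supervising" process.
    rec["same_binary_parent"] = rec["parent_path"] == rec["path"]
    return rec

def subject_mismatches(lines, defined_subjects):
    """Denials where the binary has its own subject in the policy, yet the
    kernel logged the process under a different subject (for example "/")."""
    hits = []
    for line in lines:
        rec = parse_denial(line)
        if rec and rec["path"] in defined_subjects and rec["subject"] != rec["path"]:
            hits.append(rec)
    return hits

SAMPLE_LOG = [
    # Line 1 is the denial from the post; lines 2 and 3 are constructed.
    "grsec: (root:U:/) denied socket(inet,stream,ip) by /sbin/syslog-ng[syslog-ng:3188] uid/euid:0/0 gid/egid:0/0, parent /sbin/syslog-ng[syslog-ng:3187] uid/euid:0/0 gid/egid:0/0",
    "grsec: (root:U:/sbin/syslog-ng) denied socket(inet,stream,ip) by /sbin/syslog-ng[syslog-ng:4021] uid/euid:0/0 gid/egid:0/0, parent /sbin/syslog-ng[syslog-ng:4020] uid/euid:0/0 gid/egid:0/0",
    "kernel: eth0: link up",
]

if __name__ == "__main__":
    for rec in subject_mismatches(SAMPLE_LOG, {"/sbin/syslog-ng"}):
        print("pid {pid} ({path}) ran under subject {subject!r} in role {role}; "
              "parent pid {parent_pid}, same binary: {same_binary_parent}".format(**rec))
```

Run over the real kernel log, the pid and parent pid of each mismatch can be checked against the process list to see which syslog-ng instances ended up outside the intended subject.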