grsecurity forums

[shaman]

Hi all!

I have a problem with sendmail and spamassassin. After learning my acl is:

/usr/sbin/spamass-milter o {
/usr/lib/libssl.so.0.9.7 rx
/usr/lib/libcrypto.so.0.9.7 rx
/lib/libnss_compat-2.3.2.so rx
/lib/libnsl-2.3.2.so rx
/lib/libdl-2.3.2.so rx
/lib/libc-2.3.2.so rx
/lib/ld-2.3.2.so rx
/etc/passwd r
/etc/nsswitch.conf r
/etc/ld.so.cache r
/usr/bin/spamc xi
/usr/sbin/spamass-milter xi
/ h
-CAP_ALL
}
/opt/AVP/kavkeeper/kavkeeper o {
/var/runAvpCtl r
/usr/sbin/sendmail x
/tmp w
/opt/AVP/kavkeeper/kavkeeper x
/ r
/usr/share/zoneinfo r
/usr/lib r
/lib rx
/etc/grsec h
/etc r
/etc/mail r
/opt/AVP/etc/defUnix.node.bin rw
/opt/AVP/etc/defUnix.sl rw
/opt/AVP/etc/defUnix.atom.bin rw
/dev/null rw
/dev/log rw
/var/run r
-CAP_ALL
+CAP_NET_BIND_SERVICE
+CAP_NET_RAW
}
/usr/sbin/saslauthd o {
/usr/sbin/saslauthd x
/ h
+CAP_ALL
}
/usr/bin/spamd o {
/etc/mail rwa
/etc/shadow r
/usr/bin/spamd rx
/ h
+CAP_ALL
}
/usr/sbin/sendmail o {
/var/tmp
/var/spool
/var
/usr/lib/sasl2 rx
/usr/bin/procmail x
/usr/bin
/usr
/proc/stat r
/opt/AVP/kavkeeper
/opt/AVP
/opt
/dev/random r
/etc/mail rw
/etc/shadow r
/opt/AVP/kavkeeper/kavkeeper x
/var/spool/mail rw
/var/spool/mqueue rw
/var/spool/mqueue.kav rw
/var/spool/clientmqueue rw
/usr/share/zoneinfo r
/var/run rxw
/etc/mail/access.db rw
/lib rx
/usr/lib rx
/etc/grsec h
/etc r
/dev/null rw
/dev/log rw
/proc/loadavg r
/usr/bin/spamd xi
/usr/sbin/sendmail x
/ r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_NET_RAW
}

But it's not work. In kern.log:

Jun 2 14:46:49 mail kernel: grsec: denied access to hidden file /etc/shadow by (spamd:30133) UID(1150) EUID(1150), parent (spamd:26650) UID(1150) EUID(1150)

Jun 2 14:46:49 mail kernel: grsec: denied open of /etc/mail/spamassassin/bayes_journal for appending by (spamd:30133) UID(1150) EUID(1150), parent (spamd:26650) UID(1150) EUID(1150)

Jun 2 14:46:49 mail kernel: grsec: denied open of /etc/mail/spamassassin/bayes.lock.mail.nutritek.ru.30133 for writing by (spamd:30133) UID(1150) EUID(1150), parent (spamd:26650) UID(1150) EUID(1150)

Jun 2 14:46:49 mail kernel: grsec: denied open of /etc/mail/spamassassin/auto_whitelist.lock.mail.nutritek.ru.30133 for writing by (spamd:30133) UID(1150) EUID(1150), parent (spamd:26650) UID(1150) EUID(1150)

Jun 2 14:46:49 mail kernel: grsec: From 192.168.99.73: denied connect to the unix domain socket /var/run/AvpCtl by (kavkeeper:645) UID(0) EUID(0), parent (sendmail:21016) UID(0) EUID(0)

Help me, please.
P.S. Sorry for my english.

[sekko]

The logs say:

grsec: denied open of xxxx for writing by spamd:30133) UID(1150) EUID(1150)

so, be sure that ACL applies to the user with UID 1150 and not to root only!

-- Claudio

[spender]

/dev/null rw
/dev/log rw
/proc/loadavg r
/usr/bin/spamd xi
/usr/sbin/sendmail x

note the /usr/bin/spamd line. That's the problem. Grsecurity won't automatically fix any errors you manually throw into the configuration. The inherit flag means that when executing /usr/bin/spamd, it won't use the spamd subject that was learned.

-Brad

[shaman]

The logs say:

grsec: denied open of xxxx for writing by spamd:30133) UID(1150) EUID(1150)

so, be sure that ACL applies to the user with UID 1150 and not to root only!

-- Claudio

I read manual but can't find anything about it. How can i do that?

[onyx]

/dev/null rw
/dev/log rw
/proc/loadavg r
/usr/bin/spamd xi
/usr/sbin/sendmail x

note the /usr/bin/spamd line. That's the problem. Grsecurity won't automatically fix any errors you manually throw into the configuration. The inherit flag means that when executing /usr/bin/spamd, it won't use the spamd subject that was learned.

-Brad

Brad has already answered your question, bt I think you didn't notice. Remove the i flag from /usr/bin/spamd (as spender said).
so instead of /usr/bin/spamd xi you'll have /usr/bin/spamd x

bye

[shaman]

OK, thank you. It's work now.