acl trouble


Postby Energ » Sun Aug 08, 2004 12:06 pm

I have a popa3d server that starts as root:
Aug 8 20:08:27 ponch kernel: grsec: From 192.168.200.2: denied connect to the unix domain socket /dev/log by /usr/sbin/popa3d[popa3d:20358] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/popa3d[popa3d:16500] uid/euid:0/0 gid/egid:0/0
Aug 8 20:08:27 ponch kernel: grsec: From 192.168.200.2: denied access to hidden file /dev/log by /usr/sbin/popa3d[popa3d:16602] uid/euid:1001/1001 gid/egid:100/100, parent /usr/sbin/popa3d[popa3d:16500] uid/euid:0/0 gid/egid:0/0

I added /dev/log rw for the /usr/sbin/popa3d subject, but these messages still drop into the debug log.
If I add /dev/log rw for the root role, I get an error from gradm about a hole in my ACL config. What should I do?

Postby spender » Mon Aug 09, 2004 9:31 am

If you update to 2.0.1, the logs will give you more information that will help you solve your problem.

-Brad

Postby Energ » Mon Aug 09, 2004 12:01 pm

I just can't understand how it works.
---------------------------------------------
Aug 9 19:57:51 ponch kernel: grsec: From 10.3.1.200: (default:D:/) denied open of /var/log/vsftpd/vsftpd.log for appending by /usr/sbin/vsftpd[vsftpd:9737] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/vsftpd[vsftpd:8850] uid/euid:0/0 gid/egid:0/0

The root role has "ra" access to /var/log/vsftpd/vsftpd.log and the subject /usr/sbin/vsftpd has the same permission. Also, the ftp user has "ra". But this still drops into debug.
----------------------------------------------

Aug 9 19:55:59 ponch kernel: grsec: (default:D:/) use of CAP_SYS_MODULE denied for /sbin/modprobe[modprobe:7907] uid/euid:0/0 gid/egid:0/0, parent /sbin/devfsd[devfsd:153] uid/euid:0/0 gid/egid:0/0

root, /sbin/modprobe and /sbin/devfsd have +CAP_SYS_MODULE.

----------------------------------------------
Aug 9 19:49:42 ponch kernel: grsec: From 192.168.200.2: (default:D:/) denied connect to the unix domain socket /dev/log by /usr/sbin/popa3d[popa3d:16752] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/popa3d[popa3d:20495] uid/euid:0/0 gid/egid:0/0

Same trouble here. /usr/sbin/popa3d has "rw" for /dev/log and root has "r".
-----------------------------------------------

Please explain to me how to solve this. Maybe there is a special flag for the subject or something else.
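The 2.0.1-format lines in the post above carry a parenthesised field, e.g. "(default:D:/)", that the 2.0 lines in the first post do not. The following is an added example, not code from the thread, from the poster, or from grsecurity/gradm: it parses both log formats and reports, per denial, the role and subject the kernel evaluated the access under, and whether that subject is the denied binary's own. Assumptions, mine rather than the thread's: the parenthesised field is read as role name, role type letter and matched subject path, with the letters mapped as in ROLE_TYPES; SAMPLE_LOG is constructed from the lines quoted in the thread; the function and class names are my own.

```python
"""Parse grsecurity RBAC denial lines and show which role/subject each decision
was made under.  Added example for this thread, not grsecurity's own code.
Assumed (not stated in the thread): "(default:D:/)" is <role>:<type>:<subject>."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Role type letters as the kernel prints them (assumed mapping).
ROLE_TYPES = {"U": "user", "G": "group", "D": "default", "S": "special"}

# Constructed sample: the lines quoted in the thread (2.0 and 2.0.1 formats).
SAMPLE_LOG = """\
Aug 8 20:08:27 ponch kernel: grsec: From 192.168.200.2: denied connect to the unix domain socket /dev/log by /usr/sbin/popa3d[popa3d:20358] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/popa3d[popa3d:16500] uid/euid:0/0 gid/egid:0/0
Aug 8 20:08:27 ponch kernel: grsec: From 192.168.200.2: denied access to hidden file /dev/log by /usr/sbin/popa3d[popa3d:16602] uid/euid:1001/1001 gid/egid:100/100, parent /usr/sbin/popa3d[popa3d:16500] uid/euid:0/0 gid/egid:0/0
Aug 9 19:57:51 ponch kernel: grsec: From 10.3.1.200: (default:D:/) denied open of /var/log/vsftpd/vsftpd.log for appending by /usr/sbin/vsftpd[vsftpd:9737] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/vsftpd[vsftpd:8850] uid/euid:0/0 gid/egid:0/0
Aug 9 19:55:59 ponch kernel: grsec: (default:D:/) use of CAP_SYS_MODULE denied for /sbin/modprobe[modprobe:7907] uid/euid:0/0 gid/egid:0/0, parent /sbin/devfsd[devfsd:153] uid/euid:0/0 gid/egid:0/0
Aug 9 19:49:42 ponch kernel: grsec: From 192.168.200.2: (default:D:/) denied connect to the unix domain socket /dev/log by /usr/sbin/popa3d[popa3d:16752] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/popa3d[popa3d:20495] uid/euid:0/0 gid/egid:0/0
"""

# One regex for the common frame: optional source IP, optional role field,
# the message, then process and parent with their ids.
LINE_RE = re.compile(
    r"grsec: "
    r"(?:From (?P<src>[0-9.]+): )?"
    r"(?:\((?P<role>[^:()]+):(?P<rtype>[A-Z]):(?P<subject>[^)]*)\) )?"
    r"(?P<msg>.+?) (?:by|for) "
    r"(?P<binary>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pbinary>[^\s\[]+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)"
)

# Message shapes seen in the thread -> (kind, regex giving obj and optional mode).
MSG_RES = [
    ("connect", re.compile(r"denied connect to the unix domain socket (?P<obj>\S+)")),
    ("hidden", re.compile(r"denied access to hidden file (?P<obj>\S+)")),
    ("open", re.compile(r"denied open of (?P<obj>\S+) for (?P<mode>\w+)")),
    ("capability", re.compile(r"use of (?P<obj>CAP_\w+) denied")),
]


@dataclass
class Denial:
    src: Optional[str]       # "From a.b.c.d" when the kernel logged one
    role: Optional[str]      # None on 2.0-format lines without "(role:T:subject)"
    rtype: Optional[str]
    subject: Optional[str]
    kind: str                # connect / hidden / open / capability / other
    obj: str                 # path or capability name
    mode: Optional[str]      # e.g. "appending" for an open
    binary: str
    pid: int
    uid: int
    euid: int
    pbinary: str
    ppid: int

    @property
    def own_subject(self) -> bool:
        """True when the matched subject is a subject block for this binary."""
        return self.subject == self.binary


def parse_line(line: str) -> Optional[Denial]:
    m = LINE_RE.search(line)
    if m is None:
        return None
    kind, obj, mode = "other", m.group("msg"), None
    for k, rx in MSG_RES:
        mm = rx.search(m.group("msg"))
        if mm:
            kind, obj, mode = k, mm.group("obj"), mm.groupdict().get("mode")
            break
    return Denial(src=m.group("src"), role=m.group("role"), rtype=m.group("rtype"),
                  subject=m.group("subject"), kind=kind, obj=obj, mode=mode,
                  binary=m.group("binary"), pid=int(m.group("pid")),
                  uid=int(m.group("uid")), euid=int(m.group("euid")),
                  pbinary=m.group("pbinary"), ppid=int(m.group("ppid")))


def parse_log(text: str) -> List[Denial]:
    return [d for d in (parse_line(l) for l in text.splitlines()) if d is not None]


def diagnose(d: Denial) -> str:
    """Say which policy block the kernel actually consulted for this denial."""
    if d.role is None:
        return ("no role/subject field in this line (2.0 format): cannot tell "
                "which role and subject the kernel consulted")
    where = f"role {d.role} ({ROLE_TYPES.get(d.rtype, d.rtype)}) subject {d.subject}"
    if not d.own_subject:
        return (f"{where}: {d.binary} ran under subject {d.subject} of that role, not "
                f"a subject of its own; rules for {d.binary} or {d.obj} in another "
                f"role or subject block were not consulted")
    return f"{where}: adjust {d.obj} ({d.kind}) in that subject block"


def summarize(denials: List[Denial]) -> Dict[Tuple[Optional[str], Optional[str], str], int]:
    """Count denials per (role, subject, binary) so a common cause stands out."""
    counts: Dict[Tuple[Optional[str], Optional[str], str], int] = {}
    for d in denials:
        key = (d.role, d.subject, d.binary)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    denials = parse_log(SAMPLE_LOG)
    for d in denials:
        print(f"{d.binary}[{d.pid}] uid {d.uid}: {d.kind} {d.obj}: {diagnose(d)}")
    print(summarize(denials))
```

Run stand-alone it prints one diagnosis per line and then the per-(role, subject, binary) counts; the 2.0 lines in the sample only yield "cannot tell", which is the extra information the upgrade to 2.0.1 supplies, while each 2.0.1 line names the role and subject the kernel matched, so the parser points at the block where an object or capability rule has to live rather than at the blocks where it was expected to.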

Postby spender » Mon Aug 09, 2004 12:15 pm

Can you mail your policy to spender@grsecurity.net?

-Brad

