denied unlink ....

Postby muaddib » Fri Jun 24, 2005 11:02 am

Hi, I'm confused by the unlink or hardlink feature.
I have this subject in my policy:

subject /bin/mv o {
/ h
/bin h
/bin/mv x
/etc rx
/etc/ld.so.cache rx
/etc/selinux
/etc/selinux/config r
/etc/snort rwcldx
/etc/snort/snort.conf rwcld
/etc/snort/bpf_file rwcd
/etc/oldsnort rwdcx
/lib rx
/proc r
/proc/kcore h
/proc/sys h
/proc/bus h
/tmp rwd
/usr/lib/locale rx
/usr/share/locale rx
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
+CAP_FSETID
}

From an ssh connection, I cannot do "ssh REMOTE cp /tmp/snort.conf /etc/snort/snort.conf"; I receive:
Jun 24 17:55:55 s1 kernel: grsec: From 172.19.54.22: (default:D:/bin/cp) denied open of /etc/snort/snort.conf for writing by /bin/cp[cp:14615] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:27193] uid/euid:0/0 gid/egid:0/0
Jun 24 17:55:55 s1 kernel: grsec: From 172.19.54.22: (default:D:/bin/cp) denied unlink of /etc/snort/snort.conf by /bin/cp[cp:14615] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:27193] uid/euid:0/0 gid/egid:0/0

But "ssh REMOTE cp /tmp/bpf_file /etc/snort/bpf_file" works...

Here are the files:
-rw-r--r-- 1 root root 48 jun 24 17:55 bpf_file
-rw-r--r-- 1 root root 29904 jun 17 16:09 snort.conf

I do not know what to do to correct it.
I even tried to give /etc/snort/snort.conf all rights in /; the result is the same.

Thanks for reading
muaddib
 
Posts: 11
Joined: Fri Jan 30, 2004 11:59 am

Postby spender » Sat Jul 02, 2005 11:13 am

You don't want to be putting subjects on mv or cp. You should use the inheritance feature on the processes that are using these programs to copy or move files.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
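The approach in this reply, as an added example that is not part of the thread and not the poster's real policy: instead of a subject for /bin/cp or /bin/mv, the subject of the program that invokes them lists the two tools as objects with the i (inherit) object flag, so when that program runs cp or mv they run under its objects and capabilities rather than being matched to a cp/mv subject of their own. The subject path /bin/bash (root's login shell started by sshd), the object paths and the modes below are assumptions, sized to cover the copy from /tmp into /etc/snort shown in the question.

```text
# Added example, not the thread's own policy. A fragment for the role
# that currently holds the /bin/mv subject; /bin/bash as the caller and
# the object paths and modes are assumptions.

subject /bin/bash o {
    /                       h
    /bin                    x
    # i: cp and mv inherit this subject instead of getting their own
    /bin/cp                 xi
    /bin/mv                 xi
    /etc                    rx
    /etc/ld.so.cache        rx
    /lib                    rx
    /usr/lib/locale         rx
    /usr/share/locale       rx
    /tmp                    rwcd
    /etc/snort              rwcdl
    /etc/snort/snort.conf   rwcdl
    /etc/snort/bpf_file     rwcd
    -CAP_ALL
    +CAP_CHOWN
    +CAP_DAC_OVERRIDE
    +CAP_FOWNER
    +CAP_FSETID
}
```

With this in place the separate subject lines for /bin/cp and /bin/mv are dropped from the role, so a cp started by some other process (a daemon, for instance) gets only whatever that process's own subject allows for /etc/snort. Run gradm -C after editing to have gradm check the policy for problems before enabling it.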

