inheritance ignored?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby salam » Sat Oct 14, 2006 2:13 am

Hello,

I regularly get these messages in the log:

Code:
grsec: (root:U:/) use of CAP_SYS_ADMIN denied for /bin/nice[nice:5060] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:20059] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/) use of CAP_SYS_RESOURCE denied for /bin/nice[nice:5060] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:20059] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/) denied overstep of process limit by /bin/nice[nice:5060] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:20059] uid/euid:0/0 gid/egid:0/0


the subject is defined here:

Code:
subject /usr/sbin/run-crons o {
/ r
/bin rx
/bin/ln rxi
/bin/nice rxi
/bin/su r
/bin/touch rxi
/dev r
/dev/null rw
/dev/tty rw
/dev/urandom r
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/etc h
/etc/cron* rx
/etc/cron.daily/raidtools rxi
/etc/fstab r
/etc/mtab r
/etc/ld.so.cache r
/lib64 rx
/proc r
/proc/meminfo r
/proc/sys h
/proc/sys/kernel/version r
/usr/bin rx
/usr/bin/find rxi
/var h
/var/spool/cron rwcd
-CAP_ALL
+CAP_SYS_ADMIN
+CAP_SYS_RESOURCE
bind disabled
connect disabled
}


As you see, /bin/nice gets rxi (so I suppose it inherits the same ACL as the run-crons subject), but it completely ignores SYS_ADMIN and SYS_RESOURCE. Any idea what's wrong with this ACL?
salam
 
Posts: 27
Joined: Wed Jul 19, 2006 7:22 am
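The log lines quoted in the post carry more information than the capability name alone: the parenthesised prefix records the role, role type and subject path that the RBAC system applied, and the rest names the binary, its PID and credentials, and the parent process. A practitioner debugging a policy like this one usually wants those fields pulled out and compared against the subject the policy was meant to apply. The script below is an added example, not code from the post or from grsecurity; the sample lines are constructed copies of the ones quoted above plus an unrelated cron line the parser must skip, and the mapping of binary to expected subject is an assumption supplied by the caller.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input modelled on the lines quoted in the post; the last
# line is an ordinary cron entry that the parser must ignore.
SAMPLE_LOG = """\
grsec: (root:U:/) use of CAP_SYS_ADMIN denied for /bin/nice[nice:5060] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:20059] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/) use of CAP_SYS_RESOURCE denied for /bin/nice[nice:5060] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:20059] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/) denied overstep of process limit by /bin/nice[nice:5060] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:20059] uid/euid:0/0 gid/egid:0/0
Oct 14 02:10:01 host cron[20059]: (root) CMD (run-crons)
"""

# One process as grsec prints it: path[comm:pid] uid/euid:a/b gid/egid:c/d
# The {p} placeholder prefixes the group names so the pattern can be reused
# for the parent process.
_PROC = (
    r"(?P<{p}path>\S+)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
    r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)"
)

_LINE = re.compile(
    # (role:role-type:subject) is the RBAC context the kernel applied
    r"grsec: \((?P<role>[^:]+):(?P<role_type>[A-Z]):(?P<subject>[^)]*)\) "
    # either a capability denial or some other denied action
    r"(?:use of (?P<cap>CAP_[A-Z_]+) denied for |denied (?P<what>.+?) by )"
    + _PROC.format(p="")
    + r", parent "
    + _PROC.format(p="parent_")
)


@dataclass(frozen=True)
class Denial:
    role: str
    role_type: str      # role type letter (U in the post's lines)
    subject: str        # subject path the RBAC system actually matched
    cap: Optional[str]  # CAP_* name for capability denials, else None
    what: str           # description of the denied action
    path: str
    pid: int
    euid: int
    parent_path: str
    parent_pid: int


def parse_line(line: str) -> Optional[Denial]:
    """Parse one log line; return None for lines that are not grsec denials."""
    m = _LINE.search(line)
    if not m:
        return None
    cap = m.group("cap")
    return Denial(
        role=m.group("role"),
        role_type=m.group("role_type"),
        subject=m.group("subject"),
        cap=cap,
        what=f"use of {cap}" if cap else m.group("what"),
        path=m.group("path"),
        pid=int(m.group("pid")),
        euid=int(m.group("euid")),
        parent_path=m.group("parent_path"),
        parent_pid=int(m.group("parent_pid")),
    )


def parse_log(text: str) -> List[Denial]:
    """Parse every denial line in a block of log text, skipping the rest."""
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


def summarize(denials: Iterable[Denial]) -> Counter:
    """Count denials by (matched subject, binary, denied action)."""
    return Counter((d.subject, d.path, d.what) for d in denials)


def subject_mismatches(denials: Iterable[Denial],
                       expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Binaries whose logged subject differs from the subject the policy
    author expected them to run under.  Returns (binary, expected, logged)."""
    seen = set()
    for d in denials:
        want = expected.get(d.path)
        if want is not None and want != d.subject:
            seen.add((d.path, want, d.subject))
    return sorted(seen)


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for key, n in summarize(found).items():
        print(n, *key)
    # Hypothetical expectation: the poster intends /bin/nice to run under the
    # run-crons subject, so any other logged subject is worth a closer look.
    print(subject_mismatches(found, {"/bin/nice": "/usr/sbin/run-crons"}))
```

Run against real syslog output, `summarize` gives a quick view of which binaries are being denied what under which subject, and `subject_mismatches` flags every binary whose logged subject is not the one the policy author had in mind, which is the first thing to check when a capability granted in a subject block appears to be ignored.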
