policy problem


Postby osa » Tue Feb 27, 2007 4:21 am

Hi

In the morning, when cron is starting, I have noticed this in the logs:

grsec: (root:U:/usr/sbin/cron) denied access to hidden file /dev/log by /usr/sbin/cron[cron:23451] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/cron[cron:27441] uid/euid:0/0 gid/egid:0/0

subject /usr/sbin/cron o {
/ h
/bin h
/bin/bash x
/dev h
/dev/log rw
/etc r
/etc/grsec h
/etc/ssh h
/lib h
/lib/security/pam_env.so rx
/lib/security/pam_unix.so rx
/lib/tls/libcrypt-2.3.2.so rx
/usr/sbin/sendmail rx
/var h
/var/spool/cron/crontabs r
/root
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}

gradm version -> 2.1.8
grsecurity patch -> 2.6.14.4

Where is the error in the policy?

-osa

/dev/ h

Postby hmhansolo » Sat Mar 03, 2007 11:13 am

Remove '/dev/ h'... I believe if you hide /dev/ you will hide everything in it... instead just add '/dev'... without specifying any permissions, it will block all accesses, but the file will still be accessible...
hmhansolo
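
A small triage helper for the denial discussed in this thread, added here as an example and not part of either post or of gradm: it parses the log line and the subject block, then reports the explicit rule for the denied path together with any ancestor directories marked `h`. The function names are hypothetical and the policy is abbreviated from the one posted; the script only reports what the policy text contains and does not model how grsecurity resolves objects.

```python
import re

# Constructed sample input: the log line and an abbreviated copy of the
# subject block quoted in the thread.
LOG = ("grsec: (root:U:/usr/sbin/cron) denied access to hidden file /dev/log "
       "by /usr/sbin/cron[cron:23451] uid/euid:0/0 gid/egid:0/0, "
       "parent /usr/sbin/cron[cron:27441] uid/euid:0/0 gid/egid:0/0")
POLICY = """subject /usr/sbin/cron o {
/ h
/bin h
/dev h
/dev/log rw
/var h
/var/spool/cron/crontabs r
/root
-CAP_ALL
+CAP_SETGID
}"""

DENIED = re.compile(r"grsec: \((?P<role>[^:]+):(?P<rtype>[^:]+):(?P<subject>[^)]+)\) "
                    r"denied access to hidden file (?P<path>\S+) by ")

def parse_subject(text):
    """Return (subject_path, {object_path: mode}) for one subject block."""
    subject, objects = None, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "subject":
            subject = parts[1]
        elif parts[0].startswith("/"):
            # An object listed without a mode (e.g. "/root") is stored as "".
            objects[parts[0]] = parts[1] if len(parts) > 1 else ""
    return subject, objects

def triage(log_line, policy_text):
    """Relate a 'hidden file' denial to the object rules of the logged subject."""
    m = DENIED.search(log_line)
    subject, objects = parse_subject(policy_text)
    if not m or m["subject"] != subject:
        return None  # not a hidden-file denial, or a different subject
    path = m["path"]
    # Ancestor directories of the denied path that carry the 'h' mode.
    hidden = [o for o, mode in objects.items()
              if "h" in mode and o != path and path.startswith(o.rstrip("/") + "/")]
    return {"path": path, "explicit_mode": objects.get(path),
            "hidden_ancestors": sorted(hidden)}

if __name__ == "__main__":
    print(triage(LOG, POLICY))
```
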
 

