Hi,
I am running a 2.6.18.8 kernel with Xen, PaX and grsecurity on x86_64. I have manually merged together the Xen-3.1 and grsecurity-2.1.9-2.6.18.2-200611100917 patches. I previously did the same for a 2.6.16.46 kernel with Xen-3.0.4 and a grsecurity patch that I had lying around for a 2.6.16 kernel. The problem described below is shown on both the old and new configurations.
The problem is as follows: I am running clamav in a chroot (/chroot/clamav) as user clamav (uid 101). I have the following role for this user:
role clamav u
subject / o {
/ h
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/bin/freshclam dpo {
/ h
/chroot/clamav
/chroot/clamav/dev/log rw
/chroot/clamav/dev/random r
/chroot/clamav/dev/urandom r
/chroot/clamav/etc r
/chroot/clamav/tmp rwcd
/chroot/clamav/var/run/clamav rwcd
/chroot/clamav/var/lib/clamav rwcd
/etc
/etc/fstab r
/etc/group r
/etc/grsec h
/etc/host.conf r
/etc/hosts r
/etc/ld.so.cache r
/etc/libnss-mysql.cfg r
/etc/libnss-mysql-root.cfg r
/etc/mtab r
/etc/mysql/my.cnf r
/etc/nsswitch.conf r
/etc/pam.d r
/etc/passwd r
/etc/resolv.conf r
/etc/services r
/etc/ssl/certs r
/etc/ssh h
/lib rx
/usr/lib rx
-CAP_ALL
bind disabled
connect 127.0.0.1/32:53 dgram udp stream tcp
connect 10.10.40.1/24:53 dgram udp stream tcp
connect 0.0.0.0/0:80 stream tcp
}
subject /usr/sbin/clamd dpo {
/ h
/chroot/clamav
/chroot/clamav/dev/random r
/chroot/clamav/dev/urandom r
/chroot/clamav/etc r
/chroot/clamav/tmp rwcd
/chroot/clamav/var rwcd
/etc
/etc/fstab r
/etc/group r
/etc/grsec h
/etc/host.conf r
/etc/hosts r
/etc/ld.so.cache r
/etc/libnss-mysql.cfg r
/etc/libnss-mysql-root.cfg r
/etc/mtab r
/etc/mysql/my.cnf r
/etc/nsswitch.conf r
/etc/pam.d r
/etc/passwd r
/etc/resolv.conf r
/etc/services r
/etc/ssl/certs r
/etc/ssh h
/lib rx
/usr/lib rx
-CAP_ALL
bind 127.0.0.1/32:9000-9100 stream tcp
bind 127.0.0.1/32:3310 stream tcp
connect disabled
}
Using this policy, I am getting the following message about once per hour (whenever clamav tries to update itself):
grsec: (clamav:U:/usr/bin/freshclam) denied create of /chroot/clamav/var/lib/clamav/clamav-0b598ca331da441fb2c5153aaa0ae615/daily.info for writing by /usr/bin/freshclam[freshclam:28293] uid/euid:101/101 gid/egid:101/101, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
But this should be allowed by the following rule from the above policy:
/chroot/clamav/var/lib/clamav rwcd
Can anyone see anything that I might have missed?
Have there been any updates to grsec in the last 6 months that might have fixed this that I could backport? Maybe something to do with the long pathname to the file? The RBAC system is working well apart from this message (with a >2000 line policy file), so I'm confident that my Xen/grsecurity patch merging is correct.
Unfortunately I can't update to a later kernel since I am restricted by Xen in that respect (very much looking forward to Xen + paravirt_ops/vmi).
Cheers,
Brad
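A small checker, added here as an example and not part of the original post or of grsecurity itself, that parses a grsec denial line of the shape quoted above and looks up the path against a subject's object rules. It models RBAC object matching in a simplified way (assumption: the longest path prefix with a rule wins, and every access letter the operation needs must appear in that rule's mode; the operation-to-letter table is the author's own mapping). The object list is a constructed excerpt of the freshclam subject from the post, and the log line is constructed to match the denial quoted there.

```python
"""Check a grsec RBAC denial against a subject's object rules (simplified model)."""
import re

# Constructed excerpt of the freshclam subject quoted in the post.
# An object with no mode letters (e.g. "/chroot/clamav") grants visibility only.
FRESHCLAM_OBJECTS = """
/ h
/chroot/clamav
/chroot/clamav/dev/log rw
/chroot/clamav/dev/random r
/chroot/clamav/dev/urandom r
/chroot/clamav/etc r
/chroot/clamav/tmp rwcd
/chroot/clamav/var/run/clamav rwcd
/chroot/clamav/var/lib/clamav rwcd
/etc
/etc/fstab r
/etc/grsec h
/lib rx
/usr/lib rx
"""

# Constructed log line, same shape as the denial quoted in the post.
GRSEC_LOG = (
    "grsec: (clamav:U:/usr/bin/freshclam) denied create of "
    "/chroot/clamav/var/lib/clamav/clamav-0b598ca331da441fb2c5153aaa0ae615/daily.info "
    "for writing by /usr/bin/freshclam[freshclam:28293] uid/euid:101/101 "
    "gid/egid:101/101, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0"
)

# Assumed mapping from (operation, access) in the log to required mode letters:
# r read, w write, c create, d delete, x execute.
REQUIRED = {
    ("create", "writing"): "wc",
    ("open", "reading"): "r",
    ("open", "writing"): "w",
    ("open", "reading and writing"): "rw",
    ("unlink", None): "d",
    ("exec", None): "x",
}

LOG_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<roletype>[A-Za-z]):(?P<subject>[^)]+)\) "
    r"denied (?P<op>\w+) of (?P<path>\S+)"
    r"(?: for (?P<how>reading and writing|reading|writing))?"
)


def parse_objects(text):
    """Turn object lines ('/path mode') into {path: mode}; a missing mode is ''."""
    rules = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        path = parts[0].rstrip("/") or "/"
        rules[path] = parts[1] if len(parts) > 1 else ""
    return rules


def matching_rule(rules, path):
    """Return (rule_path, mode) for the longest rule path that is a prefix of path."""
    best = None
    for rule_path in rules:
        if rule_path == "/" or path == rule_path or path.startswith(rule_path + "/"):
            if best is None or len(rule_path) > len(best):
                best = rule_path
    return (best, rules[best]) if best is not None else (None, None)


def check_denial(log_line, rules):
    """Explain a denial line: which object rule applied and whether it should have allowed the access."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a grsec denial line")
    op, how, path = m["op"], m["how"], m["path"]
    needed = REQUIRED.get((op, how))
    rule_path, mode = matching_rule(rules, path)
    if rule_path is None:
        verdict = "no rule covers path"
    elif "h" in mode:
        verdict = "hidden"
    elif needed is None:
        verdict = "unknown operation"
    elif all(letter in mode for letter in needed):
        verdict = "allowed by policy as written"
    else:
        verdict = "denied: missing " + "".join(sorted(set(needed) - set(mode)))
    return {"subject": m["subject"], "path": path, "op": op, "needed": needed,
            "rule": rule_path, "mode": mode, "verdict": verdict}


if __name__ == "__main__":
    result = check_denial(GRSEC_LOG, parse_objects(FRESHCLAM_OBJECTS))
    for key, value in result.items():
        print(f"{key:8} {value}")
```

Run against the quoted denial, the checker picks /chroot/clamav/var/lib/clamav (mode rwcd) as the most specific rule and reports the create-for-writing as allowed by the policy text, which at least rules out a typo in the rule as written and points the investigation at what the kernel actually has loaded rather than at the file on disk.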