simple acl
Posted: Wed Mar 09, 2005 1:53 amI use default policy from gradm2
and acl:
role default
subject / {
/ h
/dev
/dev/log rw
/usr/bin/logger x
/lib x
/usr/bin x
/bin x
/sbin x
-CAP_ALL
connect disabled
bind disabled
}
role root ugG
role_allow_ip 0.0.0.0/32
subject / {
/ h
/dev h
/dev/log rw
/dev/initctl
/proc rh
/var rw
/bin x
/root
/sbin x
/usr x
/usr/bin/logger x
/usr/lib x
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/bin/logger {
/dev h
/dev/log rw
}
subject /bin/bash {
/dev h
/dev/log rw
}
run logger
$logger test
Mar 9 20:50:42 mus kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /usr/bin/logger[logger:23881] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23704] uid/euid:0/0 gid/egid:0/0
Please correct me.
and acl:
role default
subject / {
/ h
/dev
/dev/log rw
/usr/bin/logger x
/lib x
/usr/bin x
/bin x
/sbin x
-CAP_ALL
connect disabled
bind disabled
}
role root ugG
role_allow_ip 0.0.0.0/32
subject / {
/ h
/dev h
/dev/log rw
/dev/initctl
/proc rh
/var rw
/bin x
/root
/sbin x
/usr x
/usr/bin/logger x
/usr/lib x
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/bin/logger {
/dev h
/dev/log rw
}
subject /bin/bash {
/dev h
/dev/log rw
}
run logger
$logger test
Mar 9 20:50:42 mus kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /usr/bin/logger[logger:23881] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23704] uid/euid:0/0 gid/egid:0/0
Please correct me.
