denied rename with rwcd

Posted: Wed May 25, 2005 3:49 pm
by joeyt
How do I allow ntpd to rename drift.TEMP to drift and vice versa? I thought that the rwcd on both file names would take care of it. I don't have any subjects for /sbin/init, so I'm guessing that it falls under the role root, as that's who it is being run as. What am I missing?

Code:
grsec: (root:U:/usr/sbin/ntpd) denied rename of /etc/ntp/drift.TEMP to /etc/ntp/drift by /usr/sbin/ntpd[ntpd:13008] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Code:
role root uG
...
subject /usr/sbin/ntpd o {
        /                               h
        /etc/ntp
        /etc/ntp/drift                  rwcd
        /etc/ntp/drift.TEMP             rwcd
        -CAP_ALL
        +CAP_IPC_LOCK
        +CAP_SYS_TIME
        bind    disabled
        connect 10.10.0.12/32:123 dgram udp
}