Grsecurity denies unlink while delete is allowed
Posted: Tue Jul 26, 2005 6:34 am
This message is logged while I think I have given the process enough rights to delete the file (rm inherits the rights of the darbackup script):
Jul 26 03:11:45 megumi grsec: (root:U:/etc/cron.daily/darbackup) denied unlink of /mnt/data/backup/megumi-260705-0310.1.dar by /bin/rm[rm:28934] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/darbackup[darbackup:11472] uid/euid:0/0 gid/egid:0/0
The policy:
subject /etc/cron.daily/darbackup o {
user_transition_allow root
group_transition_allow root
/
/bin xi
/dev
/dev/null rw
/dev/tty rw
/dev/urandom r
/etc h
/etc/grsec h
/etc/cron.daily/darbackup rx
/etc/group r
/etc/ld.so.cache r
/etc/mtab r
/etc/mutt r
/etc/nsswitch.conf r
/etc/passwd r
/etc/resolv.conf r
/lib rx
/proc
/proc/meminfo r
/proc/sys/kernel
/proc/sys/kernel/version r
/proc/kcore h
/proc/bus h
/root
/tmp rwcd
/usr h
/usr/bin h
/usr/bin/awk xi
/usr/bin/dar x
/usr/bin/md5sum xi
/usr/bin/mutt xi
/usr/bin/tail xi
/usr/lib h
/usr/lib/gconv rx
/usr/lib/libgdbm.so.* rx
/usr/sbin h
/usr/sbin/sendmail x
/usr/share
/usr/share/zoneinfo/Europe r
/var h
/var/run
# Backup storage location
/mnt/data/backup rd
$dev_hides | $dir_hides
-CAP_ALL
bind disabled
connect disabled
}
I am running kernel 2.4.31 with Grsecurity v2.1.6.
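As an added example (not code from the original post and not part of gradm or the grsecurity project), the script below parses a grsec denial line of the form logged above and then looks up which object rule inside the subject block applies to the denied path, using the longest-matching-path precedence that gradm uses to pick the most specific object rule. SAMPLE_POLICY is an excerpt of the policy above; the mapping of the `unlink` action to the `d` object mode is my reading of the gradm object-mode flags and is an assumption of this script; the `$dev_hides | $dir_hides` variables are not expanded, so any hiding rule they define is invisible here.

```python
import fnmatch
import re
from typing import Dict, Optional, Tuple

# Constructed sample input: the denial line from the post, copied verbatim.
SAMPLE_LOG = (
    "Jul 26 03:11:45 megumi grsec: (root:U:/etc/cron.daily/darbackup) denied unlink of "
    "/mnt/data/backup/megumi-260705-0310.1.dar by /bin/rm[rm:28934] uid/euid:0/0 "
    "gid/egid:0/0, parent /etc/cron.daily/darbackup[darbackup:11472] uid/euid:0/0 gid/egid:0/0"
)

# Excerpt of the subject block from the post (comment, variable and option lines kept
# on purpose so the parser has to skip them).
SAMPLE_POLICY = """
subject /etc/cron.daily/darbackup o {
user_transition_allow root
/
/bin xi
/etc h
/etc/cron.daily/darbackup rx
/proc
/proc/kcore h
/usr h
/usr/lib h
/usr/lib/libgdbm.so.* rx
# Backup storage location
/mnt/data/backup rd
$dev_hides | $dir_hides
-CAP_ALL
bind disabled
}
"""

# Field layout of a grsec "denied <action> of <object> by <exe>[comm:pid] ..." line.
DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<roletype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied (?P<action>\S+) of (?P<object>\S+) "
    r"by (?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

# Assumption: which object-mode letter each denied action needs (gradm flag semantics).
ACTION_TO_MODE = {"unlink": "d", "open": "r", "write": "w", "exec": "x", "create": "c"}


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a grsec denial line, or None if it does not match."""
    m = DENIAL_RE.search(line)
    return m.groupdict() if m else None


def parse_subject_objects(policy_text: str) -> Dict[str, str]:
    """Collect path -> mode for every object line in a subject block.

    Lines that are not filesystem objects (subject header, transitions, capabilities,
    socket policy, $variables, comments) are skipped; a path with no mode gets ''.
    """
    objects: Dict[str, str] = {}
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue
        parts = line.split()
        objects[parts[0]] = parts[1] if len(parts) > 1 else ""
    return objects


def applicable_rule(objects: Dict[str, str], path: str) -> Optional[Tuple[str, str]]:
    """Pick the most specific object rule for `path`: the longest rule path that matches.

    Glob rules match the full path with fnmatch; plain rules match the path itself or
    any path below that directory; '/' matches everything.
    """
    best: Optional[Tuple[str, str]] = None
    for rule_path, mode in objects.items():
        if any(ch in rule_path for ch in "*?["):
            matched = fnmatch.fnmatchcase(path, rule_path)
        elif rule_path == "/":
            matched = True
        else:
            matched = path == rule_path or path.startswith(rule_path + "/")
        if matched and (best is None or len(rule_path) > len(best[0])):
            best = (rule_path, mode)
    return best


def explain_denial(line: str, policy_text: str) -> Optional[Dict[str, object]]:
    """Join a denial line with the policy: which rule applied and whether it grants the mode."""
    fields = parse_denial(line)
    if fields is None:
        return None
    rule = applicable_rule(parse_subject_objects(policy_text), fields["object"])
    needed = ACTION_TO_MODE.get(fields["action"], "?")
    return {
        "subject": fields["subject"],
        "action": fields["action"],
        "object": fields["object"],
        "rule": rule[0] if rule else None,
        "mode": rule[1] if rule else None,
        "mode_needed": needed,
        "granted_by_literal_rule": bool(rule and needed in rule[1]),
    }


if __name__ == "__main__":
    for key, value in (explain_denial(SAMPLE_LOG, SAMPLE_POLICY) or {}).items():
        print(f"{key:>24}: {value}")
```

Run against the line and policy from the post, the script reports that the most specific literal rule for the deleted file is `/mnt/data/backup rd`, which does carry the `d` flag; it does not tell you why the kernel still denied the unlink, only that the answer is not in the literal path rules it can see (the unexpanded `$dev_hides | $dir_hides` variables being the obvious blind spot).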