
grsecurity,apache and __connect__?

PostPosted: Tue Dec 12, 2006 8:02 am
by `VL
I'm setting up grsecurity ACLs for the Apache web server and have this message in the logs:

Code:
.../usr/sbin/apache2 denied connect() to 0.0.0.0 port 443 stream tcp ...


The question is: why does Apache need to __connect__? As I understand it, bind should be enough.

Adding a connect part to the ACL removes the problem, but I want to know what is happening.

I asked the Apache people and they claim that Apache doesn't do connect(). I've straced the Apache process and the only thing I found was:

Code:
24414 connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)


What do you think about all this?
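As an added illustration, not part of the thread: a minimal RBAC subject for Apache in gradm's policy syntax, granting bind on the web ports only and no connect at all, with the nscd socket from the strace above handled as a file object rather than by a connect rule. The binary path, ports and object list are assumptions for this example, and the rule syntax is given as I recall it from the gradm RBAC documentation, so check it against the gradm version in use.

```text
# Added illustration (not from the thread): a minimal gradm RBAC subject for
# Apache. Paths, ports and object modes are assumptions for this example.
subject /usr/sbin/apache2 o {
	/				h
	/etc/apache2			r
	/var/www			r
	/var/log/apache2		wa

	# Unix-domain sockets (such as the nscd socket the strace shows glibc
	# trying to reach) are controlled by the object rule on the socket path,
	# not by the IPv4 connect rules below. (assumed from the gradm docs)
	/var/run/nscd/socket		rw

	# IPv4 socket rules: the server may bind the web ports and nothing else.
	bind	0.0.0.0/0:80 stream tcp
	bind	0.0.0.0/0:443 stream tcp
	connect	disabled
}
```

With `connect disabled`, any connect() the process makes on an IPv4 socket is denied and logged, which is the least-privilege shape for a server that should only ever accept connections; the log line quoted in the post is what such a denial looks like, so a policy like this makes unexpected outbound calls visible instead of silently allowing them.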

PostPosted: Tue Dec 12, 2006 7:34 pm
by spender
What version of grsecurity are you running (including patch date) and what kernel version?

-Brad

PostPosted: Wed Dec 13, 2006 3:22 am
by `VL
System is Gentoo Hardened,

kernel is hardened-sources-2.4.32-r7
grsecurity is 3100_grsecurity-2.1.8-2.4.32-200601211647.patch (from the Gentoo kernel patches)
gradm is 2.1.8

PostPosted: Fri Dec 15, 2006 5:24 pm
by spender
Maybe the gentoo-modified patch is incorrect. From the code, I don't see any reason why a vanilla kernel with the grsecurity patch from the website would have this problem.

-Brad

PostPosted: Fri Dec 22, 2006 6:36 am
by `VL
Upgraded to gentoo-hardened 2.4.33.4 with grsecurity-2.1.9-2.4.33.4-200611282125.patch.

Everything is OK.