gradm -R fails with "readlink: Permission denied"
Posted: Mon Oct 15, 2007 12:00 pm
Hi all,
I have set up a policy with an administrative role:
role admin sA
subject / adkrvO
    / rwxcdml
    /etc rwxcdmlW
    +CAP_ALL
This is the only role that should be able to modify the ACL settings. It gets access to /etc/grsec/*, but when trying to reload the policy afterwards, gradm fails with the error: "readlink: Permission denied".
strace reveals that gradm is trying to read its own /proc/<pid>/exe, but gets an error (besides other strange messages):
# strace gradm -R
[...]
Password:
[...]
chdir("/etc/grsec") = 0
open("/etc/grsec/policy", O_RDONLY) = 3
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfff6108) = -1 ENOTTY (Inappropriate ioctl for device)
[...]
getpid() = 4377
readlink("/proc/4377/exe", 0xbfff514c, 4095) = -1 EACCES (Permission denied)
write(2, "readlink: Permission denied\n\n", 29readlink: Permission denied
) = 29
munmap(0xb7f65000, 4096) = 0
exit_group(1) = ?
The policy is then not reloaded. No error is logged to syslog or console.
Do I need to specify any further permissions for the admin role?
Thanks /markus