Denied create - Why?
Posted: Wed Mar 25, 2015 4:30 pm
Hitting the following issue with my RBAC policy:
```
grsec: (root:U:/etc/cron.daily) denied create of /var/lib/mlocate/daily.lock for writing by /bin/touch[touch:2970] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/mlocate[mlocate:2968] uid/euid:0/0 gid/egid:0/0
```
Here's the relevant parts of the subject (lots of objects that aren't relevant omitted):
```
# Role: root
subject /etc/cron.daily odspkA {
	user_transition_allow man debian-spamd
	group_transition_allow man debian-spamd
	/
	/bin				rxi
	/lib				rxi
	/lib/modules			h
	/lib64/modules			h
	/proc				r
	/proc/bus			h
	/proc/kallsyms			h
	/proc/kcore			h
	/proc/modules			h
	/proc/slabinfo			h
	/sbin
	/sbin/runlevel			xi
	/sbin/start-stop-daemon		xi
	/sbin/killall5			xi
	/srv
	/usr
	/usr/bin			rxi
	/usr/include
	/usr/include/libxml2
	/usr/lib			rxi
	/usr/local/lib/mod_security2.so	rxi
	/usr/sbin			rxi
	/usr/share			r
	/var
	/var/backups			rwcd
	/var/cache			w
	/var/cache/apache2
	/var/cache/apt			rwcda
	/var/cache/man
	/var/lib			r
	/var/lib/dpkg			rw
	/var/lib/ghostscript
	/var/lib/imapproxy
	/var/lib/logrotate
	/var/lib/logrotate/status	rw
	/var/lib/mlocate
	/var/lib/mlocate/daily.lock	wcd
	/var/lib/mlocate/mlocate.db*	rwcd
```
/etc/cron.daily/mlocate itself contains:
```bash
#! /bin/bash

set -e

[ -x /usr/bin/updatedb.mlocate ] || exit 0

if which on_ac_power >/dev/null 2>&1; then
    ON_BATTERY=0
    on_ac_power >/dev/null 2>&1 || ON_BATTERY=$?
    if [ "$ON_BATTERY" -eq 1 ]; then
        exit 0
    fi
fi

##
LOCKFILE="/var/lib/mlocate/daily.lock"
trap "rm -f $LOCKFILE" EXIT

if [ -e "$LOCKFILE" ]; then
    echo >&2 "Warning: $LOCKFILE present, not running updatedb."
    exit 1
else
    touch "$LOCKFILE"
fi
##

# See ionice(1)
if [ -x /usr/bin/ionice ] &&
    /usr/bin/ionice -c3 true 2>/dev/null; then
    IONICE="/usr/bin/ionice -c3"
fi

$IONICE /usr/bin/updatedb.mlocate
```
So /bin/touch has xi, so it should be inheriting the policy, which includes create access for /var/lib/mlocate/daily.lock.
Do I need read to allow for create?
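As an added example (not from the post, and not grsecurity's own tooling), a small Python checker that parses a denial line in the format shown above, finds the most specific object for the denied path in a subject block, and reports which requested mode letters that object lacks. The log regex, the verb-to-mode table and the longest-prefix object matching are assumptions modelled on this one log line and the gradm object syntax; the sample denial and the trimmed subject are constructed from the post. When the matched object already carries every requested letter, as it does here, the denial is not explained by that object's mode and the question moves to which role/subject the kernel actually selected or which policy is loaded.

```python
import fnmatch
import re

# Constructed sample input: the denial line and a trimmed copy of the subject from the post.
DENIAL = ("grsec: (root:U:/etc/cron.daily) denied create of /var/lib/mlocate/daily.lock "
          "for writing by /bin/touch[touch:2970] uid/euid:0/0 gid/egid:0/0, "
          "parent /etc/cron.daily/mlocate[mlocate:2968] uid/euid:0/0 gid/egid:0/0")
SUBJECT = """subject /etc/cron.daily odspkA {
user_transition_allow man debian-spamd
/
/bin rxi
/var
/var/lib r
/var/lib/mlocate
/var/lib/mlocate/daily.lock wcd
/var/lib/mlocate/mlocate.db* rwcd
}"""

# Regex derived from the single log line on the page (an assumption for other grsec message variants).
LOG_RE = re.compile(r"\((?P<role>[^:]+):(?P<rtype>[^:]+):(?P<subj>[^)]+)\) denied "
                    r"(?P<verb>\w+) of (?P<path>\S+)(?: for (?P<how>\w+))? by (?P<prog>\S+)\[")
# Mode letter each denial verb asks for; 'open' takes its letter from the 'for reading/writing' clause.
VERB_MODE = {"create": "c", "unlink": "d", "exec": "x", "append": "a", "open": ""}
HOW_MODE = {"reading": "r", "writing": "w"}

def parse_subject(text):
    """Return [(path_pattern, mode)] for the object lines of one subject block."""
    objects = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("/"):  # object lines only, not transition rules
            objects.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return objects

def match_object(path, objects):
    """Pick the most specific object for path: exact/glob match or the deepest directory prefix."""
    best = None
    for pattern, mode in objects:
        hit = fnmatch.fnmatchcase(path, pattern) or pattern == "/" or path.startswith(pattern + "/")
        if hit and (best is None or len(pattern) > len(best[0])):
            best = (pattern, mode)
    return best

def check_denial(line, subject_text):
    """Compare the access a grsec denial asked for with the mode the policy grants on that path."""
    m = LOG_RE.search(line)
    if not m or m["verb"] not in VERB_MODE:
        raise ValueError("unrecognised denial line: %r" % line)
    needed = set(VERB_MODE[m["verb"]]) | set(HOW_MODE.get(m["how"] or "", ""))
    pattern, mode = match_object(m["path"], parse_subject(subject_text)) or ("<no object>", "")
    return {"path": m["path"], "object": pattern, "mode": mode, "missing": needed - set(mode)}

if __name__ == "__main__":
    print(check_denial(DENIAL, SUBJECT))
```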