grsecurity forums

Hi all,

I'm using the latest stable release of grsecurity (1.9.9h I belive). I've set up my ACLs real tight, but now I have a major problem.

grsec: denied open of /var/log/syslog for reading by (cat:29869) UID(0) EUID(0), parent (logcheck:3773) UID(0) EUID(0)

grsec: denied open of /var/log/auth.log for reading by (cat:32525) UID(0) EUID(0), parent (logcheck:7570) UID(0) EUID(0)

grsec: denied unlink of /var/lib/logcheck/cleaned/logcheck.cracking by (rm:2007) UID(0) EUID(0), parent (logcheck:30631) UID(0) EUID(0)

Now, logcheck is a script that has access to all of these files. But it runs other processes to actually get any information from them. I do not wish to open /var/log for reading to root nor would I like root to get /var/lib/logcheck rw. Is there any way arround this? Or do I need to run my loging on another machine...

Thanks,
Adam

You should try the inherit flags. Something along the lines of:

Code: Select all

/usr/bin/logcheck {
    /var/log r
    /var/lib/logcheck rw
    /bin/cat xi
}

Which will make cat inherit the acl when executed from within logcheck. (There is a better explanation in the documentation.) Note that root can execute logcheck which will modify the files, even though root can't modify the files directly. This may/may not be an issue depending on the structure of logcheck (how it parses command line aguments etc.).

Yes, that did it. Thanks!