ACL Problem ?
Posted: Wed Sep 10, 2003 9:58 am
hi Guys, been running grsecurity (1.9.11 patch against 2.4.21 till I reboot with 1.9.12/2.4.22) and have finally finished trying to write my acl's. It not perfect yet, I've got a couple of cron jobs that still seem to be having problems, although I don't ket anything logged by gradm to indicate a problem with the acl (however they work fine with the acl's disabled).
I get the following errors mailed to me by cron;
/etc/cron.daily/exim:
/usr/bin/savelog: xmalloc: ../src/make_cmd.c:89: cannot allocate 67 bytes (0 bytes allocated)
/usr/bin/savelog: xmalloc: ../src/make_cmd.c:89: cannot allocate 67 bytes (0 bytes allocated)
/etc/cron.daily/logrotate:
sh: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Cannot allocate
memory
/etc/cron.daily/logrotate: line 4: 8557 Segmentation fault /usr/sbin/logrotate /etc/logrotate.conf
run-parts: /etc/cron.daily/logrotate exited with return code 139
savelog is just a shell script while logrotate is a binary and have the following relavent acl's
/usr/sbin/logrotate o {
/var/log/wtmp
/var/log rw
/var/lib/logrotate/status rw
/var/lib/logrotate
/usr/share/zoneinfo/Europe/London r
/tmp rw
/root r
/lib/libpopt.so.0.0.0 rx
/lib/libnss_compat-2.3.1.so rx
/lib/libnsl-2.3.1.so rx
/lib/libc-2.3.1.so rx
/lib/ld-2.3.1.so x
/etc/logrotate.d r
/etc r
/bin/bash x
/bin/gzip xi
/usr/sbin/logrotate x
/ h
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
RES_FSIZE 50011 50011
RES_DATA 25440 25440
RES_STACK 17384 17384
RES_RSS 0 0
RES_NPROC 55 55
RES_NOFILE 8 8
RES_MEMLOCK 0 0
RES_AS 1790240 1790240
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}
/usr/bin/savelog o {
/
/opt rx
/home rx
/mnt r
/dev
/dev/null rw
/dev/pts rw
/dev/ptmx rw
/dev/tty rw
/dev/console rw
/dev/mem h
/dev/kmem h
/dev/port h
/dev/zero rw
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/etc/init.d h
/etc/shadow- h
/etc/shadow r
/proc rxw
/proc/sys r
/proc/kcore h
/root r
/tmp rw
/var rx
/var/cache rw
/var/spool rw
/var/run rw
/var/tmp rw
/boot r
/etc/grsec h
/var/backups rw
/dev/log rw
/var/log rw
/bin/mv irx
/bin/rm irx
/bin/ln irx
/bin/bash irx
/bin/gzip irx
/usr/bin/touch irx
/bin/chmod irx
/bin/chgrp irx
/bin/chown irx
/usr/bin/basename rx
/bin/cat irx
/sbin/start-stop/daemon irx
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
+CAP_CHOWN
+CAP_SYS_ADMIN
+CAP_SYS_RESOURCE
+CAP_IPC_LOCK
-CAP_ALL
}
As I don't get any errors logged I'm a bit lost as to what is causing these tasks to fail, so if anyone has any suggestions I'd be very grateful.
I get the following errors mailed to me by cron;
/etc/cron.daily/exim:
/usr/bin/savelog: xmalloc: ../src/make_cmd.c:89: cannot allocate 67 bytes (0 bytes allocated)
/usr/bin/savelog: xmalloc: ../src/make_cmd.c:89: cannot allocate 67 bytes (0 bytes allocated)
/etc/cron.daily/logrotate:
sh: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Cannot allocate
memory
/etc/cron.daily/logrotate: line 4: 8557 Segmentation fault /usr/sbin/logrotate /etc/logrotate.conf
run-parts: /etc/cron.daily/logrotate exited with return code 139
savelog is just a shell script while logrotate is a binary and have the following relavent acl's
/usr/sbin/logrotate o {
/var/log/wtmp
/var/log rw
/var/lib/logrotate/status rw
/var/lib/logrotate
/usr/share/zoneinfo/Europe/London r
/tmp rw
/root r
/lib/libpopt.so.0.0.0 rx
/lib/libnss_compat-2.3.1.so rx
/lib/libnsl-2.3.1.so rx
/lib/libc-2.3.1.so rx
/lib/ld-2.3.1.so x
/etc/logrotate.d r
/etc r
/bin/bash x
/bin/gzip xi
/usr/sbin/logrotate x
/ h
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
RES_FSIZE 50011 50011
RES_DATA 25440 25440
RES_STACK 17384 17384
RES_RSS 0 0
RES_NPROC 55 55
RES_NOFILE 8 8
RES_MEMLOCK 0 0
RES_AS 1790240 1790240
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}
/usr/bin/savelog o {
/
/opt rx
/home rx
/mnt r
/dev
/dev/null rw
/dev/pts rw
/dev/ptmx rw
/dev/tty rw
/dev/console rw
/dev/mem h
/dev/kmem h
/dev/port h
/dev/zero rw
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/etc/init.d h
/etc/shadow- h
/etc/shadow r
/proc rxw
/proc/sys r
/proc/kcore h
/root r
/tmp rw
/var rx
/var/cache rw
/var/spool rw
/var/run rw
/var/tmp rw
/boot r
/etc/grsec h
/var/backups rw
/dev/log rw
/var/log rw
/bin/mv irx
/bin/rm irx
/bin/ln irx
/bin/bash irx
/bin/gzip irx
/usr/bin/touch irx
/bin/chmod irx
/bin/chgrp irx
/bin/chown irx
/usr/bin/basename rx
/bin/cat irx
/sbin/start-stop/daemon irx
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
+CAP_CHOWN
+CAP_SYS_ADMIN
+CAP_SYS_RESOURCE
+CAP_IPC_LOCK
-CAP_ALL
}
As I don't get any errors logged I'm a bit lost as to what is causing these tasks to fail, so if anyone has any suggestions I'd be very grateful.