Sendmail problem in ACL

Posted: Fri Jan 30, 2004 12:09 pm
by muaddib
Hi all, I've checked the search engine and didn't find a similar problem, so I hope it will be a dupe.

I have an ACL with the sendmail program in it:
/usr/sbin/sendmail {
/etc/mail rw
/dev/log rw
/sbin/modprobe rx
+CAP_SYS_MODULE
}

I know sendmail is called by the logwatch cron.daily service.

It seems I have the correct entry in the ACL; however, I get this each night:
grsec, use of cap_sys_module denied for (modprobe) parent(sendmail)
grsec denied connect to the unix domain socket /dev/log by (modprobe) parent (sendmail)

I have tried the learning mode on the sendmail entry, but nothing better.

Can someone help me?

Thx

Posted: Mon Feb 02, 2004 6:34 am
by onyx
Hi!

Try using inheritance for modprobe in your sendmail file:

/sbin/modprobe rxi

in this case, modprobe will run with the permissions of sendmail,
which has CAP_SYS_MODULE and /dev/log rw. Another method
is to create an ACL for /sbin/modprobe, and give it the learning mode
flag, and let grsec create the ACL for you.
Hope I could help!

onyx
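
The reply above turns on which subject a denied process is running under. As an added example (not part of the thread and not grsecurity tooling), this sketch parses the ACL and the two denial messages quoted in the question and reports whether the child named in each denial inherits the parent's ACL. The function names, verdict strings and parsing rules are assumptions that cover only the syntax visible in this thread.

```python
import re

# Constructed sample input: the ACL and the two denials quoted in the thread.
ACL_TEXT = """/usr/sbin/sendmail {
/etc/mail rw
/dev/log rw
/sbin/modprobe rx
+CAP_SYS_MODULE
}"""
LOG_LINES = [
    "grsec, use of cap_sys_module denied for (modprobe) parent(sendmail)",
    "grsec denied connect to the unix domain socket /dev/log by (modprobe) parent (sendmail)",
]
# Matches the "(child) parent(parent)" tail seen in both quoted messages.
DENIAL = re.compile(r"\((?P<child>[^)]+)\)\s*parent\s*\((?P<parent>[^)]+)\)")

def basename(path):
    return path.rsplit("/", 1)[-1]

def parse_acl(text):
    """Parse 'subject { object mode ... +CAP }' blocks into {subject: {object: mode}}."""
    subjects, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            current = subjects.setdefault(line[:-1].strip(), {})
        elif line == "}":
            current = None
        elif current is not None and line and not line.startswith("+"):
            path, _, mode = line.partition(" ")
            current[path] = mode.strip()
    return subjects

def explain_denials(acl_text, log_lines):
    """Return (child, parent, verdict) for each denial that names a child and parent."""
    subjects = parse_acl(acl_text)
    names = {basename(p): p for p in subjects}
    findings = []
    for m in filter(None, map(DENIAL.search, log_lines)):
        child, parent = m["child"], m["parent"]
        objects = subjects.get(names.get(parent), {})
        mode = next((md for p, md in objects.items() if basename(p) == child), None)
        if child in names:
            verdict = "own-subject"        # child is confined by its own ACL
        elif mode is not None and "i" in mode:
            verdict = "inherits"           # child runs under the parent's ACL
        else:
            verdict = "missing-inherit"    # parent's grants do not reach the child
        findings.append((child, parent, verdict))
    return findings

if __name__ == "__main__":
    print(explain_denials(ACL_TEXT, LOG_LINES))
    print(explain_denials(ACL_TEXT.replace("modprobe rx", "modprobe rxi"), LOG_LINES))
```

With the original ACL both denials come back as `missing-inherit`; with `/sbin/modprobe rxi` they come back as `inherits`, matching the first method in the reply.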

Posted: Mon Feb 02, 2004 7:27 am
by muaddib
Oh yes, of course.
Thanks a lot,
I've just had a look at the ACL paper, and I wonder why I didn't see this "i" command for binaries...
I'm sure it will work now.

thanks again