grsecurity forums

Using 2.4.25, gradm-1.14

After adding a learning mode ACL for qmail-local I'm getting this message on gradm -R:

Warning: write access is allowed to your subject ACL for /var/qmail/bin/qmail-local. Please ensure that the subject is running with less privilege than the default ACL.

My ACL looks like

Code: Select all

/var/qmail/bin/qmail-local lo {
        / h
        -CAP_ALL
        RES_FSIZE 0 0
        RES_DATA 0 0
        RES_RSS 0 0
        RES_NOFILE 0 0
        RES_MEMLOCK 0 0
        RES_STACK 0 0
        RES_AS 0 0
        RES_NPROC 0 0
        RES_LOCKS 0 0

        connect {
                disabled
        }
        bind {
                disabled
        }
}


This was a copy/paste job of what I typically use for learning mode, so I'm really confused as to why I'm getting this message all of a sudden. It's probably something simple but I've stared at it for a while and I don't see anything wrong. Also, I don't see anything in the doc about write access for subject modes, only for object modes, which makes the error message even more confusing.

What should I look at to fix this?

It's telling you that because your default subject ( the / one) allows write access to /var/qmail/bin/qmail-local

you probably have a /var rw rule or something in your default subject.
adding the rule:

/var/qmail/bin rx

to the default subject will fix that error.

Oh sure, when you put it that way it sounds so obvious

That fixed it f course, thanks!