Problem with expired file descriptors? [v2.1.8]
Posted: Sun Feb 12, 2006 6:23 am
On my machine once a week mysqld is restarted by a cronjob. If I want to access mysql the next day this is what happens:
Code:
Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied access to hidden file /var/run/mysqld/mysqld.sock by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied open of /var/log/php.log for appending by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
The policy should be ok and worked fine all the days before:
Code:
role www-data u
...
subject /usr/sbin/apache2 o {
...
/var
/var/run h
/var/run/mysqld/mysqld.sock rw
/var/log
/var/log/php.log a
...
}
I have noticed this behaviour before with other programs. It mainly happens if logfiles have been rotated. Then access to the newly created logfiles is denied even when explicitly allowed by the policy. Is RBAC working with expired file descriptors? Is this a bug or did I miss something and have to change my configuration?
In any case, after reloading or restarting the RBAC system it works fine again.
Kernel 2.6.14.6 SMP AMD64
grsecurity 2.1.8-2.6.14.6-200601211647
gradm v2.1.8