allow program to call /sbin/halt
Posted: Fri Nov 06, 2009 8:57 am
Hi!
I want to allow one of my programs to call /sbin/halt and shut down the system under grsec.
The program executes halt like this:
execl("/sbin/halt", "/sbin/halt", NULL);
My rules for this application:
subject /opt/sbin/amd64/myprogram o {
<skip some rules>
/sbin/halt rxt
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_FOWNER
+CAP_FSETID
+CAP_SYS_TIME
+CAP_KILL
+CAP_SYS_PTRACE
}
The rule for halt:
subject /sbin/halt o {
/
/etc h
/etc/ld.so.cache r
/lib rx
/sbin h
/sbin/halt x
/sbin/shutdown x
/var h
/var/log w
/var/run rw
/dev/grsec h
/proc r
/proc/kcore h
/proc/sys h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
-CAP_ALL
+CAP_SYS_BOOT
+CAP_SYS_TTY_CONFIG
}
But I still get the message in the log, and the program can't call halt :(
Nov 6 15:44:17 kernel: [1216927.621573] grsec: From 192.168.68.172: (root:U:/opt/sbin/amd64/myprogram) denied ptrace of /sbin/halt by /sbin/halt[myprogram:11787] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Any idea about what's wrong?
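A small parser for the grsec audit line quoted above, added here as an example (not part of the original post or of grsecurity itself): it splits the "denied ptrace of X by Y[comm:pid] ... parent Z[comm:pid]" message shape into fields so denials can be grouped by (subject, action, object) when tuning a policy. Only that message shape is handled; the second sample line is a constructed repeat with a different pid.

```python
import re
from collections import Counter

# Matches the "<verdict> <action> of <object> by <exe>[<comm>:<pid>] ..." shape
# seen in the post. Other grsec message shapes are not handled here.
GRSEC_RE = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?"
    r"\((?P<role>[^:()]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"(?P<verdict>denied|successful) (?P<action>\w+) of (?P<object>\S+) "
    r"by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r", parent (?P<pexe>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

def parse_grsec_line(line):
    """Return a dict of fields for one grsec audit line, or None if it does not match."""
    m = GRSEC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        rec[key] = int(rec[key])
    return rec

def summarize_denials(lines):
    """Count denied (subject, action, object) triples across a batch of log lines.

    Each distinct triple corresponds to one subject/object decision the RBAC
    policy made; the counts show which decision fires and how often.
    """
    counts = Counter()
    for line in lines:
        rec = parse_grsec_line(line)
        if rec and rec["verdict"] == "denied":
            counts[(rec["subject"], rec["action"], rec["object"])] += 1
    return counts

# Sample input: the line from the post, plus one constructed repeat (pid 11802).
SAMPLE_LOG = [
    "Nov 6 15:44:17 kernel: [1216927.621573] grsec: From 192.168.68.172: "
    "(root:U:/opt/sbin/amd64/myprogram) denied ptrace of /sbin/halt by "
    "/sbin/halt[myprogram:11787] uid/euid:0/0 gid/egid:0/0, parent "
    "/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Nov 6 15:46:02 kernel: [1217032.110004] grsec: From 192.168.68.172: "
    "(root:U:/opt/sbin/amd64/myprogram) denied ptrace of /sbin/halt by "
    "/sbin/halt[myprogram:11802] uid/euid:0/0 gid/egid:0/0, parent "
    "/sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
]

if __name__ == "__main__":
    for triple, n in summarize_denials(SAMPLE_LOG).items():
        print(n, *triple)
```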