Process mysteriously enters default role
Posted: Wed Feb 11, 2015 8:04 am
I have created a (seemingly) working policy for an apache web server (see below). In this policy the default role is not used. At first, everything worked fine. But after a while I find the following log messages
So /usr/sbin/apache2 entered the default role - but why?! The policy (the result of the learner with some tuning) is
What went wrong?
- Code: Select all
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var/www/andustar/favicon.ico by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var/www/andustar/favicon.ico by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0
Feb 11 12:51:19 andustar kernel: grsec: From 127.0.0.6: (default:D:/) denied access to hidden file /var by /usr/sbin/apache2[apache2:4761] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:16060] uid/euid:0/0 gid/egid:0/0
So /usr/sbin/apache2 entered the default role - but why?! The policy (the result of the learner with some tuning) is
- Code: Select all
# role root
subject /usr/sbin/apache2 o {
user_transition_allow apache
group_transition_allow apache
/ h
/dev h
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/shadow h
/etc/shadow- h
/etc/ssh h
/proc h
/proc/sys/kernel/ngroups_max r
/run
/run/apache2.pid w
/usr h
/usr/lib/apache2
/usr/lib/apache2/modules rx
/usr/lib/libcrypto.so.1.0.0 rx
/usr/lib/libssl.so.1.0.0 rx
/var h
/var/log/apache2 a
/var/www
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
bind 0.0.0.0/32:0 dgram ip
connect 127.0.0.1/32:0 dgram udp
sock_allow_family ipv6 netlink
}
...
role apache u
role_allow_ip 0.0.0.0/32
subject / {
/ h
/etc/localtime r
/var
/var/log h
/var/www r
-CAP_ALL
bind disabled
connect disabled
}
What went wrong?