Hy, I used learning mode to create the following acl ... but when I enable it (just to test su) it gives me:
$ su -
su: must be run from a terminal
Note: In the learn mode I successfully su-ed root
The acl:
role default
subject / {
/ h
-CAP_ALL
connect disabled
bind disabled
}
role admin u
role_allow_ip 10.0.0.1/32
subject / {
/ h
/bin/su x
-CAP_ALL
bind disabled
connect disabled
}
subject /bin/su o {
/ h
/bin h
/bin/su x
/dev h
/dev/log rw
/dev/urandom r
/etc r
/etc/ssh h
/etc/grsec h
/lib rx
/proc h
/proc/1114
/usr h
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/libgcc_s.so.1 rx
/usr/lib/libcrack.so.2.7 rx
/usr/share/zoneinfo/GMT r
/var h
/var/run/utmp rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
role root uG
role_allow_ip 10.0.0.1/32
subject / {
/ h
/bin h
/bin/bash x
/bin/whoami x
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/proc h
/proc/meminfo r
/sbin h
/sbin/gradm x
/dev
/dev/null w
/dev/tty rw
/dev/urandom r
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/root
/root/.bash_history r
-CAP_ALL
bind disabled
connect disabled
}