I use default policy from gradm2
and acl:
role default
subject / {
/ h
/dev
/dev/log rw
/usr/bin/logger x
/lib x
/usr/bin x
/bin x
/sbin x
-CAP_ALL
connect disabled
bind disabled
}
role root ugG
role_allow_ip 0.0.0.0/32
subject / {
/ h
/dev h
/dev/log rw
/dev/initctl
/proc rh
/var rw
/bin x
/root
/sbin x
/usr x
/usr/bin/logger x
/usr/lib x
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/bin/logger {
/dev h
/dev/log rw
}
subject /bin/bash {
/dev h
/dev/log rw
}
run logger
$logger test
Mar 9 20:50:42 mus kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /usr/bin/logger[logger:23881] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23704] uid/euid:0/0 gid/egid:0/0
Please correct me.
simple acl
5 posts
• Page 1 of 1
Re: simple acl
by onyx » Thu Mar 10, 2005 6:38 am
]lexa wrote:I use default policy from gradm2
and acl:
[...]
role root ugG
role_allow_ip 0.0.0.0/32
subject / {
/ h
/dev h
/dev/log rw
/dev/initctl
/proc rh
/var rw
/bin x
/root
/sbin x
/usr x
/usr/bin/logger x
/usr/lib x
-CAP_ALL
bind disabled
connect disabled
}
subject /usr/bin/logger {
/dev h
/dev/log rw
}
run logger
$logger test
Mar 9 20:50:42 mus kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /usr/bin/logger[logger:23881] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23704] uid/euid:0/0 gid/egid:0/0
Please correct me.
Are you running logger as root? Because the subject for logger is under role root, so if you run it as another user, the default role will apply to you.
- onyx
- Posts: 36
- Joined: Tue Jan 20, 2004 7:46 pm
by onyx » Thu Mar 10, 2005 7:15 pm
lexa wrote:>Are you running logger as root? Because the subject for logger is under role >root, so if you run it as another user, the default role will apply to you.
Yes. course.
default role also hade /dev/log rw
under role root:
role_allow_ip 0.0.0.0/32
you should try adding your own ip there
- onyx
- Posts: 36
- Joined: Tue Jan 20, 2004 7:46 pm
5 posts
• Page 1 of 1