grsecurity, apache and __connect__?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by `VL » Tue Dec 12, 2006 8:02 am

I'm setting up grsecurity ACLs for the Apache web server and have this message in the logs:

.../usr/sbin/apache2 denied connect() to 0.0.0.0 port 443 stream tcp ...


The question is: why does Apache need to __connect__? As I understand it, bind should be enough.

Adding the connect part to the ACL removes the problem, but I want to know what is happening.

I asked the Apache people and they claim that Apache doesn't do connect(). I've straced the Apache process and the only thing I found was:
24414 connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)


What do you think about all this?
`VL
 
Posts: 28
Joined: Wed Feb 23, 2005 2:11 pm

Post by spender » Tue Dec 12, 2006 7:34 pm

What version of grsecurity are you running (including patch date) and what kernel version?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by `VL » Wed Dec 13, 2006 3:22 am

The system is Gentoo Hardened,

Kernel is hardened-sources-2.4.32-r7
grsecurity is 3100_grsecurity-2.1.8-2.4.32-200601211647.patch (from the Gentoo patches to the kernel)
gradm is 2.1.8
`VL
 
Posts: 28
Joined: Wed Feb 23, 2005 2:11 pm

Post by spender » Fri Dec 15, 2006 5:24 pm

Maybe the Gentoo-modified patch is incorrect. From the code, I don't see any reason why a vanilla kernel with the grsecurity patch from the website would have this problem.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by `VL » Fri Dec 22, 2006 6:36 am

Upgraded to gentoo-hardened 2.4.33.4 with grsecurity-2.1.9-2.4.33.4-200611282125.patch

Everything is OK.
`VL
 
Posts: 28
Joined: Wed Feb 23, 2005 2:11 pm
