Here is the log output:
- Code: Select all
grsec: use of CAP_SYS_ADMIN denied for (klogd:2561) UID(0) EUID(0), parent (init:1) UID(0) EUID(0)
grsec: use of CAP_SYS_TTY_CONFIG denied for (rm:17578) UID(0) EUID(0), parent (K40sysklogd:18746) UID(0) EUID(0)
grsec: use of CAP_SYS_TTY_CONFIG denied for (rm:12883) UID(0) EUID(0), parent (K40sysklogd:18746) UID(0) EUID(0)
grsec: use of CAP_SYS_TTY_CONFIG denied for (K55setclock:15191) UID(0) EUID(0), parent (rc:19502) UID(0) EUID(0)
grsec: use of CAP_SYS_TTY_CONFIG denied for (stty:18676) UID(0) EUID(0), parent (K55setclock:17852) UID(0) EUID(0)
grsec: more denied capabilities, logging disabled for 30 seconds
Also, lvm won't shut down, hwclock fails (saying it can't read /dev/rtc), ifconfig can't shut down my interfaces etc.
I think I had the klogd error already in 1.9.7d (klogd have a separate acl granting it CAP_SYS_ADMIN).
/bin/umount x
might be part of the problem (unless you have a /bin/umount ACL which grants it among other things CAP_SYS_ADMIN, which I would advise against)
I do have an acl for /bin/umount (need access to cd-roms).
I had tried configuring my box so that it would reboot or shutdown with grsec running but had a massive amount of headaches getting the processes their proper access. It was a much easier solution to make sure I set /sbin/reboot and /sbin/halt hidden and whenever I want to reboot or shut down I'll just do a -a and then a -D.
I have considered this, but I want ctrl-alt-del to work, and since I have had it working before it seems odd it shouldn't work now (since my other acls are fine).
The only thing that may differ between my system and others is that I have a lvm (Linux Volume Manager) root partition and therefore boot my system with an initrd script. Though I don't see how that correlate to my problems, also since it works if I do gradm -R before I reboot.
