Sendmail problem in ACL

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by muaddib » Fri Jan 30, 2004 12:09 pm

Hi all, I've checked the search engine and didn't find a similar problem, so I hope it will be a dupe

I have an ACL with the sendmail program in:
/usr/sbin/sendmail {
/etc/mail rw
/dev/log rw
/sbin/modprobe rx
+CAP_SYS_MODULE
}

I know sendmail is called by the logwatch cron.daily service.

It seems I have a correct entry in the ACL; however, I get each night:
grsec, use of cap_sys_module denied for (modprobe) parent(sendmail)
grsec denied connect to the unix domain socket /dev/log by (modprobe) parent (sendmail)

I have tried the learning mode on the sendmail entry, but nothing better.

Can someone help me?

Thx
muaddib
 
Posts: 11
Joined: Fri Jan 30, 2004 11:59 am

Post by onyx » Mon Feb 02, 2004 6:34 am

Hi!

Try using inheritance for modprobe in your sendmail file:

/sbin/modprobe rxi

In this case, modprobe will run with the permissions of sendmail,
which has CAP_SYS_MODULE and /dev/log rw. Another method
is to create an ACL for /sbin/modprobe, give it the learning mode
flag, and let grsec create the ACL for you.
Hope I could help!

onyx
onyx
 
Posts: 36
Joined: Tue Jan 20, 2004 7:46 pm
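
As an added illustration of the inheritance suggestion above (not code from either poster or from grsecurity), this Python sketch reads an ACL in the syntax quoted in the thread, pairs it with the quoted denial lines, and reports objects that a subject may execute without the "i" flag. The parser, the function names and the matching of logged program names to path basenames are assumptions made for the example.

```python
import os
import re

# ACL text as quoted in the thread (the original sendmail entry, before the fix).
ACL = """\
/usr/sbin/sendmail {
/etc/mail rw
/dev/log rw
/sbin/modprobe rx
+CAP_SYS_MODULE
}
"""

# Denial lines as quoted in the thread (sample input for this example).
LOG = [
    "grsec, use of cap_sys_module denied for (modprobe) parent(sendmail)",
    "grsec denied connect to the unix domain socket /dev/log by (modprobe) parent (sendmail)",
]

def parse_acl(text):
    """Return {subject_path: {object_path: flags}}; capability lines are skipped."""
    subjects, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            current = subjects.setdefault(line[:-1].strip(), {})
        elif line == "}":
            current = None
        elif current is not None and line and line[0] == "/":
            path, _, flags = line.partition(" ")
            current[path] = flags.strip()
    return subjects

def missing_inheritance(acl_text, log_lines):
    """Return sorted (subject, object) pairs where a denied child is executable
    from its parent's subject but the object lacks the 'i' flag."""
    subjects, hits = parse_acl(acl_text), set()
    for line in log_lines:
        m = re.search(r"\((\S+?)\)\s*parent\s*\((\S+?)\)", line)
        if not m:
            continue
        child, parent = m.groups()
        for subj, objects in subjects.items():
            if os.path.basename(subj) != parent:
                continue
            for path, flags in objects.items():
                if os.path.basename(path) == child and "x" in flags and "i" not in flags:
                    hits.add((subj, path))
    return sorted(hits)
```

Calling missing_inheritance(ACL, LOG) on the entry as first posted flags /sbin/modprobe under /usr/sbin/sendmail; with the object changed to "rxi" the list comes back empty.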

Post by muaddib » Mon Feb 02, 2004 7:27 am

Oh yes, of course
Thanks a lot,
I've just had a look at the ACL paper, and I wonder why I didn't see this "i" command for binaries...
I'm sure it will work now

thanks again
muaddib
 
Posts: 11
Joined: Fri Jan 30, 2004 11:59 am

