ACL problem....confused...

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

ACL problem....confused...

Postby kolargol » Thu Sep 23, 2004 5:23 am

Hello,

i have strange filling that when i enable RBAC (gradm -E) it don't read or ignore some entries in /etc/grsec/acl, look:

syslog:
Code: Select all
grsec: From X.X.X.X: (default:D:/) use of CAP_SYS_CHROOT denied for /usr/sbin/popa3d[popa3d:25227] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/popa3d[popa3d:17434] uid/euid:0/0 gid/egid:0/0


but in ACL there is:

Code: Select all
subject /usr/sbin/popa3d o {
    /               h
    /dev                h
    /dev/log            rw
    /etc                h
    /etc/ld.so.cache        r
    /etc/pam.d          r
    /etc/passwd         r
    /etc/shadow         r
    /lib                h
    /lib/libcrypt-2.3.2.so      rx
    /lib/security/pam_unix.so   rx
    /usr                h
    /usr/share/zoneinfo/Europe/Warsaw   r
    /var                h
    /var/lib/popa3d
    -CAP_ALL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_SYS_CHROOT
    bind    disabled
    connect disabled
}



any help on that? - why it doesn't agree witch +CAP_SYS_CHROOT ?
kolargol
 
Posts: 36
Joined: Thu Sep 23, 2004 5:19 am

Postby spender » Thu Sep 23, 2004 10:39 am

In 2.0.1, the file is /etc/grsec/policy.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support