
ACL problem....confused...

Posted: Thu Sep 23, 2004 5:23 am
by kolargol
Hello,

I have a strange feeling that when I enable RBAC (gradm -E) it doesn't read, or ignores, some entries in /etc/grsec/acl. Look:

syslog:
Code:
grsec: From X.X.X.X: (default:D:/) use of CAP_SYS_CHROOT denied for /usr/sbin/popa3d[popa3d:25227] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/popa3d[popa3d:17434] uid/euid:0/0 gid/egid:0/0


But in the ACL there is:

Code:
subject /usr/sbin/popa3d o {
    /               h
    /dev                h
    /dev/log            rw
    /etc                h
    /etc/ld.so.cache        r
    /etc/pam.d          r
    /etc/passwd         r
    /etc/shadow         r
    /lib                h
    /lib/libcrypt-2.3.2.so      rx
    /lib/security/pam_unix.so   rx
    /usr                h
    /usr/share/zoneinfo/Europe/Warsaw   r
    /var                h
    /var/lib/popa3d
    -CAP_ALL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_SYS_CHROOT
    bind    disabled
    connect disabled
}



Any help on that? Why doesn't it agree with +CAP_SYS_CHROOT?

Posted: Thu Sep 23, 2004 10:39 am
by spender
In 2.0.1, the file is /etc/grsec/policy.

-Brad
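
An added example, not part of either post and not grsecurity code: a short Python check that reads the parenthesised prefix of the denial line quoted in the first post and reports which subject was in effect when the capability was denied. For that line it is / in the default role rather than /usr/sbin/popa3d, which fits a policy file that was never read. Reading the prefix as role, role type and subject, and the function names, are assumptions of this example.

```python
import re

# Sample input: the denial line quoted in the first post of this thread.
SAMPLE = ("grsec: From X.X.X.X: (default:D:/) use of CAP_SYS_CHROOT denied for "
          "/usr/sbin/popa3d[popa3d:25227] uid/euid:0/0 gid/egid:0/0, parent "
          "/usr/sbin/popa3d[popa3d:17434] uid/euid:0/0 gid/egid:0/0")

# Assumed layout: "(role:roletype:subject) use of CAP_X denied for /path[comm:pid]"
DENIAL = re.compile(
    r"\((?P<role>[^:()]+):(?P<rtype>[A-Z]):(?P<subject>[^)]*)\) "
    r"use of (?P<cap>CAP_[A-Z_]+) denied for (?P<exe>/[^\[\s]+)\["
)

def check(line):
    """Parse one capability denial and classify the subject that was applied."""
    m = DENIAL.search(line)
    if m is None:
        raise ValueError("not a grsec capability denial line")
    d = m.groupdict()
    subject, exe = d["subject"], d["exe"]
    if subject == exe:
        d["match"] = "own"        # the binary's own subject was in effect
    elif subject == "/":
        d["match"] = "fallback"   # only the catch-all "/" subject applied
    elif exe.startswith(subject.rstrip("/") + "/"):
        d["match"] = "parent"     # a subject on a parent directory applied
    else:
        d["match"] = "other"
    return d

def report(line):
    d = check(line)
    msg = "%s denied for %s under role %s, subject %s" % (
        d["cap"], d["exe"], d["role"], d["subject"])
    if d["match"] != "own":
        msg += (" -> no subject for %s was applied; confirm which policy "
                "file the running gradm version actually loads" % d["exe"])
    return msg

if __name__ == "__main__":
    print(report(SAMPLE))
```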