problem with CAP_NET_BIND_SERVICE

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

problem with CAP_NET_BIND_SERVICE

Postby campbellm » Wed Mar 02, 2005 10:18 pm

Hi,

I'm attempting the impossible by trying to secure a cPanel box with ACLs manually, and keep running into this problem:

grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/local/cpanel/bin/cppop[cppop:1342] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I have allowed the binary (/usr/local/cpanel/bin/cppop) access to the CAP_NET_BIND_SERVICE with the following ACL:

subject /usr/local/cpanel/bin/cppop o
/ h
/dev/log rw
/dev/console rw
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow* h
/etc/lilo.conf h
/lib rx
/proc h
/usr h
/usr/lib rx
/usr/sbin h
/usr/local/cpanel rx
/var/log rw
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_NET_BIND_SERVICE
+CAP_SETGID
+CAP_SETUID

Yet it keeps falling back to the 'default' role. Any ideas what I am doing wrong here?

cheers,

Campbell
campbellm
 
Posts: 2
Joined: Tue Feb 22, 2005 1:10 am

Postby spender » Thu Mar 03, 2005 2:47 pm

I'd have to see your entire policy to determine what the problem is, since just having the subject in the policy does not mean it'll work if it's put in the wrong place (such as under the role for admin, instead of under the default role)

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to RBAC policy development

cron