

Posted: Wed Mar 02, 2005 10:18 pm
by campbellm

I'm attempting the impossible by trying to secure a cPanel box with ACLs manually, and keep running into this problem:

grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/local/cpanel/bin/cppop[cppop:1342] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I have allowed the binary (/usr/local/cpanel/bin/cppop) access to the CAP_NET_BIND_SERVICE with the following ACL:

subject /usr/local/cpanel/bin/cppop o
/ h
/dev/log rw
/dev/console rw
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow* h
/etc/lilo.conf h
/lib rx
/proc h
/usr h
/usr/lib rx
/usr/sbin h
/usr/local/cpanel rx
/var/log rw

Yet it keeps falling back to the 'default' role. Any ideas what I am doing wrong here?



Posted: Thu Mar 03, 2005 2:47 pm
by spender
I'd have to see your entire policy to determine what the problem is, since just having the subject in the policy does not mean it'll work if it's put in the wrong place (such as under the role for admin, instead of under the default role).
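
A way to run the placement check described in the reply above, as an added example that is not part of either post and not grsecurity's own tooling: it reads the `(default:D:/)` prefix of the denial as role, role type and matched subject (an assumption about the log layout), then lists which `role` block of a policy file actually contains the binary's `subject` line. The policy text is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed policy: the cppop subject sits under "admin", not "default".
SAMPLE_POLICY = """\
role admin sA
subject / rvka
    / rwcdmlxi
subject /usr/local/cpanel/bin/cppop o
    / h
role default
subject /
    / h
"""
# Denial line quoted in the first post.
SAMPLE_LOG = ("grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for "
              "/usr/local/cpanel/bin/cppop[cppop:1342] uid/euid:0/0 gid/egid:0/0, "
              "parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0")

# Assumed prefix layout: (role:role type:subject the process matched).
LOG_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[^:]+):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_\w+) denied for (?P<binary>/[^\[]+)\[")

def parse_denial(line):
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def subjects_by_role(policy_text):
    """Map each 'role NAME' line to the 'subject PATH' entries that follow it."""
    roles, current = {}, None
    for raw in policy_text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tok) >= 2 and tok[0] == "role":
            current = tok[1]
            roles.setdefault(current, [])
        elif len(tok) >= 2 and tok[0] == "subject" and current is not None:
            roles[current].append(tok[1])
    return roles

def diagnose(log_line, policy_text):
    """Compare the role in the denial with the roles that define the binary's subject."""
    d = parse_denial(log_line)
    if d is None:
        return None
    holders = sorted(r for r, subs in subjects_by_role(policy_text).items()
                     if d["binary"] in subs)
    return {"denied_in_role": d["role"], "matched_subject": d["subject"],
            "subject_defined_in": holders,
            "misplaced": bool(holders) and d["role"] not in holders}
```

Calling `diagnose(SAMPLE_LOG, SAMPLE_POLICY)` reports that the denial happened in role `default` against subject `/`, while the only `cppop` subject is defined under `admin`.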