Problem with expired file descriptors? [v2.1.8]


Postby matty » Sun Feb 12, 2006 6:23 am

On my machine once a week mysqld is restarted by a cronjob. If I want to access mysql the next day this is what happens:

Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied access to hidden file /var/run/mysqld/mysqld.sock by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied open of /var/log/php.log for appending by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0


The policy should be ok and worked fine all the days before:

role www-data u
...
subject /usr/sbin/apache2 o {
...
        /var
        /var/run                        h
        /var/run/mysqld/mysqld.sock     rw
        /var/log
        /var/log/php.log                a
...
}


I have noticed this behaviour before with other programs. It mainly happens if logfiles have been rotated. Then access to the newly created logfiles is denied even when explicitly allowed by the policy. Is RBAC working with expired file descriptors? Is this a bug or did I miss something and have to change my configuration?
In any case, after reloading or restarting the RBAC system it works fine again.

Kernel 2.6.14.6 SMP AMD64
grsecurity 2.1.8-2.6.14.6-200601211647
gradm v2.1.8
matty
 
Posts: 5
Joined: Tue Feb 07, 2006 3:19 pm
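The symptom in the post is a denial that the loaded policy, read literally, should not have produced: the socket is explicitly granted rw and the log file is granted a, yet the kernel reports them as hidden or unopenable. A cheap way to spot that condition in bulk, rather than by eye, is to parse the grsec denial lines, look up the governing object in the policy text, and flag every denial the policy text would have allowed. The script below does that; it is an added example, not code from the thread or from the grsecurity project. It assumes a simplified model of RBAC object matching (longest matching path prefix, no wildcard objects, an object line with no mode meaning visible but not readable or writable, w counting as sufficient for an append), and its log lines are the two quoted above plus one constructed denial that the policy genuinely forbids.

```python
import re

# Constructed sample input: the two denials quoted in the post plus one
# constructed line (/var/run/utmp) that the policy really does forbid.
SAMPLE_LOG = """\
Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied access to hidden file /var/run/mysqld/mysqld.sock by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied open of /var/log/php.log for appending by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
Feb 12 11:02:07 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied access to hidden file /var/run/utmp by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
"""

# The subject block from the post, with the elided "..." lines dropped.
SAMPLE_POLICY = """\
role www-data u
subject /usr/sbin/apache2 o {
        /var
        /var/run                        h
        /var/run/mysqld/mysqld.sock     rw
        /var/log
        /var/log/php.log                a
}
"""

# One grsec denial line: who (role/subject), what was denied, by which process.
DENIAL_RE = re.compile(
    r"grsec: (?:From (?P<host>\S+): )?"
    r"\((?P<role>[^:]+):(?P<roletype>[^:]+):(?P<subject>[^)]+)\) "
    r"denied (?P<what>.+?) by (?P<binary>\S+)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)
HIDDEN_RE = re.compile(r"access to hidden file (?P<path>\S+)$")
OPEN_RE = re.compile(r"open of (?P<path>\S+) for (?P<how>reading|writing|appending)$")

# Assumed simplified flag semantics: r read, w write, a append, w covers append.
SATISFYING = {"reading": set("r"), "writing": set("w"), "appending": set("aw")}


def parse_policy_objects(text):
    """Return {object_path: mode_flags} for the object lines inside a subject
    block. A line with no mode is stored as '' (assumed: visible, no access)."""
    objects, in_subject = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject "):
            in_subject = True
        elif line == "}":
            in_subject = False
        elif in_subject and line.startswith("/"):
            parts = line.split()
            objects[parts[0]] = parts[1] if len(parts) > 1 else ""
    return objects


def matching_object(objects, path):
    """Longest path-prefix match on component boundaries (assumed simplification
    of how RBAC picks the object that governs a path; wildcards ignored)."""
    best = None
    for obj in objects:
        if path == obj or path.startswith(obj.rstrip("/") + "/"):
            if best is None or len(obj) > len(best):
                best = obj
    return best


def parse_denial(line):
    """Extract the denied path and the kind of access that was wanted."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    hidden, opened = HIDDEN_RE.fullmatch(d["what"]), OPEN_RE.fullmatch(d["what"])
    if hidden:
        d.update(path=hidden["path"], need="visible")
    elif opened:
        d.update(path=opened["path"], need=opened["how"])
    else:
        return None  # other denial kinds (exec, socket, ...) are out of scope here
    return d


def policy_allows(objects, path, need):
    """True if the policy text grants the access the kernel denied."""
    obj = matching_object(objects, path)
    if obj is None:
        return False  # no governing object: RBAC default-denies
    mode = objects[obj]
    if need == "visible":
        return "h" not in mode
    return bool(SATISFYING[need] & set(mode))


def contradicting_denials(log_text, policy_text):
    """Denials the loaded policy should not have produced. A burst of these
    right after a log rotation or daemon restart is the pattern described in
    the thread; a lone one usually means a policy typo instead."""
    objects = parse_policy_objects(policy_text)
    hits = []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and policy_allows(objects, d["path"], d["need"]):
            obj = matching_object(objects, d["path"])
            hits.append((d["path"], d["need"], obj, objects[obj]))
    return hits


if __name__ == "__main__":
    for path, need, obj, mode in contradicting_denials(SAMPLE_LOG, SAMPLE_POLICY):
        print(f"{path}: denied {need}, but object {obj} has mode '{mode}'")
```

Run against the sample data it reports the socket and php.log as contradictions and stays silent on /var/run/utmp, which the hidden /var/run object legitimately covers. In practice you would feed it the subject block from your policy and the kernel log since the last gradm reload; contradictions clustered around the time a file was removed and recreated point at the stale-object problem rather than at the policy.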

Postby bplant » Sun Feb 12, 2006 5:39 pm

Hi Matty,

This sounds exactly like the problem that I've been having ever since I upgraded to 2.1.8:

http://forums.grsecurity.net/viewtopic.php?t=1402

I first discovered it when syslog removed and recreated /dev/log, but have since found the problem in a number of other cases.

Spender has been trying to debug the issue. He had hoped that the latest patch in http://www.grsecurity.net/~spender would resolve the issue, but unfortunately it didn't do the trick. I am running a 2.4 kernel, so perhaps you could try the test patch for the 2.6 kernel since you're running that.

Cheers,

Brad
bplant
 
Posts: 73
Joined: Sat May 28, 2005 10:36 pm

Postby spender » Sun Feb 12, 2006 10:16 pm

I've posted new patches in ~spender that should resolve the problem.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby matty » Sun Feb 19, 2006 1:30 pm

Hello Brad and Brad,

Installed 2.1.8-2.6.14.7-200602122111 a few days ago and it looks good so far. Thanks for the fix!
matty
 
Posts: 5
Joined: Tue Feb 07, 2006 3:19 pm

