
Problem with expired file descriptors? [v2.1.8]

PostPosted: Sun Feb 12, 2006 6:23 am
by matty
On my machine once a week mysqld is restarted by a cronjob. If I want to access mysql the next day this is what happens:

Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied access to hidden file /var/run/mysqld/mysqld.sock by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied open of /var/log/php.log for appending by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0


The policy should be OK; it worked fine on all the days before:

role www-data u
...
subject /usr/sbin/apache2 o {
...
        /var
        /var/run                        h
        /var/run/mysqld/mysqld.sock     rw
        /var/log
        /var/log/php.log                a
...
}


I have noticed this behaviour before with other programs. It mainly happens if logfiles have been rotated. Then access to the newly created logfiles is denied even when explicitly allowed by the policy. Is RBAC working with expired file descriptors? Is this a bug or did I miss something and have to change my configuration?
In any case, after reloading or restarting the RBAC system it works fine again.

Kernel 2.6.14.6 SMP AMD64
grsecurity 2.1.8-2.6.14.6-200601211647
gradm v2.1.8
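An added check for the situation in the post above (written for this thread; it is not code from the original post, from grsecurity or from gradm). It parses the two kernel denial lines and the object lines of the apache2 subject exactly as quoted, then asks, for each denial, what the policy text would grant that path under gradm's most-specific-object rule. A denial on a path the written policy explicitly allows is the symptom matty describes. The string-based lookup is a model only: the kernel matches objects by inode and device, so a file that was unlinked and recreated (a rotated log, a daemon's socket recreated on restart) can stop matching its own policy line until the policy is reloaded, while a string comparison still says "allowed". The third log line, the function names and the Denial/Finding records are constructed for the example.

```python
"""Cross-check grsecurity RBAC denial messages against the policy that should have allowed them.
Added example for this thread, not grsecurity/gradm code.  Log lines 1-2 and the object lines
are copied from the first post; log line 3 and all names here are constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the two denials from the post plus one constructed denial on a
# path the policy really does hide, so both verdicts show up.
SAMPLE_LOG = """\
Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied access to hidden file /var/run/mysqld/mysqld.sock by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
Feb 12 11:01:24 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied open of /var/log/php.log for appending by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
Feb 12 11:01:25 XXX kernel: grsec: From 192.168.0.50: (www-data:U:/usr/sbin/apache2) denied access to hidden file /var/run/apache2.pid by /usr/sbin/apache2[apache2:29296] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[apache2:21144] uid/euid:0/0 gid/egid:0/0
"""

# The object lines of the apache2 subject as quoted in the post (the "..." elisions dropped).
SAMPLE_POLICY = """\
subject /usr/sbin/apache2 o {
        /var
        /var/run                        h
        /var/run/mysqld/mysqld.sock     rw
        /var/log
        /var/log/php.log                a
}
"""

# Shape of a grsec denial line as logged in the post.  Covers "access to hidden file <path>"
# and "open of <path> for <mode>"; other grsec messages are skipped rather than guessed at.
DENIAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: grsec: "
    r"(?:From (?P<src>\S+): )?"
    r"\((?P<role>[^:]+):(?P<roletype>[^:]+):(?P<subject>[^)]+)\) "
    r"denied (?P<what>.+?) (?P<path>/\S+)(?: for (?P<mode>\w+))? "
    r"by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)$"
)


@dataclass(frozen=True)
class Denial:
    ts: str
    role: str
    subject: str
    what: str      # "access to hidden file" or "open of"
    path: str      # the object the kernel refused
    mode: str      # "appending", "writing", "reading", or "" when the message names none
    exe: str
    pid: int
    uid: int
    euid: int
    pexe: str
    ppid: int
    peuid: int


def parse_denials(text: str) -> list[Denial]:
    out = []
    for line in text.splitlines():
        m = DENIAL_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        out.append(Denial(ts=g["ts"], role=g["role"], subject=g["subject"], what=g["what"],
                          path=g["path"], mode=g["mode"] or "", exe=g["exe"], pid=int(g["pid"]),
                          uid=int(g["uid"]), euid=int(g["euid"]), pexe=g["pexe"],
                          ppid=int(g["ppid"]), peuid=int(g["peuid"])))
    return out


def parse_objects(policy: str) -> dict[str, str]:
    """Object lines of one subject block -> {path: mode letters}; a bare path carries no letters."""
    objects: dict[str, str] = {}
    for raw in policy.splitlines():
        line = raw.strip()
        if not line or line.startswith(("subject", "role", "}", "#", "...")):
            continue
        parts = line.split()
        objects[parts[0]] = parts[1] if len(parts) > 1 else ""
    return objects


def effective_object(objects: dict[str, str], path: str) -> tuple[str, str]:
    """Most specific object covering path (longest prefix), modelled on path strings.
    The kernel resolves this by inode/device, which is the whole point of the thread."""
    best = None
    for obj in objects:
        if path == obj or path.startswith(obj.rstrip("/") + "/"):
            if best is None or len(obj) > len(best):
                best = obj
    return (best, objects[best]) if best is not None else ("", "")


NEEDED = {"appending": "aw", "writing": "w", "reading": "r"}  # letters that satisfy each open mode


@dataclass(frozen=True)
class Finding:
    denial: Denial
    matched: str
    modes: str
    verdict: str   # "expected": the written policy forbids it; "unexpected": the written policy grants it


def check(log: str, policy: str) -> list[Finding]:
    objects = parse_objects(policy)
    findings = []
    for d in parse_denials(log):
        matched, modes = effective_object(objects, d.path)
        if "hidden file" in d.what:
            granted = bool(matched) and "h" not in modes      # kernel hid it; policy text does not
        else:
            granted = any(c in modes for c in NEEDED.get(d.mode, ""))
        findings.append(Finding(d, matched, modes, "unexpected" if granted else "expected"))
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_LOG, SAMPLE_POLICY):
        print(f"{f.verdict:10} {f.denial.path:32} matched {f.matched or '<none>'!r} mode {f.modes or '<none>'!r}")
```

Run against the sample, the two denials from the post come out "unexpected" (the policy names both paths with rw and a respectively) and the constructed apache2.pid denial comes out "expected" (it falls under the hidden /var/run). A burst of "unexpected" findings right after a log rotation or a daemon restart is the pattern to look for before touching the policy itself.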

PostPosted: Sun Feb 12, 2006 5:39 pm
by bplant
Hi Matty,

This sounds exactly like the problem that I've been having ever since I upgraded to 2.1.8:

http://forums.grsecurity.net/viewtopic.php?t=1402

I first discovered it when syslog removed and recreated /dev/log, but have since found the problem in a number of other cases.

Spender has been trying to debug the issue. He had hoped that the latest patch in http://www.grsecurity.net/~spender would resolve the issue, but unfortunately it didn't do the trick. I am running a 2.4 kernel, so perhaps you could try the test patch for the 2.6 kernel since you're running that.

Cheers,

Brad

PostPosted: Sun Feb 12, 2006 10:16 pm
by spender
I've posted new patches in ~spender that should resolve the problem.

-Brad

PostPosted: Sun Feb 19, 2006 1:30 pm
by matty
Hello Brad and Brad,

I installed 2.1.8-2.6.14.7-200602122111 a few days ago, and it looks good so far. Thanks for the fix!