Selectively overriding "p" subject flag

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Selectively overriding "p" subject flag

Postby tty » Thu Apr 28, 2011 6:58 am

Hello guys,

generally speaking, I want to protect most of the daemons running on a system, from syslog through apache, squid etc., with the p flag, so that it can only be killed with special privileges. However, this presents a serious problem for logrotate post-rotate scripts, which want to HUP (or sometimes outright restart) the logging processes after rotating their logfiles. Grsecurity denies this access, so the processes don't get new file handles and discontinue logging. Obviously, I don't want that, but I still want to protect my processes from casually being signaled. I'd like to exempt specific subjects from the "p" rule, without assigning them to a role with admin privileges. I haven't been able to deduce a method of doing this from the documentation I have found. Is this possible? If not, any chance this could be implemented in a future version? It would seem to me that this is a pretty common use case.

Thanks in advance!
tty
 
Posts: 1
Joined: Thu Apr 28, 2011 6:51 am

Re: Selectively overriding "p" subject flag

Postby spender » Fri Apr 29, 2011 6:07 pm

If you give logrotate the 'k' subject mode, it will be able to kill protected processes.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to RBAC policy development

cron