I need to fix RBAC policy for maildrop

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

I need to fix RBAC policy for maildrop

Postby timbgo » Thu Aug 27, 2015 11:08 am

I'm writing this here and posting it with some urgency, because I expect people will need this explanation.

Here, in the first place, shines so well the grsecurity logging, which is enabled during kernel compile time (you probably all know that much: after patching the kernel, go 'make menuconfig' and all), and which is tunable (until the issuing of:
[code]
echo 1 > /proc/sys/kernel/grsecurity/grsec_lock
[/code]

when the settings are to your liking...

People will be visiting here, because I promised this post on:

[maildropl] New releases of courier packages.
http://sourceforge.net/p/courier/mailma ... /34410651/

and on:

2yrs old maildrop still in portage, OK?
https://forums.gentoo.org/viewtopic-t-1 ... ml#7805476

So, what I have prepared for posting so far (and I'm not changing it, I'm not ashamed of thinking and going wrong sometimes, esp. when I correct it with this much work as here, and figure things out)...

So, what I have prepared, so far, is in the first next post.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: I need to fix RBAC policy for maildrop

Postby timbgo » Thu Aug 27, 2015 11:18 am

Pls. read the first post (and the links therein), to see what this is about. Esp. don't take some of the statements as my current opinion. This was written before I figured out what the matter was. And I was only able to discover it because of the great logging that grsec provides, as I explained in the previous post.
---
Leaving only three lines of the vim commands exec_logging's entries.
[code]
Aug 27 09:21:20 g0n kernel: [ 4339.845353] grsec: (miro:U:/usr/bin/vim) chdir to /home/miro by /usr/bin/vim[vi:5549] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:5516] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:21:20 g0n kernel: [ 4339.845363] grsec: (miro:U:/usr/bin/vim) chdir to /usr/share/vim/vim74/syntax by /usr/bin/vim[vi:5549] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:5516] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:21:20 g0n kernel: [ 4339.845371] grsec: (miro:U:/usr/bin/vim) chdir to /home/miro by /usr/bin/vim[vi:5549] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:5516] uid/euid:1000/1000 gid/egid:1000/1000
[/code]

Here, sure, a legitimate use of sendmail (fine Postfix program's sendmail):
[code]
Aug 27 09:21:42 g0n kernel: [ 4361.551994] grsec: (miro:U:/usr/sbin/sendmail) exec of /usr/sbin/sendmail (sendmail -oem -oi -f miro.rovis@croatiafidelis.hr -- mailman-request@wireshark.org ) by /usr/sbin/sendmail[mutt:5551] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:5550] uid/euid:1000/1000 gid/egid:1000/1000
[/code]

As you can see, that's me sending mail to wireshark.org. In this case I was requesting help, so I could subscribe via email. Which I did, I subscribed, later, but I still didn't get the welcome message, whatever the reason (mind that there are various places where it could have stumbled; a little more time, and we should know where and what; maybe something trivial, such as the admin having not yet found time...).
Still at sendmail, the legitimate instance:
[code]
Aug 27 09:21:42 g0n kernel: [ 4361.558819] grsec: (miro:U:/usr/sbin/sendmail) chdir to /var/spool/postfix by /usr/sbin/sendmail[sendmail:5551] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mutt[mutt:5550] uid/euid:1000/1000 gid/egid:1000/1000
[/code]
And now goes a plethora of detailed messages, which we will not be interested so much in, as all went fine.
[code]
Aug 27 09:21:42 g0n kernel: [ 4361.559621] grsec: (miro:U:/usr/sbin/postdrop) exec of /usr/sbin/postdrop (/usr/sbin/postdrop -r ) by /usr/sbin/postdrop[sendmail:5554] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sendmail[sendmail:5551] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:21:42 g0n kernel: [ 4361.565553] grsec: (miro:U:/usr/sbin/postdrop) chdir to /var/spool/postfix by /usr/sbin/postdrop[postdrop:5554] uid/euid:1000/1000 gid/egid:1000/208, parent /usr/sbin/sendmail[sendmail:5551] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:21:42 g0n kernel: [ 4361.601247] grsec: (admin:S:/) exec of /usr/libexec/postfix/cleanup (cleanup -z -t unix -u ) by /usr/libexec/postfix/cleanup[master:5555] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:5296] uid/euid:0/0 gid/egid:0/0
Aug 27 09:21:42 g0n postfix/pickup[5297]: 9E95A380067: uid=1000 from=<miro.rovis@croatiafidelis.hr>
Aug 27 09:21:42 g0n postfix/smtp[5557]: xsasl_cyrus_client_first: uncoded initial reply: \000miro.rovis@croatiafidelis.hr\000U$^4$3su74\302\2430~
[/code]
108 lines cut out.
[code]
Aug 27 09:21:42 g0n postfix/smtp[5557]: > 178.218.164.164[178.218.164.164]:587: AUTH PLAIN AG1pcm8ucm92aXNAY3JvYXRpYWZpZGVsaXMuaHIAVSReNCQzc3U3NMKjMH4=
Aug 27 09:21:42 g0n postfix/smtp[5557]: < 178.218.164.164[178.218.164.164]:587: 235 Authentication succeeded
Aug 27 09:21:42 g0n postfix/smtp[5557]: smtp_stream_setup: maxtime=300 enable_deadline=0
Aug 27 09:21:42 g0n postfix/smtp[5557]: > 178.218.164.164[178.218.164.164]:587: MAIL FROM:<miro.rovis@croatiafidelis.hr> SIZE=438
Aug 27 09:21:42 g0n postfix/smtp[5557]: > 178.218.164.164[178.218.164.164]:587: RCPT TO:<mailman-request@wireshark.org>
Aug 27 09:21:42 g0n postfix/smtp[5557]: > 178.218.164.164[178.218.164.164]:587: DATA
Aug 27 09:21:42 g0n postfix/smtp[5557]: smtp_stream_setup: maxtime=300 enable_deadline=0
Aug 27 09:21:43 g0n postfix/smtp[5557]: < 178.218.164.164[178.218.164.164]:587: 250 OK
Aug 27 09:21:43 g0n postfix/smtp[5557]: smtp_stream_setup: maxtime=300 enable_deadline=0
Aug 27 09:21:43 g0n postfix/smtp[5557]: < 178.218.164.164[178.218.164.164]:587: 250 Accepted
Aug 27 09:21:43 g0n postfix/smtp[5557]: smtp_stream_setup: maxtime=120 enable_deadline=0
Aug 27 09:21:43 g0n postfix/smtp[5557]: < 178.218.164.164[178.218.164.164]:587: 354 Enter message, ending with "." on a line by itself
Aug 27 09:21:43 g0n postfix/smtp[5557]: smtp_stream_setup: maxtime=180 enable_deadline=0
Aug 27 09:21:43 g0n postfix/smtp[5557]: > 178.218.164.164[178.218.164.164]:587: .
Aug 27 09:21:43 g0n postfix/smtp[5557]: > 178.218.164.164[178.218.164.164]:587: QUIT
Aug 27 09:21:43 g0n postfix/smtp[5557]: smtp_stream_setup: maxtime=600 enable_deadline=0
Aug 27 09:21:43 g0n postfix/smtp[5557]: < 178.218.164.164[178.218.164.164]:587: 250 OK id=1ZUrTo-0005B3-Tb
Aug 27 09:21:43 g0n postfix/smtp[5557]: 9E95A380067: to=<mailman-request@wireshark.org>, relay=178.218.164.164[178.218.164.164]:587, delay=0.44, delays=0.1/0.02/0.28/0.05, dsn=2.0.0, status=sent (250 OK id=1ZUrTo-0005B3-Tb)
Aug 27 09:21:43 g0n postfix/smtp[5557]: name_mask: resource
Aug 27 09:21:43 g0n postfix/smtp[5557]: name_mask: software
Aug 27 09:21:43 g0n postfix/smtp[5557]: disposing SASL state information
Aug 27 09:21:43 g0n postfix/qmgr[5298]: 9E95A380067: removed
[/code]
So the e-mail was regularly sent.

This is another line from my current domain and site, and mail hub, of my NGO Croatia Fidelis, my hoster, the Plus.hr:
[code]
Aug 27 09:21:43 g0n kernel: [ 4362.024657] mrfw_dropIN=eth1 OUT= MAC=00:0e:2e:a7:7c:55:2c:95:7f:14:4e:c6:08:00 SRC=178.218.164.164 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=587 DPT=42900 WINDOW=0 RES=0x00 RST URGP=0
[/code]
And I don't know (yet) why it was dropped. I have pretty carefully set my iptables, and this should be for a reason. Later, if I do investigate it.

And here soon goes the (I'd think) revealed tiny attempted intrusion. Revealed thanks to my Gentoo grsec-hardened kernel, and my painstaking work to set the RBAC policies on it. Soon. Pretty soon... It takes me so much longer to work through my logs and my accompanying [url=https://github.com/miroR/uncenz]by uncenz program taken traffic and screencasts[/url], for which I might find time, and I might not (this is a huge effort already greater than my available time), to also publish the corresponding sections to this log...

So soon, in the standard output of the getmail command which is next, there will be a foiled (IIUC) intrusion attempt:
[code]
Aug 27 09:22:01 g0n kernel: [ 4380.899811] grsec: (miro:U:/) exec of /usr/lib64/python-exec/python-exec2 (getmail --fingerprint -r config/mirorovis@croatiafidelishr ) by /usr/lib64/python-exec/python-exec2[bash:5559] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:01 g0n kernel: [ 4380.902079] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) exec of /usr/lib64/python-exec/python2.7/getmail (/usr/bin/getmail --fingerprint -r config/mirorovis@croatiafidelishr ) by /usr/lib64/python-exec/python2.7/getmail[getmail:5559] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:01 g0n kernel: [ 4380.902367] grsec: (miro:U:/) exec of /bin/date (date +%y%m%d_%H%M%S ) by /bin/date[bash:5561] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5560] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:01 g0n kernel: [ 4380.904978] grsec: (miro:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[bash:5564] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5560] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:01 g0n kernel: [ 4380.908089] grsec: (miro:U:/usr/bin/tee) exec of /usr/bin/tee (tee .getmail/log/getmail_150827_092201_g0n.log ) by /usr/bin/tee[bash:5560] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:02 g0n kernel: [ 4380.972664] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) denied connect() to 127.0.0.1 port 0 sock type dgram protocol udp by /usr/lib64/python-exec/python2.7/getmail[getmail:5559] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:02 g0n kernel: [ 4380.972679] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) denied connect() to 192.168.3.4 port 0 sock type dgram protocol udp by /usr/lib64/python-exec/python2.7/getmail[getmail:5559] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:02 g0n kernel: [ 4380.972939] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) denied connect() to 127.0.0.1 port 0 sock type dgram protocol udp by /usr/lib64/python-exec/python2.7/getmail[getmail:5559] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:02 g0n kernel: [ 4380.972948] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) denied connect() to 192.168.3.4 port 0 sock type dgram protocol udp by /usr/lib64/python-exec/python2.7/getmail[getmail:5559] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
[/code]
No, this is not yet it. I can see in my Screen_150827_0855_g0n.mkv (and sure the dump_150827_0855_g0n.pcap will confirm, by the way, lest I not be accused of inventing:
d41aa17f8129b5dcbbefac0b854a08bba7708f44f14f96bc7e9f3be7ab7687bf  dump_150827_0855_g0n.pcap
9c075385b2e9d43ebaf419cec7f57f8f49741cb60115251ea20fa03037723134  Screen_150827_0855_g0n_HERE.mkv
544b93366e9236a619794b78454e744b6a0e738092b286be4bddf5527fa9781d  Screen_150827_0855_g0n.mkv
where the one with the infix HERE is the crux-of-the-matter section, the other Screen_ and the dump_ are complete --but the complete Screen_..., I wouldn't currently have where to post it: too big.
)
That one above was because I didn't type the password in correctly ;-) .

This getmail execution is the one:
[code]
Aug 27 09:22:02 g0n kernel: [ 4380.973089] grsec: more alerts, logging disabled for 10 seconds
Aug 27 09:22:19 g0n kernel: [ 4397.975307] grsec: (miro:U:/) exec of /usr/lib64/python-exec/python-exec2 (getmail --fingerprint -r config/mirorovis@croatiafidelishr ) by /usr/lib64/python-exec/python-exec2[bash:5566] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:19 g0n kernel: [ 4397.976729] grsec: (miro:U:/) exec of /bin/date (date +%y%m%d_%H%M%S ) by /bin/date[bash:5568] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5567] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:19 g0n kernel: [ 4397.977799] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) exec of /usr/lib64/python-exec/python2.7/getmail (/usr/bin/getmail --fingerprint -r config/mirorovis@croatiafidelishr ) by /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:19 g0n kernel: [ 4397.980841] grsec: (miro:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[bash:5570] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5567] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:19 g0n kernel: [ 4397.991701] grsec: (miro:U:/usr/bin/tee) exec of /usr/bin/tee (tee .getmail/log/getmail_150827_092218_g0n.log ) by /usr/bin/tee[bash:5567] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
[/code]
The above are the commands logged (thanks to the exec_logging functionality of grsec), executed with the command lines, as you (I will, I decide now, I will post those dump_ and Screen_...HERE, as I hope it will help newbies to understand --I'm always about getting really good things to people and about freedom)

And I wonder why I have maildrop trying to connect where I don't remember setting it to connect to: 127.0.0.1 and 192.168.3.4, the second being the [url=https://forums.gentoo.org/viewtopic-t-999436.html]not-used SOHO by this online-only clone of same hardware only-SOHO master box[/url], but it is, this part, likely innocuous:
[code]
Aug 27 09:22:19 g0n kernel: [ 4398.049173] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) denied connect() to 127.0.0.1 port 0 sock type dgram protocol udp by /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:19 g0n kernel: [ 4398.049185] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) denied connect() to 192.168.3.4 port 0 sock type dgram protocol udp by /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:19 g0n kernel: [ 4398.049426] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) denied connect() to 127.0.0.1 port 0 sock type dgram protocol udp by /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:19 g0n kernel: [ 4398.049436] grsec: (miro:U:/usr/lib64/python-exec/python2.7/getmail) denied connect() to 192.168.3.4 port 0 sock type dgram protocol udp by /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31231] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:19 g0n kernel: [ 4398.049575] grsec: more alerts, logging disabled for 10 seconds
[/code]

Here's the actual work of the maildrop to which the mail was handed over by getmail, for which the command was issued further above.
[code]
Aug 27 09:22:31 g0n kernel: [ 4410.036436] grsec: (miro:U:/usr/bin/maildrop) exec of /usr/bin/maildrop (/usr/bin/maildrop ) by /usr/bin/maildrop[getmail:5573] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.043852] grsec: (miro:U:/usr/bin/maildrop) chdir to /home/miro by /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.044841] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c test -d $DEFAULT ) by /bin/bash[maildrop:5577] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.047697] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c reformail -u'X-getmail-retrieved-from-mailbox: .*' ) by /bin/bash[maildrop:5578] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.049239] grsec: (miro:U:/) exec of /usr/bin/reformail (reformail -uX-getmail-retrieved-from-mailbox: .* ) by /usr/bin/reformail[bash:5578] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.052270] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c ${REFORMAIL} -D 524288 $HOME/.duplicate.cache ) by /bin/bash[maildrop:5579] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.054263] grsec: (miro:U:/) exec of /usr/bin/reformail (/usr/bin/reformail -D 524288 /home/miro/.duplicate.cache ) by /usr/bin/reformail[bash:5579] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.059623] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c echo $MYFOLDERDOT|sed 's/\.//g' ) by /bin/bash[maildrop:5580] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.061999] grsec: (miro:U:/) exec of /bin/sed (sed s/\.//g ) by /bin/sed[bash:5582] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5580] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.064255] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c test -d ${FOLDERS}$F2MKlevel1 ) by /bin/bash[maildrop:5583] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.070995] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c echo $LISTNAMEDOT|sed 's/\.//g' ) by /bin/bash[maildrop:5584] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.073340] grsec: (miro:U:/) exec of /bin/sed (sed s/\.//g ) by /bin/sed[bash:5586] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5584] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.075230] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c test -d ${FOLDERS}${MYFOLDER}.${F2MKlevel2} ) by /bin/bash[maildrop:5587] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5573] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.257453] grsec: (miro:U:/usr/bin/maildrop) exec of /usr/bin/maildrop (/usr/bin/maildrop ) by /usr/bin/maildrop[getmail:5588] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.260096] grsec: (miro:U:/usr/bin/maildrop) chdir to /home/miro by /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.261346] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c test -d $DEFAULT ) by /bin/bash[maildrop:5589] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.267861] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c reformail -u'X-getmail-retrieved-from-mailbox: .*' ) by /bin/bash[maildrop:5590] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.271420] grsec: (miro:U:/) exec of /usr/bin/reformail (reformail -uX-getmail-retrieved-from-mailbox: .* ) by /usr/bin/reformail[bash:5590] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.275090] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c ${REFORMAIL} -D 524288 $HOME/.duplicate.cache ) by /bin/bash[maildrop:5591] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.277299] grsec: (miro:U:/) exec of /usr/bin/reformail (/usr/bin/reformail -D 524288 /home/miro/.duplicate.cache ) by /usr/bin/reformail[bash:5591] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.282716] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c echo $MYFOLDERDOT|sed 's/\.//g' ) by /bin/bash[maildrop:5592] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.284734] grsec: (miro:U:/) exec of /bin/sed (sed s/\.//g ) by /bin/sed[bash:5594] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5592] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.286185] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c test -d ${FOLDERS}$F2MKlevel1 ) by /bin/bash[maildrop:5595] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.288187] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c echo $LISTNAMEDOT|sed 's/\.//g' ) by /bin/bash[maildrop:5596] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.290713] grsec: (miro:U:/) exec of /bin/sed (sed s/\.//g ) by /bin/sed[bash:5598] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5596] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.292313] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c test -d ${FOLDERS}${MYFOLDER}.${F2MKlevel2} ) by /bin/bash[maildrop:5599] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5588] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.439346] grsec: (miro:U:/usr/bin/maildrop) exec of /usr/bin/maildrop (/usr/bin/maildrop ) by /usr/bin/maildrop[getmail:5600] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.451232] grsec: (miro:U:/usr/bin/maildrop) chdir to /home/miro by /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/python-exec/python2.7/getmail[getmail:5566] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.452916] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c test -d $DEFAULT ) by /bin/bash[maildrop:5601] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.456616] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c reformail -u'X-getmail-retrieved-from-mailbox: .*' ) by /bin/bash[maildrop:5602] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.458362] grsec: (miro:U:/) exec of /usr/bin/reformail (reformail -uX-getmail-retrieved-from-mailbox: .* ) by /usr/bin/reformail[bash:5602] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.464238] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c ${REFORMAIL} -D 524288 $HOME/.duplicate.cache ) by /bin/bash[maildrop:5603] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.465971] grsec: (miro:U:/) exec of /usr/bin/reformail (/usr/bin/reformail -D 524288 /home/miro/.duplicate.cache ) by /usr/bin/reformail[bash:5603] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.471626] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c echo $MYFOLDERDOT|sed 's/\.//g' ) by /bin/bash[maildrop:5604] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.473651] grsec: (miro:U:/) exec of /bin/sed (sed s/\.//g ) by /bin/sed[bash:5606] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5604] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.482112] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c test -d ${FOLDERS}$F2MKlevel1 ) by /bin/bash[maildrop:5607] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.488103] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c echo $LISTNAMEDOT|sed 's/\.//g' ) by /bin/bash[maildrop:5608] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.490498] grsec: (miro:U:/) exec of /bin/sed (sed s/\.//g ) by /bin/sed[bash:5610] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5608] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.492418] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c test -d ${FOLDERS}${MYFOLDER}.${F2MKlevel2} ) by /bin/bash[maildrop:5611] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.494476] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c ${MAILDIRMAKE} -f "${MYFOLDER}.${F2MKlevel2}" "$DEFAULT" ) by /bin/bash[maildrop:5612] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.506138] grsec: (miro:U:/) exec of /usr/bin/maildirmake (/usr/bin/maildirmake -f mirorovis@croatiafidelishr.mailmanwiresharkorg /home/miro/Maildir ) by /usr/bin/maildirmake[bash:5612] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.520944] grsec: (miro:U:/bin/bash) exec of /bin/bash (bash -c ${ECHO} "$NEWFOLDERMSG" | ${MAIL} -s "$NEWFOLDERMSG" $LOGNAME ) by /bin/bash[maildrop:5613] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/maildrop[maildrop:5600] uid/euid:1000/1000 gid/egid:1000/1000
Aug 27 09:22:31 g0n kernel: [ 4410.527213] grsec: (miro:U:/) exec of /bin/echo (/bin/echo /home/miro/Maildir/.mirorovis@croatiafidelishr.mailmanwiresharkorg list folder created ) by /bin/echo[bash:5614] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5613] uid/euid:1000/1000 gid/egid:1000/1000
[/code]

The last line above is something that I had set in the maildrop configuration, the call for maildirmake. And I programmed with maildir configs the line below! See, in this whole log, there is only one instance of calling /usr/bin/mail...

And it dawned on me here that I wasn't looking at an intrusion attempt, but... But at a new RBAC policy tweak that was missing on my part. So before preparing more for posting, here is what I wrote in the meantime:

http://sourceforge.net/p/courier/mailma ... /34410651/

and the third post on Gentoo Forums:

2yrs old maildrop still in portage, OK?
https://forums.gentoo.org/viewtopic-t-1 ... ml#7805476

I'll continue in the next post
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: I need to fix RBAC policy for maildrop

Postby timbgo » Thu Aug 27, 2015 12:31 pm

How maildrop is set to send mail, and why, you can see in the old .mailfilter which I posted two yrs ago (and the know-how is the same, so the old maildrop is fine for understanding the concept)... Let's find it...

You can go from here:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-9 ... ml#7613902

but better either:

Namespace with/without on dovecot server on/off and issues
https://www.mail-archive.com/mutt-users ... 47118.html

or:

Dovecot namespace solved while writing; preparing to refilter
http://www.dovecot.org/list/dovecot/201 ... 92842.html

There are newer ones that I posted, the .mailfilter file with includes, but I can't find them right now.

There is in all those a line such as:

[code]
...
 `${ECHO} "$NEWFOLDERMSG" | ${MAIL} -s "$NEWFOLDERMSG" $LOGNAME`
...
[/code]


or:
[code]
        # notify the user when new folders are created
        NEWFOLDERMSG="${FOLDERS} folder created"
        `${ECHO} "$NEWFOLDERMSG" | ${MAIL} -s "$NEWFOLDERMSG" $LOGNAME`
[/code]

which calls sendmail, as in the log in the previous post.

I need to give the permission to maildrop to call sendmail, and then I won't have this issue anymore.

But I need some rest first.

I hope this post helps newbies (at least a little) in understanding how to use logs to understand what happens in their systems, and then how to use the logs to fix RBAC policies.

I may not complete this topic soon, but the most important part is there, concerning my previous quest that went partly in the wrong direction, as seen from the Maildir ML and Gentoo Forums topic.

Regards!

Miroslav Rovis
http://www.CroatiaFidelis.hr
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia
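An added example, not code from the thread or from grsecurity: a small Python parser for the exec_logging, audit_chdir and denied-connect() records quoted in the posts above. It pulls out the policy denials, reconstructs which program image execs which (the list a subject in /etc/grsec/policy must be allowed to run) and walks a pid back up to the getmail that started it. The sample lines are constructed from the record format shown in the posts, and every function name is my own.

```python
import re
from collections import defaultdict

# Shape of the grsec RBAC audit records quoted in this thread: a
# "(user:roletype:subject)" triple, the event text, the acting process as
# "/exe[comm:pid]" with its ids, and the parent as "/exe[comm:pid]".  In an
# exec record "exe" is already the new image while "comm" still carries the
# old name (e.g. /bin/bash[maildrop:5613] is a maildrop fork that ran bash).
RECORD_RE = re.compile(
    r"grsec: \((?P<user>[^:()]+):(?P<roletype>[A-Z]):(?P<subject>[^()]+)\) "
    r"(?P<event>.+?) by (?P<exe>\S+)\[(?P<comm>[^\[\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+)\[(?P<pcomm>[^\[\]:]+):(?P<ppid>\d+)\]"
)
EXEC_RE = re.compile(r"^exec of (?P<path>\S+) \((?P<argv>.*?) ?\)$")
CHDIR_RE = re.compile(r"^chdir to (?P<path>\S+)$")
DENIED_RE = re.compile(r"^denied (?P<op>\S+) to (?P<target>.+)$")

def parse_line(line):
    """One syslog line -> record dict, or None for lines that are not RBAC
    audit records (postfix chatter, 'more alerts, logging disabled ...')."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "ppid", "uid", "euid", "gid", "egid"):
        rec[key] = int(rec[key])
    event = rec["event"]
    e, c, d = EXEC_RE.match(event), CHDIR_RE.match(event), DENIED_RE.match(event)
    if e:
        rec.update(kind="exec", path=e["path"], argv=e["argv"])
    elif c:
        rec.update(kind="chdir", path=c["path"])
    elif d:
        rec.update(kind="denied", op=d["op"], target=d["target"])
    else:
        rec["kind"] = "other"
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def denials(records):
    """Unique (subject, operation, target) triples the policy refused: the
    first thing to look at when a program starts failing under gradm -E."""
    out = []
    for r in records:
        if r["kind"] == "denied":
            key = (r["subject"], r["op"], r["target"])
            if key not in out:
                out.append(key)
    return out

def execs_by_caller(records):
    """Map each program image to the binaries it execs, i.e. what its subject
    must be allowed to execute.  The record names only the new image, so the
    caller is reconstructed: a pid's image before an exec is its own previous
    exec or, for a fresh fork, the parent's image.  Pid reuse and the
    'logging disabled for 10 seconds' gaps can blur this: a checklist, not proof."""
    last_image, out = {}, defaultdict(set)
    for r in records:
        if r["kind"] == "exec":
            caller = last_image.get(r["pid"], r["pexe"])
            out[caller].add(r["path"])
            last_image[r["pid"]] = r["path"]
    return {k: sorted(v) for k, v in out.items()}

def ancestry(records, pid):
    """Chain of images from pid up to the oldest ancestor the log knows."""
    image, parent = {}, {}
    for r in records:
        image[r["pid"]], parent[r["pid"]] = r["exe"], r["ppid"]
        image.setdefault(r["ppid"], r["pexe"])
    chain, seen = [], set()
    while pid in image and pid not in seen:
        seen.add(pid)
        chain.append(image[pid])
        pid = parent.get(pid)
    return chain

# Constructed sample, modelled on the lines quoted in the thread: a maildrop
# run that creates a folder and mails a notice, plus a getmail UDP denial.
_K = "Aug 27 09:22:31 g0n kernel: [ 4410.4] grsec: "
_IDS = " uid/euid:1000/1000 gid/egid:1000/1000"
SAMPLE_LOG = "\n".join([
    _K + "(miro:U:/usr/bin/maildrop) exec of /usr/bin/maildrop (/usr/bin/maildrop ) by /usr/bin/maildrop[getmail:5600]"
    + _IDS + ", parent /usr/lib64/python-exec/python2.7/getmail[getmail:5566]" + _IDS,
    _K + "(miro:U:/usr/bin/maildrop) chdir to /home/miro by /usr/bin/maildrop[maildrop:5600]"
    + _IDS + ", parent /usr/lib64/python-exec/python2.7/getmail[getmail:5566]" + _IDS,
    _K + "(miro:U:/bin/bash) exec of /bin/bash (bash -c reformail -u'X-getmail-retrieved-from-mailbox: .*' ) by "
    "/bin/bash[maildrop:5602]" + _IDS + ", parent /usr/bin/maildrop[maildrop:5600]" + _IDS,
    _K + "(miro:U:/) exec of /usr/bin/reformail (reformail -uX-getmail-retrieved-from-mailbox: .* ) by "
    "/usr/bin/reformail[bash:5602]" + _IDS + ", parent /usr/bin/maildrop[maildrop:5600]" + _IDS,
    _K + '(miro:U:/bin/bash) exec of /bin/bash (bash -c ${ECHO} "$NEWFOLDERMSG" | ${MAIL} -s "$NEWFOLDERMSG" $LOGNAME ) by '
    "/bin/bash[maildrop:5613]" + _IDS + ", parent /usr/bin/maildrop[maildrop:5600]" + _IDS,
    _K + "(miro:U:/) exec of /bin/echo (/bin/echo /home/miro/Maildir/.list folder created ) by "
    "/bin/echo[bash:5614]" + _IDS + ", parent /bin/bash[bash:5613]" + _IDS,
    _K + "(miro:U:/usr/lib64/python-exec/python2.7/getmail) denied connect() to 127.0.0.1 port 0 sock type dgram "
    "protocol udp by /usr/lib64/python-exec/python2.7/getmail[getmail:5566]" + _IDS + ", parent /bin/bash[bash:31231]" + _IDS,
    _K + "more alerts, logging disabled for 10 seconds",
])
```

Run over a real /var/log/messages, execs_by_caller() tells you which subject needs an x entry for which binary (here: maildrop runs bash, bash runs echo and reformail, and the ${MAIL} call that was missing from the policy would show up the same way), and denials() lists what the policy actually refused.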

Re: I need to fix RBAC policy for maildrop

Postby timbgo » Tue Sep 22, 2015 10:47 am

For the following real excerpt out of my /var/log/messages (well, except for replacing my username with ukra, short for ukrainian), I used, in Vim, this command, which got rid of, as it happens, 740 lines (it's mostly Vim changing dir, and it does it a lot, and I have the audit_chdir on, along with exec_logging; newbies: find it in the Help in your kernel, under grsecurity)
[code]
:%s/.*chdir to \/root by \/usr\/bin\/vim.*\n\|.*chdir to \/etc\/vim by \/usr\/bin\/vim.*\n\|.*chdir to \/usr\/share\/vim.*\n//gc
[/code]

I didn't mark with ...[cut XX lines out]... No time.
But I then removed other stuff, such as after I issued the command:
[code]
# /etc/init.d/syslog-ng restart ; /etc/init.d/dcron restart ; /etc/init.d/postfix restart ;
[/code]

which for some arcane reason I need to do after first:
[code]
# gradm -D
[/code]

and, second, updating my /etc/grsec/policy with the new copy with the new entries, in this case, with the policy for /usr/bin/mail, and then, third, re-enabling gradm:
[code]
# gradm -E
[/code]


I was saying [I then removed other stuff], which is not of much concern here, such as the huge logging of all the exec'ing and chdir's by those restarting of the syslog-ng, dcron and postfix services, from the real excerpt from my /var/log/messages.

I mostly didn't mark those places with ...[cut XX lines out]... No time.


What you'll see in the < 40k excerpt from the log that follows last in, no: I decide now, in the next post, standalone, however, corresponds to what I was trying in this terminal that I am, before posting that log, pasting in here...

The log in the next post, again, corresponds to what I was trying here, and each time I edited and updated with new version my /etc/grsec/policy, things here, and in the corresponding log, changed:
Code: Select all
ukra@box ~ $ MAIL="/usr/bin/mail"
ukra@box ~ $ echo $MAIL
/usr/bin/mail
ukra@box ~ $ echo "Trying things" | $MAIL -s "Trying things
> 2^C
ukra@box ~ $ echo "Trying things" | $MAIL -s "Trying things" $LOGNAME
mail: /usr/sbin/sendmail: Permission denied
Can't send mail: sendmail process failed with error code 1
ukra@box ~ $ echo "Trying things" | mail -s "Trying things" $LOGNAME
mail: /usr/sbin/sendmail: Permission denied
Can't send mail: sendmail process failed with error code 1
ukra@box ~ $ echo "Trying things" | mail -s "Trying things" ukra
mail: /usr/sbin/sendmail: Permission denied
Can't send mail: sendmail process failed with error code 1
ukra@box ~ $ mail -s "Trying things" ukra
asdfasf
Cc: ^C
(Interrupt -- one more to kill letter)
Cc:
mail: /usr/sbin/sendmail: Permission denied
Can't send mail: sendmail process failed with error code 1
ukra@box ~ $ man mail
ukra@box ~ $ mail -s "Trying things" ukra



~                                                                                                   

~                                                                                                   

adf

asdfadf
Cc:

 which mail: /usr/sbin/sendmail: Permission denied
Can't send mail: sendmail process failed with error code 1
ukra@box ~ $ mail -s "Trying things" ukra
bash: /usr/bin/mail: No such file or directory
ukra@box ~ $ mail -s "Trying things" ukra
bash: /usr/bin/mail: No such file or directory
ukra@box ~ $ mail -s "Trying things" ukra
mail: error while loading shared libraries: liblockfile.so.1: cannot open shared object file: Permission denied
ukra@box ~ $
ukra@box ~ $
ukra@box ~ $ mail -s "Trying things" ukra
mail: error while loading shared libraries: liblockfile.so.1: cannot open shared object file: Permission denied
ukra@box ~ $
ukra@box ~ $
ukra@box ~ $ mail -s "Trying things" ukra
mail: /tmp/mail.RsXXXXOYgAzX: No such file or directory
ukra@box ~ $ mail -s "Trying things" ukra
aasdfasf
ff

EOT
ukra@box ~ $ mail -s "Trying things" ukra
afa
afasdf

asdf

EOT
ukra@box ~ $


To cut it short, the last two attempts at sending (local) mail were both successful; only postfix's services, from qmgr to sendmail, wouldn't send it without the restart mentioned above.

So both the bottom ones have arrived. Have a look:
Code: Select all
  34     15-09-22 ukra@localdomai (0.1K) Trying things
  35     15-09-22 ukra@localdomai (0.1K) Trying things
-*-Mutt: ~/Maildir/ [Msgs:35 New:2 Old:1 Flag:2 Post:51 Inc:69 2
Return-Path: <ukra@localdomain>
X-Original-To: ukra
Delivered-To: ukra@localdomain
Received: by gbn.localdomain (Postfix, from userid 1000)
id 598DE3810FA; Tue, 22 Sep 2015 14:49:20 +0200 (CEST)
To: ukra@localdomain
Subject: Trying things
Message-Id: <20150922124920.598DE3810FA@gbn.localdomain>
Date: Tue, 22 Sep 2015 14:49:20 +0200 (CEST)
From: ukra@localdomain

aasdfasf
ff






-   - 34/35: ukra@localdomain       Trying things       -- (all)

and:
Code: Select all
  35     15-09-22 ukra@localdomai (0.1K) Trying things
-*-Mutt: ~/Maildir/ [Msgs:35 New:2 Old:1 Flag:2 Post:51 Inc:69 2
Return-Path: <ukra@localdomain>
X-Original-To: ukra
Delivered-To: ukra@localdomain
Received: by gbn.localdomain (Postfix, from userid 1000)
id 79A05381566; Tue, 22 Sep 2015 14:50:17 +0200 (CEST)
To: ukra@localdomain
Subject: Trying things
Message-Id: <20150922125017.79A05381566@gbn.localdomain>
Date: Tue, 22 Sep 2015 14:50:17 +0200 (CEST)
From: ukra@localdomain

afa
afasdf

asdf




-   - 35/35: ukra@localdomain       Trying things       -- (all)


And only in the third post will be the new entry for role ukrainian, subject /usr/bin/mail, so newbies can first try and think about what needs to be done, and only then look up my solution.
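Added example, not part of the thread and not grsecurity's or gradm's own code: a small Python triage script for the exercise the post above sets (look at the "denied ..." lines and work out what the subject needs before reading the solution). It reads grsec RBAC log lines in the format this thread shows, groups the denials by (role, subject), and prints candidate object lines in gradm's `<path> <modes>` syntax for a human to review. The mode letters it proposes are assumptions to be checked against what the program really needs: r for a hidden-file or read denial, w for a write denial, x for an execution denial. A uid-change denial (the crond puzzle in the next post) is reported separately because it is not a file object, and the "more alerts, logging disabled" notice is counted so you know the list is incomplete and another gradm -D, edit, gradm -E round is needed. The sample lines are taken from this thread's own logs, trimmed of the "parent ..." tail.

```python
"""Triage grsecurity RBAC denial messages into a review list of candidate
policy objects, grouped by (role, subject).

Added example, not code from the thread or from grsecurity/gradm. The line
format is the one the thread's logs show; the mode letters suggested here
(r, w, x) are only a starting point for a human to review, never to apply
blindly: granting every denied path defeats the point of the policy.
"""
import re
import sys

# Shared shape of RBAC lines: "grsec: (role:type:subject) <message> by|for <binary>[comm:pid] ..."
RBAC_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"(?P<msg>.*?) (?:by|for) (?P<binary>\S+)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\]"
)
HIDDEN_RE = re.compile(r"^denied access to hidden file (?P<path>\S+)$")
OPEN_RE = re.compile(r"^denied open of (?P<path>\S+) for (?P<how>[a-z ]+)$")
EXEC_RE = re.compile(r"^denied execution of (?P<path>\S+)$")
SUPPRESS_MARK = "more alerts, logging disabled"


def classify(msg):
    """Map a file-object denial message to (path, modes); None for anything else."""
    m = HIDDEN_RE.match(msg)
    if m:
        # No object grants the subject any access to this path. Start from
        # read; a directory the program creates temp files in (the thread's
        # /tmp case) will need more, and the next run's denials will show it.
        return m.group("path"), {"r"}
    m = OPEN_RE.match(msg)
    if m:
        modes = set()
        if "reading" in m.group("how"):
            modes.add("r")
        if "writing" in m.group("how"):
            modes.add("w")
        return m.group("path"), modes or {"r"}
    m = EXEC_RE.match(msg)
    if m:
        return m.group("path"), {"x"}
    return None


def triage(lines):
    """Group denials by (role, subject). Returns file-object candidates, other
    denials, and how many 'logging disabled' notices (rate limiting) were seen."""
    objects, other, suppressed = {}, [], 0
    for line in lines:
        if SUPPRESS_MARK in line:
            suppressed += 1
            continue
        m = RBAC_RE.search(line)
        if not m:
            continue
        key = (m.group("role"), m.group("subject"))
        hit = classify(m.group("msg"))
        if hit:
            path, modes = hit
            objects.setdefault(key, {}).setdefault(path, set()).update(modes)
        elif "denied" in m.group("msg"):
            # e.g. "change to uid 0 denied": not a file object, review by hand
            other.append((key, m.group("msg")))
    return {"objects": objects, "other": other, "suppressed": suppressed}


def render_candidates(report):
    """Candidate object lines in gradm's '<path> <modes>' syntax, per subject."""
    out = []
    for (role, subject), objs in sorted(report["objects"].items()):
        out.append(f"# role {role}, subject {subject}: candidates, review before adding")
        out.extend(f"{path} {''.join(sorted(modes))}" for path, modes in sorted(objs.items()))
    for (role, subject), msg in report["other"]:
        out.append(f"# role {role}, subject {subject}: '{msg}' is not a file-object denial, review by hand")
    if report["suppressed"]:
        out.append(f"# {report['suppressed']} rate-limit notice(s): some denials were never logged, re-test after each fix")
    return "\n".join(out)


# Sample input: lines from the thread's own logs, trimmed of the "parent ..." tail.
SAMPLE_LOG = """\
Sep 22 14:35:22 gbn kernel: [373415.495727] grsec: (ukra:U:/) denied execution of /usr/sbin/sendmail by /usr/bin/mail[mail:7814] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:40:01 gbn kernel: [373694.916145] grsec: (root:U:/usr/sbin/crond) change to uid 0 denied for /usr/sbin/crond[crond:7825] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:58 gbn kernel: [373871.837022] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /etc/ld.so.cache by /usr/bin/mail[mail:7855] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:42:58 gbn kernel: [373871.837248] grsec: more alerts, logging disabled for 10 seconds
Sep 22 14:45:01 gbn kernel: [373995.452772] grsec: (ukra:U:/usr/bin/mail) denied open of /usr/lib64/liblockfile.so.1.0 for reading by /usr/bin/mail[mail:7869] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:45:01 gbn kernel: [373995.452900] grsec: (ukra:U:/usr/bin/mail) denied open of /usr/lib64/liblockfile.so.1.0 for reading by /usr/bin/mail[mail:7869] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:46:43 gbn kernel: [374097.452398] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /etc/mail.rc by /usr/bin/mail[mail:7884] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:46:43 gbn kernel: [374097.452534] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /tmp by /usr/bin/mail[mail:7884] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:20 gbn kernel: [374253.940884] grsec: (ukra:U:/usr/sbin/sendmail) exec of /usr/sbin/sendmail (send-mail -i -- ukra ) by /usr/sbin/sendmail[mail:7905] uid/euid:1000/1000 gid/egid:1000/1000
"""

if __name__ == "__main__":
    # Pipe real lines in (grep 'grsec:' /var/log/messages | python3 triage.py)
    # or run with no stdin to triage the sample lines above.
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    print(render_candidates(triage(lines)))
```

The script deliberately does not write to /etc/grsec/policy: the output is a checklist for the gradm -D, edit, gradm -E cycle described above, and each round should shrink it. Repeated identical denials collapse into one candidate, and a denial that shows up under a different subject (here /usr/sbin/sendmail under the catch-all "/" subject) is listed under that subject, which is where the fix belongs.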

Re: I need to fix RBAC policy for maildrop

Postby timbgo » Tue Sep 22, 2015 10:49 am

Code: Select all
Sep 22 14:31:24 gbn kernel: [373177.587684] grsec: (admin:S:/) exec of /usr/bin/vim (vi grsec_150922_gbn_00 ) by /usr/bin/vim[bash:7801] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:31:24 gbn kernel: [373177.940140] grsec: (admin:S:/) chdir to /root/.vim by /usr/bin/vim[vi:7801] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:35 gbn kernel: [373368.892646] grsec: (admin:S:/) exec of /usr/bin/diff (diff grsec_150922_gbn_00 /etc/grsec/policy ) by /usr/bin/diff[bash:7804] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:38 gbn kernel: [373371.547320] grsec: (admin:S:/) exec of /bin/cp (cp -iav grsec_150922_gbn_00 /etc/grsec/policy ) by /bin/cp[bash:7807] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:41 gbn kernel: [373374.800796] grsec: (admin:S:/) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:7808] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:44 gbn kernel: [373377.904698] grsec: shutdown auth success for /sbin/gradm[gradm:7808] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:44 gbn kernel: [373377.913323] grsec: exec of /sbin/grlearn (/sbin/grlearn -stop ) by /sbin/grlearn[gradm:7809] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:46 gbn kernel: [373379.390485] grsec: exec of /sbin/gradm (gradm -E ) by /sbin/gradm[bash:7810] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:46 gbn kernel: [373379.392525] grsec: chdir to /etc/grsec by /sbin/gradm[gradm:7810] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:47 gbn kernel: [373380.515177] grsec: (root:U:/sbin/gradm) grsecurity 3.1 RBAC system loaded by /sbin/gradm[gradm:7810] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:50 gbn kernel: [373383.538945] grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -a admin ) by /sbin/gradm[bash:7811] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0

This one line below is just me mistyping the admin password:
Code: Select all
Sep 22 14:34:53 gbn kernel: [373386.488610] grsec: (root:U:/sbin/gradm) special role admin failure for /sbin/gradm[gradm:7811] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:54 gbn kernel: [373387.519481] grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -a admin ) by /sbin/gradm[bash:7812] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:57 gbn kernel: [373390.246862] grsec: (root:U:/sbin/gradm) successful change to special role admin (id 18) by /sbin/gradm[gradm:7812] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:34:59 gbn kernel: [373392.483517] grsec: (ukra:U:/usr/bin/man) chdir to /home/ukra/Maidir-TMP by /usr/bin/man[man:7739] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:35:01 gbn kernel: [373394.472140] grsec: (ukra:U:/) exec of /usr/bin/mail (mail -s Trying things ukra ) by /usr/bin/mail[bash:7813] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:35:22 gbn kernel: [373415.495727] grsec: (ukra:U:/) denied execution of /usr/sbin/sendmail by /usr/bin/mail[mail:7814] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mail[mail:7813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:39:33 gbn kernel: [373666.412505] grsec: (admin:S:/) exec of /usr/bin/diff (diff grsec_150922_gbn_00 /etc/grsec/policy ) by /usr/bin/diff[bash:7817] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:39:40 gbn kernel: [373674.133265] grsec: (admin:S:/) exec of /bin/ls (ls --color=auto -l grsec_150922_gbn_00 /etc/grsec/policy ) by /bin/ls[bash:7820] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:39:58 gbn kernel: [373692.082799] grsec: (admin:S:/) exec of /bin/cp (cp -iav grsec_150922_gbn_00 /etc/grsec/policy ) by /bin/cp[bash:7821] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:01 gbn kernel: [373694.861349] grsec: (admin:S:/) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:7824] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0

What is below is what still puzzles me. It's not really connected to solving the maildrop sending of mail with my own configuration, but I use the occasion to show what I will need to figure out some day, and can't now. This I don't get, the why of:
Code: Select all
Sep 22 14:40:01 gbn crond[7825]: setreuid failed: root 0
Sep 22 14:40:01 gbn crond[7825]: unable to ChangeUser (user root test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Sep 22 14:40:01 gbn kernel: [373694.916145] grsec: (root:U:/usr/sbin/crond) change to uid 0 denied for /usr/sbin/crond[crond:7825] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:11737] uid/euid:0/0 gid/egid:0/0

These, apart from my comments that you are reading, are chronological; I always try to post real logs. As you can see, cron was, at its time, doing it unsuccessfully exactly when I logged out of the admin role.

The thing is, when I see these lines with "crond[.....]: exit status 1" I know I need to restart syslog-ng, dcron, and postfix, and all works again. What is missing in my /etc/grsec/policy to have this issue?
Code: Select all
Sep 22 14:40:01 gbn crond[11737]: exit status 1 from user root test -x /usr/sbin/run-crons && /usr/sbin/run-crons
Sep 22 14:40:06 gbn kernel: [373699.447790] grsec: shutdown auth success for /sbin/gradm[gradm:7824] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:06 gbn kernel: [373699.448527] grsec: exec of /sbin/grlearn (/sbin/grlearn -stop ) by /sbin/grlearn[gradm:7826] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:07 gbn kernel: [373700.897157] grsec: exec of /sbin/gradm (gradm -E ) by /sbin/gradm[bash:7827] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:07 gbn kernel: [373700.898534] grsec: chdir to /etc/grsec by /sbin/gradm[gradm:7827] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:12 gbn kernel: [373706.038354] grsec: exec of /usr/bin/vim (vi grsec_150922_gbn_00 ) by /usr/bin/vim[bash:7828] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:12 gbn kernel: [373706.069488] grsec: chdir to /root/.vim by /usr/bin/vim[vi:7828] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:42 gbn kernel: [373735.712584] grsec: exec of /bin/cp (cp -iav grsec_150922_gbn_00 /etc/grsec/policy ) by /bin/cp[bash:7830] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:44 gbn kernel: [373737.541783] grsec: exec of /sbin/gradm (gradm -E ) by /sbin/gradm[bash:7833] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:44 gbn kernel: [373737.543837] grsec: chdir to /etc/grsec by /sbin/gradm[gradm:7833] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:40:44 gbn kernel: [373737.592519] grsec: (root:U:/sbin/gradm) grsecurity 3.1 RBAC system loaded by /sbin/gradm[gradm:7833] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0

After this unsuccessful try, I changed a bit in the new RBAC entry for subject /usr/bin/mail (manually, without learning, I did it this time). What needs to be changed/added/whatever?

That question applies to whoever is reading this in their attempt to learn grsecurity RBAC policy deployment, also for the other "...denied..." lines below. Just don't get into all the details too deep; it's the main functionalities, just a few altogether, that will need changing.
Code: Select all
Sep 22 14:40:48 gbn kernel: [373741.329160] grsec: (ukra:U:/usr/bin/mail) exec of /usr/bin/mail (mail -s Trying things ukra ) by /usr/bin/mail[bash:7834] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:40:48 gbn kernel: [373741.329222] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /lib64/ld-2.21.so by /usr/bin/mail[bash:7834] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:40:48 gbn kernel: [373741.329389] grsec: (ukra:U:/bin/bash) denied open of /usr/bin/mail for reading by /bin/bash[bash:7834] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:41:06 gbn kernel: [373759.904725] grsec: (root:U:/bin/bash) denied access to hidden file /usr/share/texmf-dist/scripts/match_parens/match_parens by /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3158] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:41:06 gbn kernel: [373759.904785] grsec: (root:U:/bin/bash) denied access to hidden file /usr/share/texmf-dist/scripts/match_parens/match_parens by /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3158] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:41:06 gbn kernel: [373759.935369] grsec: (root:U:/bin/bash) denied access to hidden file /usr/share/texmf-dist/scripts/mathspic/mathspic.pl by /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3158] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:41:06 gbn kernel: [373759.935430] grsec: (root:U:/bin/bash) denied access to hidden file /usr/share/texmf-dist/scripts/mathspic/mathspic.pl by /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3158] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:41:07 gbn kernel: [373761.233695] grsec: (root:U:/bin/ls) exec of /bin/ls (ls --color=auto -l /usr/bin/mail ) by /bin/ls[bash:7837] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:41:07 gbn kernel: [373761.236380] grsec: more alerts, logging disabled for 10 seconds
Sep 22 14:41:12 gbn kernel: [373765.362215] grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -a admin ) by /sbin/gradm[bash:7838] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:41:15 gbn kernel: [373769.328444] grsec: (admin:S:/) exec of /bin/ls (ls --color=auto -l /usr/bin/mail ) by /bin/ls[bash:7839] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:41:18 gbn kernel: [373771.606422] grsec: (ukra:U:/usr/bin/mail) exec of /usr/bin/mail (mail -s Trying things ukra ) by /usr/bin/mail[bash:7840] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:41:18 gbn kernel: [373771.606484] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /lib64/ld-2.21.so by /usr/bin/mail[bash:7840] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:41:18 gbn kernel: [373771.606652] grsec: (ukra:U:/bin/bash) denied open of /usr/bin/mail for reading by /bin/bash[bash:7840] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:41:44 gbn kernel: [373798.109261] grsec: (root:U:/usr/bin/vim) exec of /usr/bin/vim (vi grsec_150922_gbn_00 ) by /usr/bin/vim[bash:7841] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:41:44 gbn kernel: [373798.141253] grsec: (root:U:/usr/bin/vim) chdir to /root/.vim by /usr/bin/vim[vi:7841] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:30 gbn kernel: [373844.340477] grsec: (admin:S:/) exec of /usr/bin/diff (diff grsec_150922_gbn_00 /etc/grsec/policy ) by /usr/bin/diff[bash:7845] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:35 gbn kernel: [373849.046498] grsec: (admin:S:/) exec of /bin/mv (mv -vi grsec_150922_gbn_00 grsec_150922_gbn_01 ) by /bin/mv[bash:7847] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:44 gbn kernel: [373857.495426] grsec: (admin:S:/) exec of /bin/cp (cp -iav /etc/grsec/policy grsec_150922_gbn_00 ) by /bin/cp[bash:7849] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:48 gbn kernel: [373861.453932] grsec: (admin:S:/) exec of /usr/bin/diff (diff grsec_150922_gbn_01 /etc/grsec/policy ) by /usr/bin/diff[bash:7850] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:50 gbn kernel: [373863.858632] grsec: (admin:S:/) exec of /bin/cp (cp -iav grsec_150922_gbn_01 /etc/grsec/policy ) by /bin/cp[bash:7851] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:52 gbn kernel: [373865.837497] grsec: (admin:S:/) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:7852] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:54 gbn kernel: [373868.387990] grsec: shutdown auth success for /sbin/gradm[gradm:7852] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:54 gbn kernel: [373868.388655] grsec: exec of /sbin/grlearn (/sbin/grlearn -stop ) by /sbin/grlearn[gradm:7853] uid/euid:0/0 gid/egid:0/0, parent /[gradm:7852] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:56 gbn kernel: [373869.477042] grsec: exec of /sbin/gradm (gradm -E ) by /sbin/gradm[bash:7854] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:56 gbn kernel: [373869.479080] grsec: chdir to /etc/grsec by /sbin/gradm[gradm:7854] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:56 gbn kernel: [373869.527315] grsec: (root:U:/sbin/gradm) grsecurity 3.1 RBAC system loaded by /sbin/gradm[gradm:7854] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:42:58 gbn kernel: [373871.836144] grsec: (ukra:U:/usr/bin/mail) exec of /usr/bin/mail (mail -s Trying things ukra ) by /usr/bin/mail[bash:7855] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:42:58 gbn kernel: [373871.837022] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /etc/ld.so.cache by /usr/bin/mail[mail:7855] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:42:58 gbn kernel: [373871.837141] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /lib64 by /usr/bin/mail[mail:7855] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:42:58 gbn kernel: [373871.837248] grsec: more alerts, logging disabled for 10 seconds
Sep 22 14:43:29 gbn kernel: [373902.450169] grsec: (root:U:/usr/bin/vim) exec of /usr/bin/vim (vi grsec_150922_gbn_01 ) by /usr/bin/vim[bash:7856] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:43:29 gbn kernel: [373902.480975] grsec: (root:U:/usr/bin/vim) chdir to /root/.vim by /usr/bin/vim[vi:7856] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:45 gbn kernel: [373979.377688] grsec: (root:U:/usr/bin/diff) exec of /usr/bin/diff (diff grsec_150922_gbn_01 /etc/grsec/policy ) by /usr/bin/diff[bash:7860] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:45 gbn kernel: [373979.380159] grsec: (root:U:/usr/bin/diff) denied access to hidden file /root/grsec_150922_gbn_01 by /usr/bin/diff[diff:7860] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:45 gbn kernel: [373979.380199] grsec: (root:U:/usr/bin/diff) denied access to hidden file /etc/grsec/policy by /usr/bin/diff[diff:7860] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:48 gbn kernel: [373981.747868] grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:7864] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:50 gbn kernel: [373984.349691] grsec: shutdown auth success for /sbin/gradm[gradm:7864] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:50 gbn kernel: [373984.350836] grsec: exec of /sbin/grlearn (/sbin/grlearn -stop ) by /sbin/grlearn[gradm:7865] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:51 gbn kernel: [373985.465996] grsec: exec of /usr/bin/diff (diff grsec_150922_gbn_01 /etc/grsec/policy ) by /usr/bin/diff[bash:7866] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:55 gbn kernel: [373988.547485] grsec: exec of /bin/cp (cp -iav grsec_150922_gbn_01 /etc/grsec/policy ) by /bin/cp[bash:7867] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:57 gbn kernel: [373991.240707] grsec: exec of /sbin/gradm (gradm -E ) by /sbin/gradm[bash:7868] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:57 gbn kernel: [373991.242803] grsec: chdir to /etc/grsec by /sbin/gradm[gradm:7868] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:44:57 gbn kernel: [373991.288071] grsec: (root:U:/sbin/gradm) grsecurity 3.1 RBAC system loaded by /sbin/gradm[gradm:7868] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:45:01 gbn kernel: [373995.451770] grsec: (ukra:U:/usr/bin/mail) exec of /usr/bin/mail (mail -s Trying things ukra ) by /usr/bin/mail[bash:7869] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:45:01 gbn kernel: [373995.452772] grsec: (ukra:U:/usr/bin/mail) denied open of /usr/lib64/liblockfile.so.1.0 for reading by /usr/bin/mail[mail:7869] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:45:01 gbn kernel: [373995.452900] grsec: (ukra:U:/usr/bin/mail) denied open of /usr/lib64/liblockfile.so.1.0 for reading by /usr/bin/mail[mail:7869] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:45:34 gbn kernel: [374028.417661] grsec: (root:U:/bin/cp) exec of /bin/cp (cp -aiv grsec_150922_gbn_01 grsec_150922_gbn_02 ) by /bin/cp[bash:7870] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:45:42 gbn kernel: [374036.054791] grsec: (root:U:/usr/bin/vim) exec of /usr/bin/vim (vi grsec_150922_gbn_02 ) by /usr/bin/vim[bash:7873] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:45:42 gbn kernel: [374036.086652] grsec: (root:U:/usr/bin/vim) chdir to /root/.vim by /usr/bin/vim[vi:7873] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3410] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:22 gbn kernel: [374076.076560] grsec: (root:U:/bin/cp) exec of /bin/cp (cp -iav grsec_150922_gbn_02 /etc/grsec/policy ) by /bin/cp[bash:7875] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:22 gbn kernel: [374076.079111] grsec: (root:U:/bin/cp) denied access to hidden file /etc/grsec/policy by /bin/cp[cp:7875] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:22 gbn kernel: [374076.079177] grsec: (root:U:/bin/cp) denied access to hidden file /etc/grsec/policy by /bin/cp[cp:7875] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:22 gbn kernel: [374076.079616] grsec: (root:U:/bin/cp) denied access to hidden file /etc/grsec by /bin/cp[cp:7875] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:27 gbn kernel: [374080.823631] grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:7878] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:30 gbn kernel: [374083.762925] grsec: shutdown auth success for /sbin/gradm[gradm:7878] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:30 gbn kernel: [374083.763666] grsec: exec of /sbin/grlearn (/sbin/grlearn -stop ) by /sbin/grlearn[gradm:7879] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:31 gbn kernel: [374084.686737] grsec: exec of /bin/cp (cp -iav grsec_150922_gbn_02 /etc/grsec/policy ) by /bin/cp[bash:7880] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:33 gbn kernel: [374087.445875] grsec: exec of /usr/bin/diff (diff grsec_150922_gbn_02 /etc/grsec/policy ) by /usr/bin/diff[bash:7881] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:35 gbn kernel: [374088.695168] grsec: exec of /bin/cp (cp -iav grsec_150922_gbn_02 /etc/grsec/policy ) by /bin/cp[bash:7882] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:41 gbn kernel: [374094.599675] grsec: exec of /sbin/gradm (gradm -E ) by /sbin/gradm[bash:7883] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:41 gbn kernel: [374094.601716] grsec: chdir to /etc/grsec by /sbin/gradm[gradm:7883] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:41 gbn kernel: [374094.646091] grsec: (root:U:/sbin/gradm) grsecurity 3.1 RBAC system loaded by /sbin/gradm[gradm:7883] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:46:43 gbn kernel: [374097.450125] grsec: (ukra:U:/usr/bin/mail) exec of /usr/bin/mail (mail -s Trying things ukra ) by /usr/bin/mail[bash:7884] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:46:43 gbn kernel: [374097.452398] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /etc/mail.rc by /usr/bin/mail[mail:7884] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:46:43 gbn kernel: [374097.452534] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /tmp by /usr/bin/mail[mail:7884] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:47:15 gbn kernel: [374129.265776] grsec: (root:U:/bin/cp) exec of /bin/cp (cp -aiv grsec_150922_gbn_02 grsec_150922_gbn_03 ) by /bin/cp[bash:7885] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:47:59 gbn kernel: [374172.737075] grsec: (root:U:/usr/bin/diff) exec of /usr/bin/diff (diff grsec_150922_gbn_02 grsec_150922_gbn_03 ) by /usr/bin/diff[bash:7888] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:47:59 gbn kernel: [374172.739487] grsec: (root:U:/usr/bin/diff) denied access to hidden file /root/grsec_150922_gbn_02 by /usr/bin/diff[diff:7888] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:47:59 gbn kernel: [374172.739524] grsec: (root:U:/usr/bin/diff) denied access to hidden file /root/grsec_150922_gbn_03 by /usr/bin/diff[diff:7888] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:48:02 gbn kernel: [374176.172313] grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:7891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:48:05 gbn kernel: [374178.906525] grsec: shutdown auth success for /sbin/gradm[gradm:7891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:48:05 gbn kernel: [374178.907180] grsec: exec of /sbin/grlearn (/sbin/grlearn -stop ) by /sbin/grlearn[gradm:7892] uid/euid:0/0 gid/egid:0/0, parent /[gradm:7891] uid/euid:0/0 gid/egid:0/0
Sep 22 14:48:06 gbn kernel: [374179.731402] grsec: exec of /usr/bin/diff (diff grsec_150922_gbn_02 grsec_150922_gbn_03 ) by /usr/bin/diff[bash:7893] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:48:11 gbn kernel: [374185.313246] grsec: exec of /bin/ls (ls --color=auto -l grsec_150922_gbn_02 grsec_150922_gbn_03 ) by /bin/ls[bash:7894] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:48:23 gbn kernel: [374196.963354] grsec: exec of /bin/mv (mv -iv grsec_150922_gbn_02 /etc/grsec/policy ) by /bin/mv[bash:7895] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:48:31 gbn kernel: [374204.859847] grsec: exec of /bin/mv (mv -iv grsec_150922_gbn_03 grsec_150922_gbn_02 ) by /bin/mv[bash:7898] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:48:55 gbn kernel: [374229.554052] grsec: exec of /bin/cp (cp -iav /etc/grsec/policy grsec_150922_gbn_03 ) by /bin/cp[bash:7899] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:48:58 gbn kernel: [374231.830179] grsec: exec of /usr/bin/diff (diff grsec_150922_gbn_02 grsec_150922_gbn_03 ) by /usr/bin/diff[bash:7902] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:06 gbn kernel: [374239.749403] grsec: exec of /sbin/gradm (gradm -E ) by /sbin/gradm[bash:7903] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:06 gbn kernel: [374239.751460] grsec: chdir to /etc/grsec by /sbin/gradm[gradm:7903] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:06 gbn kernel: [374239.798040] grsec: (root:U:/sbin/gradm) grsecurity 3.1 RBAC system loaded by /sbin/gradm[gradm:7903] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:08 gbn kernel: [374242.432782] grsec: (ukra:U:/usr/bin/mail) exec of /usr/bin/mail (mail -s Trying things ukra ) by /usr/bin/mail[bash:7904] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:08 gbn kernel: [374242.435038] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /etc/mail.rc by /usr/bin/mail[mail:7904] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:20 gbn kernel: [374253.939655] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /etc/localtime by /usr/bin/mail[mail:7904] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:20 gbn kernel: [374253.940884] grsec: (ukra:U:/usr/sbin/sendmail) exec of /usr/sbin/sendmail (send-mail -i -- ukra ) by /usr/sbin/sendmail[mail:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mail[mail:7904] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:20 gbn kernel: [374253.947060] grsec: (ukra:U:/usr/sbin/sendmail) chdir to /var/spool/postfix by /usr/sbin/sendmail[sendmail:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mail[mail:7904] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:20 gbn kernel: [374253.947763] grsec: (ukra:U:/usr/sbin/postdrop) exec of /usr/sbin/postdrop (/usr/sbin/postdrop -r ) by /usr/sbin/postdrop[sendmail:7908] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sendmail[sendmail:7905] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:20 gbn kernel: [374253.953209] grsec: (ukra:U:/usr/sbin/postdrop) chdir to /var/spool/postfix by /usr/sbin/postdrop[postdrop:7908] uid/euid:1000/1000 gid/egid:1000/208, parent /usr/sbin/sendmail[sendmail:7905] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:20 gbn kernel: [374253.979912] grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/cleanup (cleanup -z -t unix -u ) by /usr/libexec/postfix/cleanup[master:7909] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:20 gbn kernel: [374253.986147] grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/cleanup[cleanup:7909] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:20 gbn postfix/pickup[7573]: 598DE3810FA: uid=1000 from=<ukra>
Sep 22 14:49:20 gbn kernel: [374253.987167] grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/trivial-rewrite (trivial-rewrite -n rewrite -t unix -u ) by /usr/libexec/postfix/trivial-rewrite[master:7910] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:20 gbn kernel: [374253.992917] grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/trivial-rewrite[trivial-rewrite:7910] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:20 gbn postfix/cleanup[7909]: 598DE3810FA: message-id=<20150922124920.598DE3810FA@gbn.localdomain>
Sep 22 14:49:20 gbn postfix/qmgr[11871]: 598DE3810FA: from=<ukra@localdomain>, size=307, nrcpt=1 (queue active)
Sep 22 14:49:20 gbn kernel: [374254.020744] grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/local (local -t unix ) by /usr/libexec/postfix/local[master:7911] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:20 gbn kernel: [374254.026702] grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/local[local:7911] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:20 gbn postfix/local[7911]: fatal: set_eugid: seteuid(0): Operation not permitted
Sep 22 14:49:20 gbn kernel: [374254.027577] grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/local[local:7911] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:21 gbn postfix/qmgr[11871]: warning: private/local socket: malformed response
Sep 22 14:49:21 gbn postfix/qmgr[11871]: warning: transport local failure -- see a previous warning/fatal/panic logfile record for the problem description
Sep 22 14:49:21 gbn postfix/master[11869]: warning: process /usr/libexec/postfix/local pid 7911 exit status 1
Sep 22 14:49:21 gbn postfix/master[11869]: warning: /usr/libexec/postfix/local: bad command startup -- throttling
Sep 22 14:49:21 gbn kernel: [374255.038370] grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/error (error -n retry -t unix -u ) by /usr/libexec/postfix/error[master:7913] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:21 gbn kernel: [374255.047205] grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/error[error:7913] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:21 gbn kernel: [374255.056839] grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/bounce (bounce -z -n defer -t unix -u ) by /usr/libexec/postfix/bounce[master:7914] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:21 gbn kernel: [374255.062081] grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/bounce[bounce:7914] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:21 gbn postfix/error[7913]: 598DE3810FA: to=<ukra@localdomain>, orig_to=<ukra>, relay=none, delay=1.2, delays=0.07/1/0/0.07, dsn=4.3.0, status=deferred (unknown mail transport error)
Sep 22 14:49:47 gbn kernel: [374281.419496] grsec: (root:U:/bin/bash) denied execution of /etc/init.d/syslog-ng by /bin/bash[bash:7915] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:47 gbn kernel: [374281.419661] grsec: (root:U:/bin/bash) denied open of /etc/init.d/syslog-ng for reading by /bin/bash[bash:7915] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:47 gbn kernel: [374281.422082] grsec: (root:U:/bin/bash) denied execution of /etc/init.d/dcron by /bin/bash[bash:7918] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:47 gbn kernel: [374281.422231] grsec: (root:U:/bin/bash) denied open of /etc/init.d/dcron for reading by /bin/bash[bash:7918] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:47 gbn kernel: [374281.424444] grsec: more alerts, logging disabled for 10 seconds
Sep 22 14:49:56 gbn kernel: [374289.916557] grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -a admin ) by /sbin/gradm[bash:7920] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:49:58 gbn kernel: [374292.629040] grsec: (root:U:/sbin/gradm) successful change to special role admin (id 20) by /sbin/gradm[gradm:7920] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:00 gbn kernel: [374293.713213] grsec: (admin:S:/) exec of /etc/init.d/syslog-ng (/etc/init.d/syslog-ng restart ) by /etc/init.d/syslog-ng[bash:7921] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:01 gbn kernel: [374295.416721] grsec: (admin:S:/) exec of /etc/init.d/dcron (/etc/init.d/dcron restart ) by /etc/init.d/dcron[bash:7982] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:01 gbn kernel: [374295.594007] grsec: (admin:S:/) exec of /etc/init.d/postfix (/etc/init.d/postfix restart ) by /etc/init.d/postfix[bash:8027] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10368] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:02 gbn kernel: [374296.562400] grsec: (admin:S:/) exec of /usr/libexec/postfix/qmgr (qmgr -l -t unix -u ) by /usr/libexec/postfix/qmgr[master:8153] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:8151] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:02 gbn kernel: [374296.563020] grsec: (admin:S:/) exec of /sbin/openrc (eend 0 ) by /sbin/openrc[openrc-run.sh:8154] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:8059] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:02 gbn kernel: [374296.571088] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/pickup[pickup:8152] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:8151] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:02 gbn kernel: [374296.578490] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/qmgr[qmgr:8153] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:8151] uid/euid:0/0 gid/egid:0/0

Here below starts where that mail is successfully sent. Find the line:
Sep 22 14:50:17 gbn postfix/cleanup[8164]: 79A05381566: message-id=<20150922125017.79A05381566@gbn.localdomain>
Code: Select all
Sep 22 14:50:06 gbn kernel: [374300.638488] grsec: (ukra:U:/usr/bin/mail) exec of /usr/bin/mail (mail -s Trying things ukra ) by /usr/bin/mail[bash:8159] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:50:17 gbn kernel: [374311.084218] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /etc/localtime by /usr/bin/mail[mail:8159] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:50:17 gbn kernel: [374311.085437] grsec: (ukra:U:/usr/sbin/sendmail) exec of /usr/sbin/sendmail (send-mail -i -- ukra ) by /usr/sbin/sendmail[mail:8160] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mail[mail:8159] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:50:17 gbn kernel: [374311.091826] grsec: (ukra:U:/usr/sbin/sendmail) chdir to /var/spool/postfix by /usr/sbin/sendmail[sendmail:8160] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/mail[mail:8159] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:50:17 gbn kernel: [374311.092632] grsec: (ukra:U:/usr/sbin/postdrop) exec of /usr/sbin/postdrop (/usr/sbin/postdrop -r ) by /usr/sbin/postdrop[sendmail:8163] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sendmail[sendmail:8160] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:50:17 gbn kernel: [374311.099465] grsec: (ukra:U:/usr/sbin/postdrop) chdir to /var/spool/postfix by /usr/sbin/postdrop[postdrop:8163] uid/euid:1000/1000 gid/egid:1000/208, parent /usr/sbin/sendmail[sendmail:8160] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:50:17 gbn kernel: [374311.145397] grsec: (admin:S:/) exec of /usr/libexec/postfix/cleanup (cleanup -z -t unix -u ) by /usr/libexec/postfix/cleanup[master:8164] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:8151] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:17 gbn postfix/pickup[8152]: 79A05381566: uid=1000 from=<ukra>
Sep 22 14:50:17 gbn kernel: [374311.150130] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/cleanup[cleanup:8164] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:8151] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:17 gbn kernel: [374311.151367] grsec: (admin:S:/) exec of /usr/libexec/postfix/trivial-rewrite (trivial-rewrite -n rewrite -t unix -u ) by /usr/libexec/postfix/trivial-rewrite[master:8165] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:8151] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:17 gbn postfix/cleanup[8164]: 79A05381566: message-id=<20150922125017.79A05381566@gbn.localdomain>
Sep 22 14:50:17 gbn kernel: [374311.155162] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/trivial-rewrite[trivial-rewrite:8165] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:8151] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:17 gbn postfix/qmgr[8153]: 79A05381566: from=<ukra@localdomain>, size=314, nrcpt=1 (queue active)
Sep 22 14:50:17 gbn kernel: [374311.186622] grsec: (admin:S:/) exec of /usr/libexec/postfix/local (local -t unix ) by /usr/libexec/postfix/local[master:8166] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:8151] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:17 gbn kernel: [374311.196906] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/local[local:8166] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:8151] uid/euid:0/0 gid/egid:0/0
Sep 22 14:50:17 gbn postfix/local[8166]: 79A05381566: to=<ukra@localdomain>, orig_to=<ukra>, relay=local, delay=0.13, delays=0.09/0.01/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Sep 22 14:50:17 gbn postfix/qmgr[8153]: 79A05381566: removed

Re: I need to fix RBAC policy for maildrop

Postby timbgo » Tue Sep 22, 2015 10:56 am

In essence, it's just these changes that I made to my /etc/grsec/policy file (I actually always find something non-related to remove or correct, but that is outside the topic here):
Code: Select all
# Role: ukra
subject /usr/bin/mail o {
    /                    h
    /usr
    /usr/sbin/sendmail   x
    /etc/ld.so.cache     r
    /lib64               rx
    /lib64/modules       h
    /tmp                 rwcdl
    /usr/lib64           rx
    -CAP_ALL
    bind      disabled
    connect   disabled
}


Now let's see whether my Maildrop will be able to create new maildirs when it needs to. Of course, I'm not completely sure yet.

Miroslav Rovis
http://www.CroatiaFidelis.hr
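As an added illustration (not the poster's code), this Python script parses the denial lines from the grsec log quoted above and checks object paths against the /usr/bin/mail subject in the policy snippet; it assumes gradm resolves an access by the most specific (longest) matching object path, which is how the `/ h` entry gets overridden by `/usr` and `/lib64`.

```python
import re
from collections import defaultdict
# Constructed sample: three denial lines copied from the grsec log in this thread.
LOG = """\
Sep 22 14:49:08 gbn kernel: [374242.435038] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /etc/mail.rc by /usr/bin/mail[mail:7904] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:20 gbn kernel: [374253.939655] grsec: (ukra:U:/usr/bin/mail) denied access to hidden file /etc/localtime by /usr/bin/mail[mail:7904] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:11813] uid/euid:1000/1000 gid/egid:1000/1000
Sep 22 14:49:20 gbn kernel: [374254.027577] grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/local[local:7911] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:11869] uid/euid:0/0 gid/egid:0/0
"""

# Objects of the /usr/bin/mail subject from the policy snippet (path -> mode letters).
POLICY = {"/": "h", "/usr": "", "/usr/sbin/sendmail": "x", "/etc/ld.so.cache": "r",
          "/lib64": "rx", "/lib64/modules": "h", "/tmp": "rwcdl", "/usr/lib64": "rx"}

# (role:type:subject) header, the message, then the acting binary[comm:pid].
LINE = re.compile(r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
                  r"(?P<msg>.+?) (?:by|for) (?P<binary>[^\[]+)\[(?P<comm>[^:]+):(?P<pid>\d+)\]")
OBJECT = re.compile(r"(?:hidden file|open of|execution of) (\S+)")

def parse_denials(text):
    """One dict per grsec line whose message reports a denial."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m and "denied" in m.group("msg"):
            rec = m.groupdict()
            obj = OBJECT.search(rec["msg"])
            rec["object"] = obj.group(1) if obj else None  # None: no file object (uid change)
            out.append(rec)
    return out

def denied_objects_by_subject(text):
    """Denied object paths per RBAC subject, in log order, without duplicates."""
    groups = defaultdict(list)
    for rec in parse_denials(text):
        if rec["object"] and rec["object"] not in groups[rec["subject"]]:
            groups[rec["subject"]].append(rec["object"])
    return dict(groups)

def policy_mode(objects, path):
    """Mode of the most specific object covering path (assumed gradm longest-match rule)."""
    best = ""
    for obj in objects:
        if (path == obj or obj == "/" or path.startswith(obj.rstrip("/") + "/")) and len(obj) > len(best):
            best = obj
    return objects.get(best, "")

def allows(objects, path, wanted):
    # Every requested access letter must be granted and the object must not be hidden.
    mode = policy_mode(objects, path)
    return "h" not in mode and all(c in mode for c in wanted)
```

Running `denied_objects_by_subject(LOG)` over the real log gives the list of objects a subject still lacks, and `policy_mode` shows why /etc/localtime is still hidden (only `/ h` covers it) while /usr/sbin/sendmail resolves to `x`.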

