Help with my policy file

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team


Postby rocky » Wed Aug 18, 2004 7:39 pm

I'm probably missing something very easy here, but for whatever reason this isn't working.

From my "role root" section:
subject /tmp/logrotate*
        /bin/chown              rx

subject /tmp/logrotate*:/bin/chown
        /var/log/mysql          rwxacdm
        /var/log/mysql/*        rwxacdm

(full policy @ )

But I'm still getting the following logged/denied:

Aug 18 06:26:12 schwa kernel: grsec: (root:U:/) denied chown of /var/log/mysql/mysql.err.4.gz by /bin/chown[chown:32673] uid/euid:0/0 gid/egid:0/0, parent /tmp/logrotate.6URgoP[logrotate.6URgo:29755] uid/euid:0/0 gid/egid:0/0

I could probably just define for the whole role that /bin/chown can chown /var/log/mysql/*, but I would prefer not to. Any help is much appreciated.

Posts: 19
Joined: Tue Dec 09, 2003 4:54 am

Postby spender » Fri Aug 20, 2004 10:18 am

Globbing isn't allowed for subjects yet. I would suggest maybe using a different log rotation program that doesn't do stupid things like executing randomly named files in /tmp.

Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
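Added example, not code from either poster or from grsecurity itself: a small Python parser for the grsec RBAC denial line quoted above. The point it makes explicit is the `(role:type:subject)` triple at the start of the message: it names the subject the kernel actually applied to the offending process. In the quoted line that is `/`, the role's default subject, which is the kernel telling you that neither `subject /tmp/logrotate*` nor the nested `/tmp/logrotate*:/bin/chown` was ever matched (subjects are literal paths, not globs). The first sample line is the one from the thread; the second line, the `/usr/sbin/logrotate` subject, and the `triage` helper are constructed for contrast and are assumptions, not anything from the thread.

```python
import re
from fnmatch import fnmatch

# Field layout of a grsec RBAC denial message, as in the line quoted in the
# thread: "grsec: (role:type:subject) denied <op> of <object> by
# <exe>[comm:pid] uid/euid:a/b gid/egid:c/d, parent <exe>[comm:pid] ...".
# Process fields appear twice (offender, then parent), so build them once and
# prefix the parent's group names with "p".
_PROC = (
    r"(?P<{p}exe>\S+?)\[(?P<{p}comm>[^:\]]*):(?P<{p}pid>\d+)\] "
    r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
    r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)"
)
_DENIAL = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<roletype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied (?P<op>\w+) of (?P<obj>.+?) by " + _PROC.format(p="")
    + r", parent " + _PROC.format(p="p")
)

_INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
               "ppid", "puid", "peuid", "pgid", "pegid")


def parse_denial(line):
    """Return the fields of one grsec denial line as a dict, or None."""
    m = _DENIAL.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in _INT_FIELDS:
        rec[k] = int(rec[k])
    return rec


def matched_intended_subject(rec, intended):
    """True if the kernel applied one of the subject lines you wrote.

    `intended` holds subject names exactly as written in the policy. RBAC
    subjects are matched literally, so this is a plain string comparison
    against the subject the kernel reported, never a glob match.
    """
    return rec["subject"] in intended


def glob_would_have_matched(rec, pattern):
    """Diagnostic only: would a shell glob have covered the parent binary?

    Shows the gap between what a glob-looking subject appears to cover and
    what the kernel actually matched.
    """
    return fnmatch(rec["pexe"], pattern)


def triage(lines, intended):
    """For each denial, report the matched subject and whether it was intended."""
    out = []
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        out.append({
            "op": rec["op"],
            "obj": rec["obj"],
            "matched_subject": rec["subject"],
            "parent": rec["pexe"],
            "hit_intended": matched_intended_subject(rec, intended),
        })
    return out


# Constructed sample input. The first line is the one quoted in the thread;
# the second is invented to show a denial where a literal subject did match.
SAMPLE_LOG = [
    "Aug 18 06:26:12 schwa kernel: grsec: (root:U:/) denied chown of "
    "/var/log/mysql/mysql.err.4.gz by /bin/chown[chown:32673] uid/euid:0/0 "
    "gid/egid:0/0, parent /tmp/logrotate.6URgoP[logrotate.6URgo:29755] "
    "uid/euid:0/0 gid/egid:0/0",
    "Aug 18 06:27:01 schwa kernel: grsec: (root:U:/usr/sbin/logrotate) denied "
    "chown of /var/log/mysql/mysql.err.5.gz by /bin/chown[chown:32700] "
    "uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/logrotate[logrotate:32699] "
    "uid/euid:0/0 gid/egid:0/0",
]

if __name__ == "__main__":
    # The subjects from the policy in the first post: neither is ever reported
    # by the kernel, because the glob is taken literally.
    for row in triage(SAMPLE_LOG, ["/tmp/logrotate*", "/tmp/logrotate*:/bin/chown"]):
        print(row)
```

Running it on the thread's line prints `matched_subject: '/'` and `hit_intended: False`, while `glob_would_have_matched` returns True for `/tmp/logrotate*`: the parent path looks like it fits the pattern, but the kernel never consulted that subject. When a denial shows the default subject for a process you thought you had covered, check the subject name before touching the object lines.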
