Help with my policy file

Postby rocky » Wed Aug 18, 2004 7:39 pm

I'm probably missing something very easy here, but for whatever reason this isn't working.

From my "role root" section:
...
subject /tmp/logrotate*
        /bin/chown              rx

subject /tmp/logrotate*:/bin/chown
        /var/log/mysql          rwxacdm
        /var/log/mysql/*        rwxacdm
        -CAP_ALL
        +CAP_CHOWN
....


(full policy @ http://rocky.mindphone.org/grsec/policy.192.168.0.2.txt )

But I'm still getting the following logged/denied:

Aug 18 06:26:12 schwa kernel: grsec: (root:U:/) denied chown of /var/log/mysql/mysql.err.4.gz by /bin/chown[chown:32673] uid/euid:0/0 gid/egid:0/0, parent /tmp/logrotate.6URgoP[logrotate.6URgo:29755] uid/euid:0/0 gid/egid:0/0

I could probably just define for the whole role that /bin/chown can chown /var/log/mysql/*, but I would prefer not to. Any help is much appreciated.
rocky
 
Posts: 19
Joined: Tue Dec 09, 2003 4:54 am

Postby spender » Fri Aug 20, 2004 10:18 am

Globbing isn't allowed for subjects yet. I would suggest maybe using a different log rotation program that doesn't do stupid things like executing randomly named files in /tmp.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
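A small policy linter for the point Brad makes (subject paths are matched literally, so a glob in a subject line silently leaves its objects and capabilities unused). This is an added example, not grsecurity's own tooling or code from either poster; the `role root uG` header and the `subject /` block are assumptions so that rocky's fragment parses as a complete role.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: rocky's fragment wrapped in an assumed role header.
SAMPLE_POLICY = """
role root uG
subject /
        /                       r
        -CAP_ALL

subject /tmp/logrotate*
        /bin/chown              rx

subject /tmp/logrotate*:/bin/chown
        /var/log/mysql          rwxacdm
        /var/log/mysql/*        rwxacdm
        -CAP_ALL
        +CAP_CHOWN
"""

GLOB_CHARS = re.compile(r"[*?\[]")  # shell-style wildcard metacharacters


def parse_policy(text: str) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Return {role: [(subject_spec, [object/capability lines]), ...]}.
    Minimal parser: 'role' and 'subject' headers plus the lines under them;
    '#' comments are stripped, subject/role flags after the path are ignored."""
    roles: Dict[str, List[Tuple[str, List[str]]]] = {}
    role, subj = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("role "):
            role, subj = line.split()[1], None
            roles[role] = []
        elif line.startswith("subject ") and role is not None:
            subj = line.split()[1]
            roles[role].append((subj, []))
        elif subj is not None:
            roles[role][-1][1].append(line)
    return roles


def lint_subjects(text: str) -> List[str]:
    """Flag subject paths (including each part of a nested a:b subject)
    that contain glob characters; object globs are fine and are not checked."""
    findings = []
    for role, subjects in parse_policy(text).items():
        for spec, body in subjects:
            for part in spec.split(":"):  # nested subjects are colon-separated
                if GLOB_CHARS.search(part):
                    findings.append(f"role {role}: subject '{spec}' uses a glob in "
                                    f"'{part}'; its {len(body)} line(s) will not "
                                    f"match a literal executable path")
                    break
    return findings
```

Running `lint_subjects(SAMPLE_POLICY)` reports both `logrotate*` subjects; the `/var/log/mysql/*` object line under them is not flagged.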

