ACL for exim

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

ACL for exim

Postby remote » Mon Oct 06, 2008 4:47 am

Hello , I have problem with exim4 , I try to send mail to local mailbox with command
mail -s test root
and see in log next msgs:

Oct 6 10:18:47 host2 kernel: grsec: From 192.168.191.13: (root:U:/usr/sbin/exim4) change to uid 5007 denied for /usr/sbin/exim4[exim4:14774] uid/euid:0/0 gid/egid:8/8, parent /usr/sbin/exim4[exim4:14773] uid/euid:0/0 gid/egid:102/102
Oct 6 10:18:47 host2 kernel: grsec: From 192.168.191.13: (root:U:/usr/sbin/exim4) change to uid 5007 denied for /usr/sbin/exim4[exim4:14777] uid/euid:0/0 gid/egid:8/8, parent /usr/sbin/exim4[exim4:14776] uid/euid:0/0 gid/egid:102/102

here is my policy config for subject /usr/bin/exim4 for role root
Code: Select all
subject /usr/sbin/exim4 o {
user_transition_allow Debian-exim

        /                               h
        /etc                            h
        /etc/aliases                    r
        /etc/mtab                       r
        /etc/resolv.conf                r
        /proc                           h
        /proc/stat                      r
        /proc/sys/kernel/ngroups_max    r
        /usr                            h
        /usr/share/zoneinfo             r
        /var                            h
        /var/lib/exim4/config.autogenerated     r
        /var/log/exim4/mainlog          a
        /var/run/nscd/socket            rw
        /var/log/exim4/paniclog         a
        /var/spool/exim4                rwc
        /var/tmp
        /var/mail                       rwcd
        -CAP_ALL
        +CAP_CHOWN
        +CAP_FOWNER
        +CAP_SETUID
        +CAP_SETGID
        +CAP_DAC_OVERRIDE
        bind 0.0.0.0/32:25 stream dgram ip tcp
}


I had set
+CAP_SETUID
+CAP_SETGID

so , what else is wrong ?
remote
 
Posts: 3
Joined: Sat Oct 04, 2008 5:29 am

Return to grsecurity support