grsecurity forums

I have problem with cron and symlink :

Nov 23 19:07:02 wakka grsec: From 10.0.0.6: (root:U:/bin/ln) denied symlink from 5557 to /var/spool/cron/lastrun/lock by /bin/ln[ln:29143] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:5557] uid/euid:0/0 gid/egid:0/0
Nov 23 19:07:02 wakka grsec: From 10.0.0.6: (root:U:/bin/ln) denied symlink from 5557 to /var/spool/cron/lastrun/lock by /bin/ln[ln:7763] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:5557] uid/euid:0/0 gid/egid:0/0
Nov 23 19:08:02 wakka grsec: From 10.0.0.6: (root:U:/bin/ln) denied symlink from 8796 to /var/spool/cron/lastrun/lock by /bin/ln[ln:3409] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:8796] uid/euid:0/0 gid/egid:0/0
Nov 23 19:08:02 wakka grsec: From 10.0.0.6: (root:U:/bin/ln) denied symlink from 8796 to /var/spool/cron/lastrun/lock by /bin/ln[ln:10018] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:8796] uid/euid:0/0 gid/egid:0/0


As you can see, there are no source (what is 8796?).
So I try to add
/var/spool/cron/lastrun/lock lrdwc
to /bin/ln subject but it doesn't work.
How to fix this?

Symlinking only requires create + write permission, not hardlink permission. I'll see if I can modify the symlink log so that it reports a full pathname for the filename pointed to by the symlink, but the modification you noted should have fixed the problem if it was placed in the right role/subject.

-Brad