Hi, after reading the acl docs for several times already, and trying
to implement some acls setups,i don't understand the behaviour of grsec.
I have this setup:
/ {
/ r
/etc rx
...
}
/etc {
/etc/grsec h
}
but then executing 'gradm -E' i get the error:
Viewing access is allowed to /etc/grsec, the directory which holds ACL and ACL password information.
Why, only if i put "/etc/grsec h" in / subject it works. Is /etc subject ignored?
The same then i change the /etc subject to:
/etc o {
/ h
/etc rx
/etc/grsec h
}
another setup:
/ {
/ r
/etc rx
...
}
/etc {
/etc rwxo
}
then grsec is enabled, i can't write into /etc. again seems like /etc subject is just ignored by grsec. Why?
Please help me out.
Thanks a lot
acl
3 posts
• Page 1 of 1
by piavka » Thu Oct 31, 2002 11:38 am
I think i figured out what i was doing wrong.
If some executable (say /usr/bin/pico) tries to write into /etc
it will fail because it does not inherit the /etc subject but only /.
If the executalbe was located under /etc line /etc/lala/pico
then it could write into /etc if this is the setup:
/ {
/ r
/etc rx
...
}
/etc {
/etc rwxo
}
If some executable (say /usr/bin/pico) tries to write into /etc
it will fail because it does not inherit the /etc subject but only /.
If the executalbe was located under /etc line /etc/lala/pico
then it could write into /etc if this is the setup:
/ {
/ r
/etc rx
...
}
/etc {
/etc rwxo
}
- piavka
- Posts: 20
- Joined: Tue Jul 02, 2002 10:03 am
by spender » Fri Nov 01, 2002 8:31 am
i don't think you understand the ideas of subjects and objects. When you create a subject acl, it only gets applied to executed binaries. So putting a subject ACL on /etc won't do anything unless you've got a binary in /etc. Objects are the files that the process works with.
-Brad
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
3 posts
• Page 1 of 1