Selectively overriding "p" subject flag

Posted: Thu Apr 28, 2011 6:58 am
by tty
Hello guys,

Generally speaking, I want to protect most of the daemons running on a system, from syslog through Apache, Squid etc., with the p flag, so that they can only be killed with special privileges. However, this presents a serious problem for logrotate post-rotate scripts, which want to HUP (or sometimes outright restart) the logging processes after rotating their logfiles. Grsecurity denies this access, so the processes don't get new file handles and discontinue logging. Obviously, I don't want that, but I still want to protect my processes from casually being signaled. I'd like to exempt specific subjects from the "p" rule, without assigning them to a role with admin privileges. I haven't been able to deduce a method of doing this from the documentation I have found. Is this possible? If not, any chance this could be implemented in a future version? It would seem to me that this is a pretty common use case.

Thanks in advance!

Re: Selectively overriding "p" subject flag

Posted: Fri Apr 29, 2011 6:07 pm
by spender
If you give logrotate the 'k' subject mode, it will be able to kill protected processes.

-Brad