| 1 |
If you are using Selinux, try adding "auth sufficient pam_rootok.so " to the first line in in run_init file in pam.d. |
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
----- Original Message ----- |
| 6 |
From: ""Tóth Attila"" <atoth@××××××××××.hu> |
| 7 |
To: gentoo-hardened@l.g.o |
| 8 |
Cc: |
| 9 |
Sent: Sunday, September 18, 2011 7:52 AM |
| 10 |
Subject: [gentoo-hardened] elog logrotate portage problems |
| 11 |
|
| 12 |
Some weeks before logrotate started to complain on elog permissions. |
| 13 |
I've added the necessary su lines to the configuration. That was also |
| 14 |
officially introduced in an updated ebuild later. |
| 15 |
I made an effort to accommodate the grsec ruleset to take care of the |
| 16 |
situation. I let logrotate to su, and inserted a portage role. |
| 17 |
In this portage role I gave the capabilities to chmod and several binaries |
| 18 |
can now write to /var/log/portage. |
| 19 |
However an error message still persists and logrotate still cannot do its |
| 20 |
job properly: |
| 21 |
"error: error setting owner of /var/log/portage/elog/summary.log.1.gz: |
| 22 |
Operation not permitted" |
| 23 |
That's what I see in my mailbox. |
| 24 |
|
| 25 |
The problem is that I see no grsec denial lines in grsec log. I suspected, |
| 26 |
that I've hidden /var/log for some binaries silently. But that's not the |
| 27 |
case. I've tried to run logrotate while I've switched on learning mode. |
| 28 |
But I couldn't figure out what is missing from the policy. |
| 29 |
|
| 30 |
So any of you might know what binary tries to change the ownership of elog |
| 31 |
running in the name of which user? |
| 32 |
|
| 33 |
Thanks for any hints: |
| 34 |
Dw. |
| 35 |
-- |
| 36 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 37 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
Archives