If you are using SELinux, try adding "auth sufficient pam_rootok.so" as the first line in the run_init file in pam.d.

----- Original Message -----
From: "Tóth Attila" <atoth@××××××××××.hu>
To: gentoo-hardened@l.g.o
Cc:
Sent: Sunday, September 18, 2011 7:52 AM
Subject: [gentoo-hardened] elog logrotate portage problems

Some weeks ago logrotate started to complain about elog permissions.
I've added the necessary su lines to the configuration. That was also
officially introduced in an updated ebuild later.
I made an effort to accommodate the grsec ruleset to take care of the
situation. I let logrotate su, and inserted a portage role.
In this portage role I gave the capabilities to chmod, and several binaries
can now write to /var/log/portage.
However, an error message still persists and logrotate still cannot do its
job properly:
"error: error setting owner of /var/log/portage/elog/summary.log.1.gz:
Operation not permitted"
That's what I see in my mailbox.

The problem is that I see no grsec denial lines in the grsec log. I suspected
that I've hidden /var/log for some binaries silently. But that's not the
case. I've tried to run logrotate while I've switched on learning mode,
but I couldn't figure out what is missing from the policy.

So, any of you might know what binary tries to change the ownership of elog,
running in the name of which user?

Thanks for any hints:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
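As an added illustration, not taken from the thread: a logrotate stanza of the kind the post refers to for Portage's elog directory, where the file path and the portage:portage owner are assumptions based on Portage's default layout rather than anything the poster showed.

```conf
# /etc/logrotate.d/elog (constructed example; path, user and group are assumptions)
/var/log/portage/elog/*.log {
    # Perform the rotation as portage:portage instead of root. Without this,
    # logrotate refuses to work in a directory it considers insecurely owned,
    # which is the permission complaint the post mentions.
    su portage portage
    weekly
    rotate 4
    missingok
    notifempty
    compress
    # Note on the error quoted in the post: after compressing a rotated file,
    # logrotate itself calls fchown() on the new .gz to give it the original
    # log's owner and group. If the kernel or an RBAC policy refuses that
    # chown, logrotate reports "error setting owner of <file>.gz: ...",
    # so the process doing the ownership change is logrotate, not a helper.
}
```

Dry-run it with `logrotate -d /etc/logrotate.d/elog`, which reports every step it would take without rotating or compressing anything.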