Hello guys,
Generally speaking, I want to protect most of the daemons running on a system, from syslog through apache, squid etc., with the p flag, so that they can only be killed with special privileges. However, this presents a serious problem for logrotate post-rotate scripts, which want to HUP (or sometimes outright restart) the logging processes after rotating their logfiles. Grsecurity denies this access, so the processes don't get new file handles and discontinue logging. Obviously, I don't want that, but I still want to protect my processes from casually being signaled. I'd like to exempt specific subjects from the "p" rule, without assigning them to a role with admin privileges. I haven't been able to deduce a method of doing this from the documentation I have found. Is this possible? If not, any chance this could be implemented in a future version? It would seem to me that this is a pretty common use case.
Thanks in advance!