From: Georg Glas (glas_at_hollomey.com)
Date: Thu 17 Jul 2003 - 11:16:55 BST
Am Donnerstag, 17. Juli 2003 09:00 schrieben Sie:
> Well, grsec and ctx are working together, you can also select them both.
> I've choosen the mutual exclusion some time ago for WOLK3 time. The only
> exception which does not work is the ACL subsystem which conflicts with
> CTX. You cannot disable the ACL subsystem once if its started if CTX is
> compiled into the kernel. We did not figure out why yet.
i´ve seen this too in wolk, but there is a very easy but ugly workaround, yust
copy /sbin/gradm to /usr/sbin/gradm.
/usr/sbin/grsec has the permissions to access /proc/grsec, and can be used for
disabling grsec (enable it via /sbin/grsec) .. that way you can workaround
the broken standard rules acl ... wich gradm compiles on top of the
/etc/grsec/acl (so if u put acls for /sbin/gradm in there they dont work) ..
of course the acl for vservers work with the path used on the root server (eg
/vserver/<vservername>/bin/ls) so it would be very fine to have some kinde of
regexp or wildcard in the acl /vserver/*/bin/ls but this is not implemented
yet and prop wont be in future)
<promoption>i love wolk</promotion>
-- mfg. Georg Glas Hollomey Consultants GmbH phone: +4331681139362 fax: +433168113934