[grsec] 2 connect questions

Mark Moseley moseleymark at gmail.com
Mon May 23 14:02:05 EDT 2005


Pardon the possibly newbie question (though it's not found in my perusal of
the archives).

I'm writing some ACLs and ran into a couple of things:

1) I saw in the archives from a while back that at the time there was
no way to negate the "connect" option. Is that still true? I'm looking
to do an ACL that allows connections to external IPs but not to
internal hosts. Obviously I can do this in iptables too, but I trust
grsec more than iptables (well, not that I don't trust
iptables/netfilter, but it's less likely that someone will get around the
connect ACL than that someone will figure out a way to sneak in an iptables
rule).

2) Is there a separate syntax for connect'ing to domain sockets? I'm
getting errors in messages saying:

denied connect() to the unix domain socket /dev/log by
/usr/bin/crontab[crontab:8319]

/usr/bin/crontab has 'w' permission to /dev/log. I also see this same
message when trying to restart syslogd as root (but not in 'admin'
mode). I compiled the kernel with socket restrictions and specified
the GID as 15000 (which is the GID in that crontab message but
definitely not the GID of root), so I'm not sure if the socket
restrictions are doing this or if I need an ACL.

Please let me know if any other details would be helpful (the policy
file, .config entries, etc).

Thanks!
