
Mailing List Archive: Gentoo: Hardened

hardened-sources-3.2.6 problems

 

 



atoth at atoth

Feb 24, 2012, 1:32 AM

Post #1 of 4 (716 views)
hardened-sources-3.2.6 problems

I'm using grsecurity and I've experienced problems with
hardened-sources-3.2.6 recently. I compiled and installed the kernel the
day before.
It seems to me the kernel incorrectly detects the UID of processes, which
is painful for some daemons. That caused denials because of the RBAC
system. Booting hardened-sources-3.2.5 solves the problem.
I essentially experienced the problem in conjunction with the mail system. I
use Sendmail as an MTA and Dovecot for IMAP. The daemons couldn't perform
their tasks, because the kernel thought they were trying to do everything as root.
Even after change to another user (mail or dovecot). It seems the kernel
incorrectly recognized the change of the UID.
I suspect the problem is related to the security features of the kernel.
But I thought it would be good to inform the list about this.

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057


pageexec at freemail

Feb 24, 2012, 4:36 AM

Post #2 of 4 (685 views)
Re: hardened-sources-3.2.6 problems [In reply to]

On 24 Feb 2012 at 10:32, "Tóth Attila" wrote:
> Even after change to another user (mail or dovecot). It seems the kernel
> incorrectly recognized the change of the UID.

wasn't that already fixed with:

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender [at] grsecurity>
Date: Mon Feb 20 09:17:57 2012 -0500

Fix wrong logic on capability checks for switching roles, broke policies
Thanks to Richard Kojedzinszky for reporting


basile at opensource

Feb 25, 2012, 11:40 AM

Post #3 of 4 (683 views)
Re: hardened-sources-3.2.6 problems [In reply to]

On 02/24/2012 07:36 AM, PaX Team wrote:
> On 24 Feb 2012 at 10:32, "Tóth Attila" wrote:
>> Even after change to another user (mail or dovecot). It seems the kernel
>> incorrectly recognized the change of the UID.
>
> wasn't that already fixed with:
>
> commit 4fd554e3a097b22c5049fcdc423897477deff5ef
> Author: Brad Spengler<spender [at] grsecurity>
> Date: Mon Feb 20 09:17:57 2012 -0500
>
> Fix wrong logic on capability checks for switching roles, broke policies
> Thanks to Richard Kojedzinszky for reporting
>

I'm testing 3.2.7 right now. I'll have it up soon.

@pipacs, I've had reports of 3.2.2-r1 kernels having problems booting.
idl0r gave me a bzImage which will not boot in qemu. Using the same
kernel config, 3.2.7 *will* boot. The problem occurs shortly after
decompression but before any early printk. Is this a known issue that
has been fixed or should I continue to try to isolate the problem? As I
said it seems to be gone in later kernels.

our hardened-sources-3.2.2-r1 = grsecurity-2.2.2-3.2.2-201201272014

the 3.2.7 which I will put up in a bit is the very latest which came out
today.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197


pageexec at freemail

Feb 25, 2012, 12:18 PM

Post #4 of 4 (681 views)
Re: hardened-sources-3.2.6 problems [In reply to]

On 25 Feb 2012 at 14:40, Anthony G. Basile wrote:

> @pipacs, I've had reports of 3.2.2-r1 kernels having problems booting.
> idl0r gave me a bzImage which will not boot in qemu. Using the same
> kernel config, 3.2.7 *will* boot. The problem occurs shortly after
> decompression but before any early printk. Is this a known issue that
> has been fixed or should I continue to try to isolate the problem? As I
> said it seems to be gone in later kernels.

hmm, i don't recall such issues but if you can get me a bzImage and vmlinux
i can take a look and tell you what it is.

 
 

