Brant Williams asked for the Grsecurity _RBAC_ denial messages.

Do you have Grsecurity RBAC enabled? Hardened Gentoo has several flavors:
you can use either SELinux, RSBAC or Grsecurity (or AppArmor) for access
control purposes.

What access control mechanism do you use? Do you use Grsecurity?
If you do: you should have some denial error messages in your system log.
One exception to this is if you use the "h" option in your policy to suppress
denial messages. You should remove it from the responsible location.
Have you (ever) fine-tuned your Grsec policy? If not: please see the Grsec
documentation and search for learning mode.

If you have your grsec denials: you should incorporate the necessary
rights in your policy for chronyd.

Regards,
Dw.
--
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

On Mon, December 31, 2007 18:44, Peter Humphrey wrote:
> On Monday 31 December 2007 16:39:30 brant williams wrote:
>
>> Can you paste the error you're referring to?
>
> Here goes (sorry if line wrapping spoils it), with my four comments:
>
> Dec 31 17:32:55 gate chronyd[23772]: chronyd exiting on signal # I'd
> restarted it; no mention of file operations, note
> Dec 31 17:32:55 gate chronyd[23855]: chronyd version 1.21 starting
> Dec 31 17:32:55 gate chronyd[23855]: Could not open RTC file
> /etc/chrony/chrony.rtc for reading # because it wasn't there
> Dec 31 17:32:56 gate grsec: From 192.168.129.25: time set by
> /usr/sbin/chronyd[chronyd:23855] uid/euid:0/0 gid/egid:0/0, parent
> /usr/sbin/chronyd[chronyd:23854] uid/euid:0/0 gid/egid:0/0 # I was ssh'd
> in from that IP address (this box is headless)
> Dec 31 17:32:56 gate chronyd[23855]: Initial txc.tick=10000 txc.freq=0
> (0.00000000) txc.offset=0 => hz=100 shift_hz=7
> Dec 31 17:32:56 gate chronyd[23855]: set_config_hz=0 hz=100 shift_hz=7
> basic_freq_scale=1.28000000 nominal_tick=10000 slew_delta_tick=833
> max_tick_bias=1000
> Dec 31 17:32:56 gate chronyd[23855]: Linux kernel major=2 minor=6 patch=23
> Dec 31 17:32:56 gate chronyd[23855]: calculated_freq_scale=0.99902439
> freq_scale=0.99902439
> Dec 31 17:33:03 gate chronyd[23855]: No valid file coefficients, cannot
> trim system time # I don't understand what that means
>
> So it looks as though chrony can set the system clock, but not write
> /etc/chrony/chrony.rtc - but it has written /etc/chrony/chrony.drift!
>
> $ ls -ld /etc/chrony
> drwxr-xr-x 2 root root 4096 2007-12-31 17:38 /etc/chrony
> $ ls -l /etc/chrony
> total 24
> -rw-r--r-- 1 root root 12395 2007-12-31 17:29 chrony.conf
> -rw-r--r-- 1 root root 42 2007-12-31 17:39 chrony.drift
> -rw-r--r-- 1 root root 1172 2007-12-31 17:31 chrony.keys
>
> I tried touching /etc/chrony/chrony.conf, but it remained empty.
>
> $ uname -a
> Linux gate 2.6.23-hardened-r4-gr #4 Sun Dec 30 16:58:09 GMT 2007 i686
> Intel(R) Pentium(R) 4 CPU 2.00GHz GenuineIntel GNU/Linux
>
> I'm beginning to wonder whether chrony is capable of running on this box.
>
> --
> Rgds
> Peter
> --
> gentoo-hardened@g.o mailing list
>
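
Added example (not part of the original messages, and not code from the Grsecurity or chrony projects): a shell filter that separates grsec audit entries, such as the "time set by" line quoted above, from RBAC denials for one program, and lists what was denied so the rights can be reviewed for the policy. The sample log is constructed; the wording of the "denied" lines is an assumption about the kernel's log format, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample syslog, one entry per line. The "time set by" entry mirrors
# the one quoted in the thread; the "denied" entries are constructed and their
# exact wording is an assumption about the grsec RBAC log format.
sample_log() {
cat <<'EOF'
Dec 31 17:32:55 gate chronyd[23855]: chronyd version 1.21 starting
Dec 31 17:32:56 gate grsec: From 192.168.129.25: time set by /usr/sbin/chronyd[chronyd:23855] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/chronyd[chronyd:23854] uid/euid:0/0 gid/egid:0/0
Dec 31 17:33:03 gate grsec: (default:D:/usr/sbin/chronyd) denied open of /etc/chrony/chrony.rtc for writing by /usr/sbin/chronyd[chronyd:23855] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Dec 31 17:33:04 gate grsec: (default:D:/usr/sbin/cron) denied open of /var/spool/cron for reading by /usr/sbin/cron[cron:2001] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Dec 31 17:33:05 gate grsec: (default:D:/usr/sbin/chronyd) denied open of /dev/rtc for reading by /usr/sbin/chronyd[chronyd:23855] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
EOF
}

# grsec_lines PROG: every grsec message where PROG is the acting process
# (matched on " by PROG[", so a PROG that is only the parent is ignored).
grsec_lines() {
    grep ' grsec: ' | grep -F " by $1["
}

# grsec_denials PROG: only the denials. An audit entry like "time set by"
# is not a denial and is dropped here.
grsec_denials() {
    grsec_lines "$1" | grep -F ' denied '
}

# denied_objects PROG: unique "operation path mode" lines to review before
# adding rights for PROG to the policy.
denied_objects() {
    grsec_denials "$1" |
        sed -n 's/.* denied \([a-z_]*\) of \([^ ]*\) for \([a-z ]*\) by .*/\1 \2 \3/p' |
        sort -u
}

# Demo on the constructed log; on a real system feed the syslog file instead.
# No output while the daemon still fails fits the case described in the reply:
# denial logging suppressed by the "h" option.
sample_log | denied_objects /usr/sbin/chronyd
```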