> ...SKIP...- part1 before disabling grsec2
> grsec: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE
> against limit 1024 by /usr/bin/postgres[postmaster:28855] uid/euid:70/70
> gid/egid:70/70, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

i guess this one is not related to artsd, but here's what i know about
it anyway: for some reason postgresql tries to determine the max fd
limit by simply duping an fd until it receives an error, that will then
run into grsec rlimit enforcement and the message above. i read on one
of their mailing lists a while ago that this was supposed to be fixed:

http://groups.google.com/groups?threadm=c8abh7%245ap%241%40FreeBSD.csie.NCTU.edu.tw

> ...SKIP... - part2 after disabling grsec2
> grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE
> against limit 0 by
> /var/tmp/portage/arts-1.3.0/work/arts-1.3.0/mcopidl/.libs/lt-mcopidl[lt-mcopidl:4517] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:4516] uid/euid:0/0 gid/egid:0/0
> grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE
> against limit 0 by
> /var/tmp/portage/arts-1.3.0/work/arts-1.3.0/mcopidl/.libs/lt-mcopidl[lt-mcopidl:4526] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:4516] uid/euid:0/0 gid/egid:0/0
> ...END...

this is just a report that lt-mcopidl crashed or was killed, it doesn't
tell us the reason. did you get PaX kill messages beforehand (in which
case it would be a runtime code generation issue)? if not, then it's a
'normal' crash, needs debugging. for this you have to enable coredumps
('ulimit -c unlimited' in your shell before you run emerge) then look at
the coredump in gdb and post some info like 'bt', 'info reg', 'x/8i $eip',
'x/16x $esp', etc.

> Just a non-related question: could i use the 'default' spec GCC file
> (change it manually) to compile something and after that restore the
> default (hardened.spec)?

yes you can, but normally you can just set CFLAGS to disable ssp/pie if
they're causing problems. there're already safeguards against some flag
combinations that disable one or the other, if some case is not covered
in the specs then that's a bug ;-).

--
gentoo-hardened@g.o mailing list
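
Added example, not part of the original message and not grsecurity or Gentoo code: a small Python parser for the `grsec: attempted resource overstep` lines quoted above, with triage labels that follow the explanations given in the reply. The function names and label strings are hypothetical, and the regular expression assumes the message layout seen in this thread with wrapped lines joined.

```python
import re
from collections import Counter

# Message layout as it appears in the grsec lines quoted in this thread.
OVERSTEP = re.compile(
    r"grsec: attempted resource overstep by requesting (?P<requested>\d+) "
    r"for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) by "
    r"(?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<parent>\S+)\[[^\]]+\]"
)

def parse(line):
    """Return the fields of one overstep message, or None for any other line."""
    m = OVERSTEP.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("requested", "limit", "pid", "uid", "euid"):
        ev[key] = int(ev[key])
    return ev

def triage(ev):
    """Hypothetical labels that mirror the explanations in the reply."""
    if ev["resource"] == "RLIMIT_CORE" and ev["limit"] == 0:
        return "crash-with-coredumps-disabled"  # process crashed or was killed
    if ev["resource"] == "RLIMIT_NOFILE":
        return "fd-limit-reached"  # e.g. dup() repeated until it fails
    return "unclassified"

def summarize(lines):
    """Count (comm, label) pairs over a log, skipping unrelated lines."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev is not None:
            counts[(ev["comm"], triage(ev))] += 1
    return dict(counts)

# The three messages quoted in the thread (wrapped lines joined), plus one constructed unrelated line.
SAMPLE = [
    "grsec: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by /usr/bin/postgres[postmaster:28855] uid/euid:70/70 gid/egid:70/70, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /var/tmp/portage/arts-1.3.0/work/arts-1.3.0/mcopidl/.libs/lt-mcopidl[lt-mcopidl:4517] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:4516] uid/euid:0/0 gid/egid:0/0",
    "grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /var/tmp/portage/arts-1.3.0/work/arts-1.3.0/mcopidl/.libs/lt-mcopidl[lt-mcopidl:4526] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:4516] uid/euid:0/0 gid/egid:0/0",
    "kernel: constructed line that is not a grsec overstep message",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A `crash-with-coredumps-disabled` entry only says that a core dump was attempted; the cause still has to come from earlier PaX messages or from a core file examined in gdb.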