| 1 |
Dear Alexander, |
| 2 |
|
| 3 |
Thanks for pointing to this bug! |
| 4 |
|
| 5 |
I'll give another try to systemd. |
| 6 |
A duplicate of bug 472098 also contains important information: |
| 7 |
https://bugs.gentoo.org/show_bug.cgi?id=455938 |
| 8 |
According to this bug it's enough to add polkitd to the PROC_GID group. |
| 9 |
Now I know what was my problem with gdm-3.6! |
| 10 |
It's a pity I hadn't found this bug earlier. |
| 11 |
|
| 12 |
Sorry for the noise. I'll retry systemd transition. |
| 13 |
|
| 14 |
Thanks: |
| 15 |
Dw. |
| 16 |
-- |
| 17 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 18 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
| 19 |
|
| 20 |
2013.December 17.(K) 10:23 időpontban Alexander Tsoy ezt írta: |
| 21 |
> В Tue, 17 Dec 2013 00:55:54 +0100 |
| 22 |
> "Tóth Attila" <atoth@××××××××××.hu> пишет: |
| 23 |
> |
| 24 |
>> It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It |
| 25 |
>> has |
| 26 |
>> been reported as freedesktop bug #65575. Of course if there would be a |
| 27 |
>> specific group under which systemd performs its proc related activities, |
| 28 |
>> that could be configured as the exception GID, but I can hardly imagine |
| 29 |
>> that it is the case. Gentoo systemd wiki doesn't mention this point, |
| 30 |
>> otherwise important for hardened users. Systemd dev stands his ground |
| 31 |
>> and |
| 32 |
>> puts the period: nothing can be expected until grsecurity hits mainline. |
| 33 |
>> That will obviously not happen. I understand the dev having no |
| 34 |
>> intentions |
| 35 |
>> to support out-of-mainline features. Altering proc access significantly. |
| 36 |
>> |
| 37 |
>> Any of you have a workaround for systemd with grsec without completely |
| 38 |
>> loosing proc restrictions? |
| 39 |
> |
| 40 |
> The workaround is simple: |
| 41 |
> |
| 42 |
> $ getent group procr |
| 43 |
> procr:x:777:polkitd,... |
| 44 |
> $ grep CONFIG_GRKERNSEC_PROC_GID /boot/config-3.11.9-hardened |
| 45 |
> CONFIG_GRKERNSEC_PROC_GID=777 |
| 46 |
> |
| 47 |
> This issue was discussed in the following bug report: |
| 48 |
> https://bugs.gentoo.org/show_bug.cgi?id=472098 |
| 49 |
> (short summary: polkit[systemd] links with libsystemd-login.so which |
| 50 |
> need access to "/proc/1") |
| 51 |
> |
| 52 |
>> |
| 53 |
>> I'm trying real hard to be a shepherd. But this time I feel the urge - |
| 54 |
>> again - to purge the remnants of the once so shiny GNOME from my |
| 55 |
>> systems. |
| 56 |
>> |
| 57 |
>> Any thoughts on this? Or rather a grsec proc config workaround? |
| 58 |
>> |
| 59 |
>> Thx: |
| 60 |
>> Dw. |
| 61 |
> |
| 62 |
> -- |
| 63 |
> Alexander Tsoy |
| 64 |
> |
| 65 |
> |
Archives