On Tue, 17 Dec 2013 00:55:54 +0100
"Tóth Attila" <atoth@××××××××××.hu> wrote:

> It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It has
> been reported as freedesktop bug #65575. Of course if there would be a
> specific group under which systemd performs its proc related activities,
> that could be configured as the exception GID, but I can hardly imagine
> that it is the case. Gentoo systemd wiki doesn't mention this point,
> otherwise important for hardened users. Systemd dev stands his ground and
> puts the period: nothing can be expected until grsecurity hits mainline.
> That will obviously not happen. I understand the dev having no intentions
> to support out-of-mainline features. Altering proc access significantly.
>
> Any of you have a workaround for systemd with grsec without completely
> losing proc restrictions?

The workaround is simple:

$ getent group procr
procr:x:777:polkitd,...
$ grep CONFIG_GRKERNSEC_PROC_GID /boot/config-3.11.9-hardened
CONFIG_GRKERNSEC_PROC_GID=777

This issue was discussed in the following bug report:
https://bugs.gentoo.org/show_bug.cgi?id=472098
(short summary: polkit[systemd] links with libsystemd-login.so which
needs access to "/proc/1")

>
> I'm trying real hard to be a shepherd. But this time I feel the urge -
> again - to purge the remnants of the once so shiny GNOME from my systems.
>
> Any thoughts on this? Or rather a grsec proc config workaround?
>
> Thx:
> Dw.

--
Alexander Tsoy
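The workaround above hinges on two things lining up: the GID compiled into the hardened kernel as CONFIG_GRKERNSEC_PROC_GID, and a real group with that GID whose members are exactly the service accounts that need /proc access (polkitd in this thread). The following script, an added example that is not part of the mailing-list post, checks that agreement. It reads the GID out of a kernel config file, finds the group with that numeric GID in a group file, and verifies that every account named on the command line is a member. The function names (proc_gid, group_line, check_proc_gid), the sample config and group files, and the second member name "colord" are all constructed for the example; on a live system you would pass /boot/config-$(uname -r) and /etc/group instead.

```shell
#!/bin/sh
# Added example: verify that CONFIG_GRKERNSEC_PROC_GID matches an existing
# group and that the expected service accounts are members of it.
# All inputs below are constructed copies, not real system files.

# proc_gid CONFIG_FILE -> print the numeric GID from CONFIG_GRKERNSEC_PROC_GID
# (prints nothing if the option is absent or not a number)
proc_gid() {
    sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=\([0-9][0-9]*\)$/\1/p' "$1"
}

# group_line GROUP_FILE GID -> print the group entry whose third field is GID
group_line() {
    awk -F: -v gid="$2" '$3 == gid { print; exit }' "$1"
}

# check_proc_gid CONFIG_FILE GROUP_FILE USER... -> 0 if every USER is a member
# of the group whose GID equals CONFIG_GRKERNSEC_PROC_GID, 1 otherwise.
# Reasons for failure are reported on stderr so the check can run from cron.
check_proc_gid() {
    cfg=$1; grp=$2; shift 2
    gid=$(proc_gid "$cfg")
    if [ -z "$gid" ]; then
        echo "CONFIG_GRKERNSEC_PROC_GID not set in $cfg" >&2
        return 1
    fi
    line=$(group_line "$grp" "$gid")
    if [ -z "$line" ]; then
        echo "no group with GID $gid in $grp (services will lose /proc access)" >&2
        return 1
    fi
    name=${line%%:*}       # group name, first field
    members=${line##*:}    # comma-separated member list, last field
    rc=0
    for u in "$@"; do
        case ",$members," in
            *",$u,"*) ;;   # user is listed as a member
            *) echo "$u is not a member of $name (GID $gid)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# --- constructed sample inputs (hypothetical, written to a temp dir) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/config" <<'EOF'
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_GID=777
EOF

# group file where polkitd is correctly in the GID 777 group
cat > "$TMP/group" <<'EOF'
root:x:0:
wheel:x:10:root
procr:x:777:polkitd,colord
EOF

# group file where the group exists but polkitd was never added to it
cat > "$TMP/group-missing" <<'EOF'
root:x:0:
procr:x:777:colord
EOF

SAMPLE_CONFIG=$TMP/config
SAMPLE_GROUP=$TMP/group
SAMPLE_GROUP_MISSING=$TMP/group-missing

# Demonstration run on the constructed inputs
if check_proc_gid "$SAMPLE_CONFIG" "$SAMPLE_GROUP" polkitd; then
    echo "OK: polkitd is in the CONFIG_GRKERNSEC_PROC_GID group"
fi
if ! check_proc_gid "$SAMPLE_CONFIG" "$SAMPLE_GROUP_MISSING" polkitd; then
    echo "MISMATCH: fix with usermod -a -G <group> polkitd"
fi
```

The membership check is deliberately exact (comma-delimited match) so that a user named, say, "polkitd2" does not satisfy a check for "polkitd". Adding further accounts to the argument list extends the check to every service that links libsystemd-login.so and therefore needs the exception GID.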