| 1 |
В Tue, 17 Dec 2013 00:55:54 +0100 |
| 2 |
"Tóth Attila" <atoth@××××××××××.hu> пишет: |
| 3 |
|
| 4 |
> It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It has |
| 5 |
> been reported as freedesktop bug #65575. Of course if there would be a |
| 6 |
> specific group under which systemd performs its proc related activities, |
| 7 |
> that could be configured as the exception GID, but I can hardly imagine |
| 8 |
> that it is the case. Gentoo systemd wiki doesn't mention this point, |
| 9 |
> otherwise important for hardened users. Systemd dev stands his ground and |
| 10 |
> puts the period: nothing can be expected until grsecurity hits mainline. |
| 11 |
> That will obviously not happen. I understand the dev having no intentions |
| 12 |
> to support out-of-mainline features. Altering proc access significantly. |
| 13 |
> |
| 14 |
> Any of you have a workaround for systemd with grsec without completely |
| 15 |
> loosing proc restrictions? |
| 16 |
|
| 17 |
The workaround is simple: |
| 18 |
|
| 19 |
$ getent group procr |
| 20 |
procr:x:777:polkitd,... |
| 21 |
$ grep CONFIG_GRKERNSEC_PROC_GID /boot/config-3.11.9-hardened |
| 22 |
CONFIG_GRKERNSEC_PROC_GID=777 |
| 23 |
|
| 24 |
This issue was discussed in the following bug report: |
| 25 |
https://bugs.gentoo.org/show_bug.cgi?id=472098 |
| 26 |
(short summary: polkit[systemd] links with libsystemd-login.so which |
| 27 |
need access to "/proc/1") |
| 28 |
|
| 29 |
> |
| 30 |
> I'm trying real hard to be a shepherd. But this time I feel the urge - |
| 31 |
> again - to purge the remnants of the once so shiny GNOME from my systems. |
| 32 |
> |
| 33 |
> Any thoughts on this? Or rather a grsec proc config workaround? |
| 34 |
> |
| 35 |
> Thx: |
| 36 |
> Dw. |
| 37 |
|
| 38 |
-- |
| 39 |
Alexander Tsoy |
Archives