Hi

Stefan SF wrote:
> Hi,
> I've two servers running with hardened-sources and GRSecurity + PAX
> enabled and anything went fine. Two other servers running
> hardened-sources with SELinux and GRSecurity + PAX I always get PAX
> errors when I want to install something through emerge.
> PAX: bytes at PC: <invalid address>.
> PAX: bytes at SP: 26c5598c 26c6ccd1 26c6c849 5af6b3b4 26c5597d 6f72702f
> 6f6d2f63 73746e75 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000 00000000 00000000 00000000 00000000
> PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
> PAX: terminating task: /bin/chown(chown):22429, uid/euid: 0/0, PC:
> 00000000, SP: 5a2056b8

you have 2 possibilities here

either use
>=sys-apps/checkpolicy-1.22
>=sys-apps/policycoreutils-1.22
>=sys-libs/libsepol-1.4
>=sys-libs/libselinux-1.22
in your /etc/portage/package.mask, and downgrade these packages
you'll have to
USE='-selinux' emerge libselinux libsepol checkpolicy policycoreutils
make -C /etc/security/selinux/src/policy clean reload relabel

or (untested)
emerge sandbox

grsec+PAX+selinux is expected to behave well after any of the above.
I used the first approach on my systems, but I got no time yet to test the second.

bye,
peter

> The kernel options for GRSecurity + PAX are exactly the same on all 4
> machines. If I try to chown and or chmod something on a SELinux machine
> directly through the root user anything went fine but an emerge process
> will always be terminated by PAX.
>
> >>> Source unpacked.
>
> /usr/lib/portage/bin/ebuild.sh: line 1882: 24732 Killed
> chown portage:portage "${T}/environment" >&/dev/null
> /usr/lib/portage/bin/ebuild.sh: line 1882: 2229 Killed
> chmod g+w "${T}/environment" >&/dev/null
> /usr/lib/portage/bin/ebuild.sh: line 1882: 20815 Killed
> chown portage:portage "${T}/environment" >&/dev/null
> /usr/lib/portage/bin/ebuild.sh: line 1882: 8785 Killed
> chmod g+w "${T}/environment" >&/dev/null
>
> >>> Test phase [not enabled]: app-misc/unisysmon-0.2.2
>
> This happens with any ebuild I've tried in the last two weeks. From
> coreutils up to tar.
> Are there any known problems, suggestions?
> -Stefan

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
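
A triage helper for the "PAX: terminating task" records quoted in this thread, as an added example that is not part of the original messages or of any Gentoo, grsecurity or PaX tooling. It tallies kills per executable and flags records whose PC is 0, as in the report above; the function names and every SAMPLE line other than the chown record are constructed for illustration.

```python
import re

# Record format as shown in the post:
#   PAX: terminating task: /bin/chown(chown):22429, uid/euid: 0/0, PC: 00000000, SP: 5a2056b8
KILL_RE = re.compile(
    r"PAX: terminating task: (?P<path>\S+?)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), "
    r"PC: (?P<pc>[0-9a-fA-F]+), SP: (?P<sp>[0-9a-fA-F]+)"
)

def parse_pax_kills(text):
    """Return one dict per 'PAX: terminating task' record found in text."""
    # Drop mail quote markers, then collapse whitespace so that records
    # wrapped across lines (as in the quoted mail) still match.
    unquoted = re.sub(r"(?m)^[ \t]*(?:>[ \t]?)+", "", text)
    flat = re.sub(r"\s+", " ", unquoted)
    kills = []
    for m in KILL_RE.finditer(flat):
        rec = m.groupdict()
        for key in ("pid", "uid", "euid"):
            rec[key] = int(rec[key])
        rec["pc"] = int(rec["pc"], 16)
        rec["sp"] = int(rec["sp"], 16)
        rec["null_pc"] = rec["pc"] == 0   # matches "execution attempt in: <NULL>"
        kills.append(rec)
    return kills

def summarize(kills):
    """Count kills per executable path, and how many of them had PC == 0."""
    summary = {}
    for rec in kills:
        entry = summary.setdefault(rec["path"], {"total": 0, "null_pc": 0})
        entry["total"] += 1
        entry["null_pc"] += int(rec["null_pc"])
    return summary

# Constructed sample: the chown record is the one from the post (wrapped as in
# the mail); the chmod and /usr/bin/example records are made up for the demo.
SAMPLE = """\
kernel: PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
kernel: PAX: terminating task: /bin/chown(chown):22429, uid/euid: 0/0, PC:
 00000000, SP: 5a2056b8
kernel: PAX: terminating task: /bin/chmod(chmod):2229, uid/euid: 0/0, PC: 00000000, SP: 5a2056b8
kernel: PAX: terminating task: /usr/bin/example(example):4242, uid/euid: 1000/1000, PC: 5a20a010, SP: 5a2f0e10
"""

if __name__ == "__main__":
    for path, counts in sorted(summarize(parse_pax_kills(SAMPLE)).items()):
        print(f"{path}: {counts['total']} killed, {counts['null_pc']} with PC=0")
```

Several unrelated binaries all killed with PC=0 under the same parent process suggests a breakage common to them all rather than a defect in any one program.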