| 1 |
Hi |
| 2 |
|
| 3 |
Stefan SF wrote: |
| 4 |
> Hi, |
| 5 |
> I've two servers running with hardened-sources and GRSecurity + PAX |
| 6 |
> enabled and anything went fine. Two other servers running |
| 7 |
> hardened-sources with SELinux and GRSecurity + PAX I always get PAX |
| 8 |
> errors when I want to install something through emerge. |
| 9 |
> PAX: bytes at PC: <invalid address>. |
| 10 |
> PAX: bytes at SP: 26c5598c 26c6ccd1 26c6c849 5af6b3b4 26c5597d 6f72702f |
| 11 |
> 6f6d2f63 73746e75 00000000 00000000 00000000 00000000 00000000 00000000 |
| 12 |
> 00000000 00000000 00000000 00000000 00000000 00000000 |
| 13 |
> PAX: execution attempt in: <NULL>, 00000000-00000000 00000000 |
| 14 |
> PAX: terminating task: /bin/chown(chown):22429, uid/euid: 0/0, PC: |
| 15 |
> 00000000, SP: 5a2056b8 |
| 16 |
|
| 17 |
you have 2 possibilities here |
| 18 |
|
| 19 |
either use |
| 20 |
>=sys-apps/checkpolicy-1.22 |
| 21 |
>=sys-apps/policycoreutils-1.22 |
| 22 |
>=sys-libs/libsepol-1.4 |
| 23 |
>=sys-libs/libselinux-1.22 |
| 24 |
in your /etc/portage/package.mask, and downgrade these packages |
| 25 |
you'll have to |
| 26 |
USE='-selinux' emerge libselinux libsepol checkpolicy policycoreutils |
| 27 |
make -C /etc/security/selinux/src/policy clean reload relabel |
| 28 |
|
| 29 |
|
| 30 |
or (untested) |
| 31 |
emerge sandbox |
| 32 |
|
| 33 |
grsec+PAX+selinux is expected to behave well after any of the above. |
| 34 |
I used the first approach on my systems, but I got no time yet to test the second. |
| 35 |
|
| 36 |
bye, |
| 37 |
peter |
| 38 |
|
| 39 |
|
| 40 |
> The kernel options for GRSecurity + PAX are exactly the same on all 4 |
| 41 |
> machines. If I try to chown and or chmod something on a SELinux machine |
| 42 |
> directly through the root user anything went fine but an emerge process |
| 43 |
> will always be derminated by PAX. |
| 44 |
> |
| 45 |
>>>>Source unpacked. |
| 46 |
> |
| 47 |
> /usr/lib/portage/bin/ebuild.sh: line 1882: 24732 Killed |
| 48 |
> chown portage:portage "${T}/environment" >&/dev/null |
| 49 |
> /usr/lib/portage/bin/ebuild.sh: line 1882: 2229 Killed |
| 50 |
> chmod g+w "${T}/environment" >&/dev/null |
| 51 |
> /usr/lib/portage/bin/ebuild.sh: line 1882: 20815 Killed |
| 52 |
> chown portage:portage "${T}/environment" >&/dev/null |
| 53 |
> /usr/lib/portage/bin/ebuild.sh: line 1882: 8785 Killed |
| 54 |
> chmod g+w "${T}/environment" >&/dev/null |
| 55 |
> |
| 56 |
>>>>Test phase [not enabled]: app-misc/unisysmon-0.2.2 |
| 57 |
> |
| 58 |
> This happens with any ebuild I've tried in the last two weeks. From |
| 59 |
> coreutils up to tar. |
| 60 |
> Are there any known problems, suggestions? |
| 61 |
> -Stefan |
| 62 |
|
| 63 |
|
| 64 |
-- |
| 65 |
petre rodan |
| 66 |
<kaiowas@g.o> |
| 67 |
Developer, |
| 68 |
Hardened Gentoo Linux |
Archives