I installed a fresh vanilla kernel with the latest grsec patches (2.6.14.3). I configured the system as described in http://www.gentoo.org/proj/en/hardened/grsecurity.xml and rebooted the system. PaX is doing fine and the sysctl stuff seems to work correctly so far. Only gradm -E fails with the following error:

amd64 grsec # gradm -F -L /etc/grsec/learning.log
Duplicate object found for "/lib64" in role default, subject /sbin/gradm, on line 1 of (null).
"/lib64" references the same object as the following object(s):
/lib (due to symlinking/hardlinking)
/lib64 (due to symlinking/hardlinking)
specified on an earlier line.
The RBAC system will not load until this error is fixed.

Before that I had renamed the policy file to policy.dist, so there is no active policy file yet. And yes, /lib is a symlink to /lib64. Same with every lib combination. So gradm should not worry about this, and I think this is a bug. I did not find answers in Google, the Gentoo forum, nor here.

Thanks in advance
Christian

Reproducible: Always

Steps to Reproduce:
1. gradm -E
2. gradm -F -L /etc/grsec/learning.log
3.

Actual Results:
1.: Duplicate object found for "/lib64" in role default, subject /sbin/gradm, on line 132 of /etc/grsec/policy.
"/lib64" references the same object as the following object(s):
/lib (due to symlinking/hardlinking)
/lib64 (due to symlinking/hardlinking)
specified on an earlier line.
The RBAC system will not load until this error is fixed.

2.: Duplicate object found for "/lib64" in role default, subject /sbin/gradm, on line 1 of (null).
"/lib64" references the same object as the following object(s):
/lib (due to symlinking/hardlinking)
/lib64 (due to symlinking/hardlinking)
specified on an earlier line.
The RBAC system will not load until this error is fixed.
Gentoo Base System version 1.6.13 Portage 2.0.53 (default-linux/amd64/2005.1, gcc-4.0.2, glibc-2.3.6-r1, 2.6.14.3-grsec x86_64) ================================================================= System uname: 2.6.14.3-grsec x86_64 AMD Athlon(tm) 64 Processor 3200+ ccache version 2.4 [enabled] dev-lang/python: 2.4.2 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 sys-devel/binutils: 2.16.1-r1 sys-devel/libtool: 1.5.20-r1 virtual/os-headers: 2.6.11-r3 ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="" ALSA_CARDS="intel8x0 emu10k1" ANT_HOME="/usr/share/ant-core" ARCH="amd64" AUTOCLEAN="yes" BASH_ENV="/etc/spork/is/not/valid/profile.env" CBUILD="x86_64-pc-linux-gnu" CCACHE_DIR="/var/tmp/.ccache_64" CCACHE_SIZE="2G" CDEFINE_amd64="__x86_64__" CDEFINE_x86="__i386__" CFLAGS="-O2 -march=athlon64 -pipe" CFLAGS_x86="-m32 -L/emul/linux/x86/lib -L/emul/linux/x86/usr/lib" CHOST="x86_64-pc-linux-gnu" CHOST_amd64="x86_64-pc-linux-gnu" CHOST_x86="i686-pc-linux-gnu" CLASSPATH="." 
CLEAN_DELAY="5" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib64/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/splash /etc/terminfo /etc/texmf/web2c /etc/env.d" CVS_RSH="ssh" CXXFLAGS="-O2 -march=athlon64 -pipe" DCCC_PATH="/usr/lib/distcc/bin" DEFAULT_ABI="amd64" DISPLAY=":0.0" DISTCC_DIR="/var/tmp/.distcc" DISTCC_LOG="" DISTCC_VERBOSE="0" DISTDIR="/usr/portage/distfiles" EDITOR="/usr/bin/vim" ELIBC="glibc" EMERGE_WARNING_DELAY="10" FEATURES="autoconfig ccache digest distlocks prelink sandbox sfperms strict" FETCHCOMMAND="/usr/bin/wget -t 5 --passive-ftp --no-check-certificate ${URI} -P ${DISTDIR}" FLTK_DOCDIR="/usr/share/doc/fltk-1.1.6/html" FRITZCAPI_CARDS="fcusb2" GCC_SPECS="" GDK_USE_XFT="1" GDM_LANG="de_DE.utf8" GENTOO_MIRRORS="http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://gentoo.inode.at/source/ ftp://ftp.easynet.nl/mirror/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo" GUILE_LOAD_PATH="/usr/share/guile/1.6" G_BROKEN_FILENAMES="1" HISTCONTROL="ignoredups:erasedups" HOME="/root" HOSTNAME="amd64" INFOPATH="/usr/share/info:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.16.1/info:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.0.2/info" JAVAC="/opt/blackdown-jdk-1.4.2.02/bin/javac" JAVA_HOME="/opt/blackdown-jdk-1.4.2.02" JDK_HOME="/opt/blackdown-jdk-1.4.2.02" KERNEL="linux" LADSPA_PATH="/usr/lib64/ladspa" LANG="de_DE.utf8" LC_ALL="de_DE.utf8" LDFLAGS_x86="-m elf_i386 -L/emul/linux/x86/lib -L/emul/linux/x86/usr/lib" LESS="-R -M --shift 5" LESSOPEN="|lesspipe.sh %s" LIBDIR_amd64="lib64" LIBDIR_x86="lib32" LINGUAS="de" LOGNAME="root" 
LS_COLORS="no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mng=01;35:*.xcf=01;35:*.pcx=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.avi=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.mov=01;35:*.qt=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.pdf=00;32:*.ps=00;32:*.txt=00;32:*.patch=00;32:*.diff=00;32:*.log=00;32:*.tex=00;32:*.doc=00;32:*.mp3=00;36:*.wav=00;36:*.mid=00;36:*.midi=00;36:*.au=00;36:*.ogg=00;36:*.flac=00;36:*.aac=00;36:" MAKEOPTS="-j3" MANPATH="/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.16.1/man:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.0.2/man::/opt/blackdown-jdk-1.4.2.02/man" MOZILLA_FIVE_HOME="/usr/lib64/mozilla" MULTILIB_ABIS="x86 amd64" MULTILIB_STRICT_DENY="64-bit.*shared object" MULTILIB_STRICT_DIRS="/lib /usr/lib /usr/kde/*/lib /usr/qt/*/lib /usr/X11R6/lib" MULTILIB_STRICT_EXEMPT="(perl5|gcc|gcc-lib|eclipse-3)" OLDPWD="/root" OPENGL_PROFILE="nvidia" PAGER="/usr/bin/less" PATH="/root/bin:/usr/lib/ccache/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.0.2:/opt/Acrobat7:/opt/blackdown-jdk-1.4.2.02/bin:/opt/blackdown-jdk-1.4.2.02/jre/bin" PKGDIR="/usr/portage/packages" PORTAGE_ARCHLIST="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 ppc-macos s390 sh sparc x86" PORTAGE_BINHOST_CHUNKSIZE="3000" PORTAGE_CALLER="emerge" PORTAGE_GID="250" 
PORTAGE_MASTER_PID="18223" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" PORT_LOGDIR="/var/log/portage" PRELINK_PATH="" PRELINK_PATH_MASK="/usr/lib/gstreamer-0.8:/lib/modules:/usr/lib64/locale:/usr/lib64/wine:/usr/lib64/valgrind:*.la:*.png:*.py:*.pl:*.pm:*.sh:*.xml:*.xslt:*.a:*.js:/usr/lib/klibc" PWD="/etc/grsec" PYTHONDOCS="/usr/share/doc/python-docs-2.4.2/html" PYTHONPATH="/usr/lib/portage/pym" QTDIR="/emul/linux/x86/usr/qt/2:/emul/linux/x86/usr/qt/3" RESUMECOMMAND="/usr/bin/wget -c -t 5 --passive-ftp --no-check-certificate ${URI} -P ${DISTDIR}" RPMDIR="/usr/portage/rpm" RSYNC_RETRIES="3" RSYNC_TIMEOUT="180" SANE_CONFIG_DIR="/etc/sane.d" SHELL="/bin/bash" SHLVL="1" SSH_AGENT_PID="3003" SSH_AUTH_SOCK="/tmp/ssh-obcTN32330/agent.32330" SYMLINK_LIB="yes" SYNC="rsync://rsync.gentoo.org/gentoo-portage" TERM="xterm" USE="amd64 X X509 a52 aac aalib acl acpi acpi4linux activefilter adns alsa apache2 audiofile avi bash-completion bcmath berkdb bigger-fonts bitmap-fonts bluetooth bonobo browserplugin bzip2 bzlib cairo caps cdb cddb cdparanoia cdr chroot client codecs crypt cscope css ctype cups dbm dbus dga dhcp directfb doc dts dvd dvdr dvdread dxr3 eds emboss encode esd ethereal exif expat extensions faac faad fam fame fax faxonly fbcon ffmpeg flac font-server foomaticdb freetype gd gdbm gif gimp gimpprint glitz glut gmp gnome gpm gstreamer gtk gtk2 gtkhtml guile hal hbci howl icq icu idn imagemagick imap imlib ipv6 javascript jbig jpeg jpeg2k junit lcd lcms ldap libcaca libclamav libwww lirc lm_sensors lzo lzw lzw-tiff mad maildir mailwrapper mbox mcal md5sum mhash mikmod mime ming mjpeg mng motif mozilla mp3 mpeg mpeg4 mppe-mppc mysql nas nautilus ncurses network nls no-old-linux nptl nptlonly nsplugin nvidia ogg oggvorbis opengl oss pam password pcntl pcre pdflib perl php pic png pnp posix postgres ppds python quicktime readline recode rtc ruby samba scanner sdl session sftplogging slang snmp sockets sox speex spell sqlite ssl 
subversion svg symlink tcltk tcpd tetex theora threads tiff tokenizer truetype truetype-fonts type1-fonts udev unicode usb userlocales vcd vim-with-x vorbis wmf wxwindows xine xml xml2 xmms xpm xprint xrandr xsl xv xvid zlib fritzcapi_cards_fcusb2 video_cards_nvidia linguas_de userland_GNU kernel_linux elibc_glibc" USER="root" USERLAND="GNU" USE_EXPAND="FRITZCAPI_CARDS FCDSL_CARDS VIDEO_CARDS DVB_CARDS INPUT_DEVICES LINGUAS USERLAND KERNEL ELIBC" VIDEO_CARDS="nvidia" XARGS="xargs -r" XAUTHORITY="/root/.xauthfyIN29" XINITRC="/etc/X11/xinit/xinitrc" _="/usr/bin/emerge" use_Mesa="no"
I need to update the gradm in portage later today.
Never mind, there is already a gradm-2.1.7* in the tree. The error msg listed by gradm is pretty clear. It hates your half-multilib setup. You need to edit the policy. Best to probably remove any /lib64 entries.
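The check gradm is complaining about, reconstructed as an added example (not code from gradm or from this bug thread): within one subject, two object paths that resolve to the same file or directory (a symlink and its target, or two hard links) are rejected as a duplicate object. The script below parses a constructed RBAC policy in the gradm 2.x syntax, resolves each object path inside a constructed temporary root where /lib is a symlink to lib64 (a stand-in for the reporter's layout), and reports the colliding pairs so you can find which lines to remove before running gradm -E. The policy text, the directory layout and the function names are all assumptions made for the demonstration; gradm's own comparison uses device/inode numbers in the kernel and may differ in detail.

```python
import os
import tempfile
from collections import defaultdict

# Constructed sample policy in gradm 2.x syntax (not the reporter's file).
# Subject /sbin/gradm lists both /lib and /lib64; on a system where /lib is
# a symlink to lib64 these are the same object and gradm refuses the policy.
SAMPLE_POLICY = """\
role admin sA
subject / rvka {
    /   rwcdmlxi
}

role default G
role_transitions admin
subject / {
    /          h
    /lib       rx
    /usr/lib   rx
    -CAP_ALL
}

subject /sbin/gradm o {
    /          h
    /lib       rx
    /lib64     rx
    /etc/grsec r
    -CAP_ALL
}
"""


def canonical(path, root):
    """Resolve a policy path as if `root` were '/', following symlinks inside it."""
    real_root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(real_root, path.lstrip("/")))
    if full == real_root:
        return "/"
    if full.startswith(real_root + os.sep):
        return full[len(real_root):]
    return full  # symlink pointed outside the demo root; report it as-is


def identity(path, root):
    """Key gradm effectively compares on: the inode behind the path, so a symlink
    and its target (or two hard links) collide. Paths that do not exist are keyed
    by their canonical string instead."""
    full = os.path.join(os.path.realpath(root), path.lstrip("/"))
    try:
        st = os.stat(full)
        return ("inode", st.st_dev, st.st_ino)
    except FileNotFoundError:
        return ("path", canonical(path, root))


def parse_objects(policy_text):
    """Map (role, subject) -> declared object paths, in file order.
    Only path lines inside a subject block are objects; capability (-CAP_*),
    resource and role lines are skipped."""
    objects = defaultdict(list)
    role = subject = None
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("role "):
            role, subject = line.split()[1], None
        elif line.startswith("subject "):
            subject = line.split()[1]
        elif line == "}":
            subject = None
        elif subject is not None and line.startswith("/"):
            objects[(role, subject)].append(line.split()[0])
    return objects


def find_duplicate_objects(policy_text, root):
    """Return [(role, subject, resolved_target, [declared paths])] for every
    group of objects in one subject that resolve to the same thing."""
    dups = []
    for (role, subject), paths in parse_objects(policy_text).items():
        by_target = defaultdict(list)
        for p in paths:
            by_target[identity(p, root)].append(p)
        for declared in by_target.values():
            if len(declared) > 1:
                dups.append((role, subject, canonical(declared[0], root), declared))
    return dups


def make_multilib_root():
    """Constructed stand-in for the reporter's filesystem: lib -> lib64 symlinks."""
    root = tempfile.mkdtemp(prefix="rbac-demo-")
    os.makedirs(os.path.join(root, "lib64"))
    os.makedirs(os.path.join(root, "usr", "lib64"))
    os.makedirs(os.path.join(root, "etc", "grsec"))
    os.symlink("lib64", os.path.join(root, "lib"))
    os.symlink("lib64", os.path.join(root, "usr", "lib"))
    return root


if __name__ == "__main__":
    demo_root = make_multilib_root()
    for role, subj, target, declared in find_duplicate_objects(SAMPLE_POLICY, demo_root):
        print(f"role {role}, subject {subj}: {declared} all resolve to {target}")
```

To run it against a real policy, pass "/" as the root and the contents of /etc/grsec/policy as the text; every reported group is a set of lines of which all but one must go. Note that the subject "/" in the sample lists /lib and /usr/lib but not their lib64 twins, so it passes; only /sbin/gradm is flagged, matching the shape of the error in the report.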
There are only two problems:
1.) I am already using the latest version of gradm from portage.
2.) There are absolutely no /lib64 entries in my policy file, and even after changing them or commenting them out completely, the error still appears.
So this is a problem with gradm itself.
Ok, problems with a package's runtime, unless the ebuild itself is at fault, should be reported upstream. You may contact Brad Spengler <spender at grsecurity.net> or the grsec mailing list and describe your problem in detail. Attach/offer your policy file as needed. Be sure to say you're using the current gradm with a matching kernel.
This is fixed upstream now.