PAX: From xxxxxx: execution attempt in: <anonymous mapping>, 331cd17000-331dba6000 331cd17000
PAX: terminating task: /usr/bin/snort(snort):5788, uid/euid: 0/0, PC: 000000331d8caf90, SP: 000003ba6f74a138
PAX: bytes at PC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000000331db06670 0000034cc840e16d 0000000000000000 000000331db06770 000003ba6f74a190 0000034cc840e08a 000000331db067d0 000000331ca8bf46 000000051db06810 000003ba6f74a1c0 0000000000000000
grsec: From 62.231.86.211: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/snort[snort:5788] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:12140] uid/euid:0/0 gid/egid:0/0
I take it you already know how to use paxctl to disable protections on snort as needed, but you are reporting violation in case somebody is up to fixing snort?
(In reply to comment #1)
> I take it you already know how to use paxctl to disable protections on snort as
> needed, but you are reporting violation in case somebody is up to fixing snort?

Yes, with MPROTECT disabled it is working.
I do not know a lot about PAX, but this looks like an issue that would need to be reported upstream to the Sourcefire folks. Am I correct in assuming this isn't something I can address in the ebuild?
It could be done in the ebuild: on postinstall, the command paxctl -m /usr/bin/snort disables mprotect. But I'm not sure this is the solution; it is just a workaround.
Yea I don't think that is a "fix" and it would require artificially DEPEND'ing on pax-utils in the ebuild, which is really an option. Can you post the output from "emerge --info" and "emerge -vp snort" to this bug? I'll open a bug upstream with the SF folks and point them to this bug posting.
The above should say "which is really NOT an option."

(In reply to comment #5)
> Yea I don't think that is a "fix" and it would require artificially DEPEND'ing
> on pax-utils in the ebuild, which is really an option.
>
> Can you post the output from "emerge --info" and "emerge -vp snort" to this
> bug?
>
> I'll open a bug upstream with the SF folks and point them to this bug posting.
Portage 2.1.8.3 (hardened/linux/amd64/no-multilib, gcc-4.3.4, glibc-2.11.2-r3, 2.6.32-hardened-r9-oxxie x86_64)
=================================================================
System uname: Linux-2.6.32-hardened-r9-oxxie-x86_64-Intel-R-_Pentium-R-_D_CPU_3.40GHz-with-gentoo-1.12.13
Timestamp of tree: Sat, 22 Jan 2011 21:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash: 4.0_p35
dev-lang/python: 2.6.4
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.13
sys-apps/sandbox: 1.6-r2
sys-devel/autoconf: 2.63-r1
sys-devel/automake: 1.9.6-r2, 1.10.2, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6b
sys-devel/make: 3.81
virtual/os-headers: 2.6.27-r2
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe -fomit-frame-pointer -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -O2 -pipe -fomit-frame-pointer -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X509 acl acpi amd64 apache2 avi bzip2 cairo cdr clamav clamd cracklib crypt cxx dbus dcc directfb diskio dovecot-sasl dvd dvdread extensions fam fbcon ftp gdbm gpm hal hardened hpn iconv imap ipv6 justify libg++ maildir mime mmx modules mppe-mppc mudflap mysql mzscheme ncurses nls nptl nptlonly openmp opensslcrypt pam pdflib pic postfix python pyzor razor readline sendfile session sguil shaper sharedmem snmp sse sse2 ssl subject-rewrite sysfs tools udev unicode urandom xml zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

emerge -vp snort

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] net-analyzer/snort-2.9.0.3 USE="active-response decoder-preprocessor-rules dynamicplugin flexresp3 ipv6 linux-smp-stats mysql perfprofiling react threads zlib -aruba -debug -gre -inline-init-failopen -mpls -normalizer* -odbc -postgres -ppm -prelude -reload-error-restart (-selinux) -static -targetbased" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
Can't reproduce the problem to produce a core dump.
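
Added example, not part of the thread or of any participant's comment: a small parser for the PaX/grsec kernel messages in the original report. It correlates the kill with the denied RLIMIT_CORE request by pid and checks whether the reported PC lies inside the mapping named in the first line. The function and field names are this example's own, and the regular expressions assume the message layout seen in this report.

```python
import re

# Kernel log lines copied from the report at the top of this thread
# (the "bytes at SP-8" line is left out; it is not parsed here).
SAMPLE = """\
PAX: From xxxxxx: execution attempt in: <anonymous mapping>, 331cd17000-331dba6000 331cd17000
PAX: terminating task: /usr/bin/snort(snort):5788, uid/euid: 0/0, PC: 000000331d8caf90, SP: 000003ba6f74a138
PAX: bytes at PC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
grsec: From 62.231.86.211: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/snort[snort:5788] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:12140] uid/euid:0/0 gid/egid:0/0
"""

HEX = r"([0-9a-f]+)"
EXEC = re.compile(rf"PAX: (?:From \S+: )?execution attempt in: (.+?), {HEX}-{HEX} {HEX}")
TERM = re.compile(rf"PAX: terminating task: ([^()\s]+)\((\S+?)\):(\d+), "
                  rf"uid/euid: (\d+)/(\d+), PC: {HEX}, SP: {HEX}")
AT_PC = re.compile(r"PAX: bytes at PC: ((?:[0-9a-f]{2} ?)+)")
RLIM = re.compile(r"grsec: .*denied resource overstep by requesting (\d+) for "
                  r"(RLIMIT_\w+) against limit (\d+) for [^\[\s]+\[[^:\]]+:(\d+)\]")


def parse_pax_kills(text):
    """Return one dict per 'execution attempt' event, correlated by pid."""
    events, cur = [], None
    for line in text.splitlines():
        if m := EXEC.search(line):
            cur = {"mapping": m[1], "start": int(m[2], 16), "end": int(m[3], 16)}
            events.append(cur)
        elif cur and (m := TERM.search(line)):
            cur.update(path=m[1], pid=int(m[3]), uid=int(m[4]), pc=int(m[6], 16))
            # PC inside the reported region: the task tried to execute from that mapping.
            cur["pc_in_mapping"] = cur["start"] <= cur["pc"] < cur["end"]
        elif cur and (m := AT_PC.search(line)):
            # True when the memory at PC was zero-filled at the time of the kill.
            cur["zero_at_pc"] = not any(bytes.fromhex(m[1]))
        elif m := RLIM.search(line):
            # Attach the denied rlimit to the killed task with the same pid.
            for ev in events:
                if ev.get("pid") == int(m[4]):
                    ev["denied_rlimit"] = (m[2], int(m[1]), int(m[3]))
    return events


if __name__ == "__main__":
    for ev in parse_pax_kills(SAMPLE):
        print(ev["path"], ev["pid"], ev["mapping"], ev["pc_in_mapping"],
              ev["zero_at_pc"], ev.get("denied_rlimit"))
```
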