As per $summary: In grsec.log I see various denied mmaps.

Jul 28 09:11:19 ks313333 kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/sbin/clamd[clamd:5326] uid/euid:102/102 gid/egid:197/197, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Portage 2.1.10.3 (hardened/linux/amd64, gcc-4.4.5, glibc-2.12.2-r0, 2.6.39-hardened-r6-xxxx-std-ipv6-64 x86_64)
=================================================================
System uname: Linux-2.6.39-hardened-r6-xxxx-std-ipv6-64-x86_64-Intel-R-_Core-TM-_i7_CPU_950_@_3.07GHz-with-gentoo-2.0.3
Timestamp of tree: Tue, 26 Jul 2011 09:30:01 +0000
app-shells/bash: 4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.1-r1
dev-util/cmake: 2.8.4-r1
dev-util/pkgconfig: 0.26
sys-apps/baselayout: 2.0.3
sys-apps/openrc: 0.8.3-r1
sys-apps/sandbox: 2.4
sys-devel/autoconf: 2.68
sys-devel/automake: 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.4.5
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool: 2.2.10
sys-devel/make: 3.82
sys-kernel/linux-headers: 2.6.36.1 (virtual/os-headers)
sys-libs/glibc: 2.12.2
Repositories: gentoo ineluctable-overlay x-portage x-layman
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -g0 -w"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind /var/lib/redmine/config /var/qmail/alias /var/qmail/control /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /var/lib/redmine/config/locales /var/lib/redmine/config/settings.yml"
CXXFLAGS="-march=native -O2 -g0 -w"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner --with-bdeps y --deep 45 --backtrack=45 --complete-graph y"
FEATURES="assume-digests binpkg-logs collision-protect distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
INSTALL_MASK=" /usr/lib*/*.a /usr/lib/lib[0-9]*.la /usr/lib/lib[a-k]*.la /usr/lib/lib[m-z]*.la /usr/lib/libl[0-9]*.la /usr/lib/libl[a-s]*.la /usr/lib/libl[u-z]*.la /usr/lib/liblt[0-9]*.la /usr/lib/liblt[a-c]*.la /usr/lib/liblt[e-z]*.la /usr/lib/libltd[0-9]*.la /usr/lib/libltd[a-k]*.la /usr/lib/libltd[m-z]*.la /usr/lib/libltdl[0-9]*.la /usr/lib/libltdl[a-z]*.la"
LANG="en_GB.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,now -Wl,--hash-style=gnu"
LINGUAS="en en_GB ru uk it de fr fi"
MAKEOPTS="-j2 -s"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/ineluctable-overlay /usr/local/portage /var/lib/layman"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl acpi amd64 apache2 bzip2 caps chroot cli cracklib crypt dri fam fftw gpm hardened iconv idn imap ipv6 justify maildir mmap mmx modules multilib mysql network-cron nocxx nptl nptlonly openmp pam pcre pppd python2 qmail qmail-spp session spamassassin sse sse2 ssl symlink sysfs threads truetype unicode urandom utf8 uuid vpopmail xattr xml xorg zlib"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias auth_digest reqtimeout status"
CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en en_GB ru uk it de fr fi"
NGINX_MODULES_HTTP="auth_basic charset empty_gif fastcgi gzip memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash userid uwsgi access"
NGINX_MODULES_MAIL="imap smtp"
PHP_TARGETS="php5-3"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
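Added example, not from the bug report or from the ClamAV/Gentoo code: a small Python triage script that parses grsec.log lines of the shape quoted above, counts RWX denials per executable, and marks denials from the clamd binaries this bug names as the expected bytecode-JIT fallback, so only denials from unexpected binaries need a closer look. The sample log is constructed (line 1 is the report's own line; the others are made up), and the KNOWN_JIT_USERS set and "unknownd" path are assumptions for the example.

```python
import re
from collections import defaultdict

# Layout of the grsec RWX denial quoted in the report; the op is captured, not hard-coded.
GRSEC_RWX = re.compile(
    r"grsec: denied RWX (?P<op>\w+) of (?P<target>.+?) "
    r"by (?P<exe>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>[^\s\[]+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]")

# Binaries the bug names as legitimate JIT users; their denials are the interpreter fallback.
KNOWN_JIT_USERS = {"/usr/sbin/clamd", "/usr/bin/clamscan", "/usr/bin/clamconf"}

# Constructed sample: line 1 is the report's own line, the rest are made up for the example.
SAMPLE_LOG = [
    "Jul 28 09:11:19 ks313333 kernel: grsec: denied RWX mmap of <anonymous mapping> "
    "by /usr/sbin/clamd[clamd:5326] uid/euid:102/102 gid/egid:197/197, "
    "parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Jul 28 09:11:20 ks313333 kernel: grsec: denied RWX mmap of <anonymous mapping> "
    "by /usr/sbin/clamd[clamd:5326] uid/euid:102/102 gid/egid:197/197, "
    "parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Jul 28 09:12:03 ks313333 kernel: grsec: denied RWX mmap of <anonymous mapping> "
    "by /usr/local/bin/unknownd[unknownd:6001] uid/euid:1000/1000 gid/egid:100/100, "
    "parent /bin/bash[bash:5990] uid/euid:1000/1000 gid/egid:100/100",
]

def parse_denial(line):
    """Fields of one grsec RWX denial line as a dict, or None for any other line."""
    m = GRSEC_RWX.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        rec[key] = int(rec[key])
    return rec

def triage(lines, known=KNOWN_JIT_USERS):
    """Count denials per executable and label each as expected JIT fallback or suspicious."""
    hits = defaultdict(lambda: {"count": 0, "pids": set()})
    for rec in filter(None, map(parse_denial, lines)):
        hits[rec["exe"]]["count"] += 1
        hits[rec["exe"]]["pids"].add(rec["pid"])
    for exe, h in hits.items():
        h["verdict"] = ("expected: JIT fallback, set PaX flags on the ELF" if exe in known
                        else "investigate: RWX request from an unexpected binary")
    return dict(hits)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```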
clamd uses JIT compilation for rules at startup time. Also, clamd checks for a PaX kernel in debug mode, i.e.:

clamd --debug
LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect' access. Run 'paxctl -cm <executable>'

Please add a paxctl call to the ebuild in the hardened profile. Also see http://git.clamav.net/gitweb?p=clamav-bytecode-compiler.git;a=patch;h=2706b400bf598278ec6e0817c1b544bfad3d28c2
These binaries should be PaX'ed: /usr/sbin/clamd /usr/bin/clamscan /usr/bin/clamconf
See bug #326199 comment 13
Since this bug is still open... Here's what happens when I start clamd:

# /etc/init.d/clamd start
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect' access. Run 'paxctl -cm <executable>'

Certainly this looks bad (and the suggestion is wrong these days; it should be to use paxctl-ng). If Anthony's comment on bug #326199 is true, can we at least hide the warnings? Maybe upstream would be willing to change the message to say something like "Falling back to interpreted bytecode..." or whatever. If there's a one-to-one correspondence between the "RWX mapping denied" warnings and the JIT fallback, the former shouldn't be displayed if the latter is. It would make this a lot less frightening.
Is this still happening with the current (stable/unstable) version? Putting RESOLVED-NEEDINFO; please just re-open if it is still a problem.