| Summary: | CONFIG_GRKERNSEC_PROC (4.1.7-hardened-r1) prevents polkitd (polkit-0.113) from working properly | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Gerold Schellstede <gentoo> |
| Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | alexanderyt |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=472098 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Gerold Schellstede
2015-11-18 12:44:06 UTC
(In reply to Gerold Schellstede from comment #0)
> Third try was nearly the same as the second try but with "polkitd" in group
> 12 --> works perfectly!

I thought I set it to group 10, but okay. Check CONFIG_GRKERNSEC_PROC_GID.

> This is the same workaround as mentioned in bug 472098 (comment 20). Related
> question: Is this a bug or a feature?

Yes, this is a known issue. I'm not sure where we can document this. If you can suggest something, I could write something.

(In reply to Anthony Basile from comment #1)
> (In reply to Gerold Schellstede from comment #0)
> > Third try was nearly the same as the second try but with "polkitd" in group
> > 12 --> works perfectly!
>
> I thought I set it to group 10, but okay. Check CONFIG_GRKERNSEC_PROC_GID.

I do not see the point, because the trusted group can be freely chosen during kernel configuration. I set it to 12, but every other unused value is also possible. Putting polkitd into this group is doing the trick.

> > This is the same workaround as mentioned in bug 472098 (comment 20). Related
> > question: Is this a bug or a feature?
>
> Yes, this is a known issue. I'm not sure where we can document this. If
> you can suggest something, I could write something.

We can document it as a bug of polkit together with GrSecurity. I think it would be useful to file a new bug which states the bug together with the workaround. Then one can mark the systemd-related bug and my xfce-related bug as duplicates. Then the link of the bugtracker entry should be mentioned at "https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart --> File System Protections".

However, I am not sure if it is really a bug. Polkitd needs more rights than CONFIG_GRKERNSEC_PROC gives it, namely looking into /proc. But this is what "CONFIG_GRKERNSEC_PROC" is made for. Therefore the trusted group was introduced to allow its members to still look into /proc.

Altogether, the real problem seems to me that nobody knows that one has to put polkitd into the trusted group. If you agree with me, I would suggest closing both bugs (the systemd-related and my xfce-related one) and making a short write-up at "https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart --> File System Protections" to make clear that one has to put polkitd into the trusted group. Another approach could be that during the emerge of polkit, portage looks into the kernel config and shows a failure if CONFIG_GRKERNSEC_PROC is set without a trusted group, or puts polkitd into the trusted group if it exists.
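The check the reporter proposes for the polkit ebuild, written out as an added example that is not part of this bug report or of Gentoo's polkit package: it reads CONFIG_GRKERNSEC_PROC and CONFIG_GRKERNSEC_PROC_GID from a kernel config file and compares the trusted GID against polkitd's group list. It assumes the config path and polkitd's numeric group IDs (as `id -G polkitd` prints them) are passed in as arguments, so it can be run against a constructed config without a live grsecurity kernel.

```shell
#!/bin/sh
# Added example: does a grsecurity kernel config lock polkitd out of /proc?
#   $1 = path to a kernel .config (e.g. /usr/src/linux/.config, or a file
#        written from `zcat /proc/config.gz`)
#   $2 = space-separated numeric group IDs of the polkitd user
#        (on a live system: "$(id -G polkitd)")
# Exit status: 0 = polkitd can read /proc, 1 = polkitd is not in the
# trusted group, 2 = CONFIG_GRKERNSEC_PROC=y but no trusted GID configured.
grsec_proc_check() {
    config="$1"
    polkit_gids="$2"

    # "# CONFIG_GRKERNSEC_PROC is not set" or absent: /proc is unrestricted.
    # The "=y" suffix keeps CONFIG_GRKERNSEC_PROC_GID=... from matching here.
    grep -q '^CONFIG_GRKERNSEC_PROC=y' "$config" || {
        echo "CONFIG_GRKERNSEC_PROC disabled: no /proc restriction"
        return 0
    }

    # The trusted group is whatever GID the kernel config names; the bug
    # report used 12, but any unused GID works.
    trusted_gid=$(sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=//p' "$config")
    if [ -z "$trusted_gid" ]; then
        echo "CONFIG_GRKERNSEC_PROC=y but CONFIG_GRKERNSEC_PROC_GID is unset"
        return 2
    fi

    for gid in $polkit_gids; do
        if [ "$gid" = "$trusted_gid" ]; then
            echo "polkitd is in trusted group $trusted_gid: /proc readable"
            return 0
        fi
    done

    echo "polkitd is NOT in trusted group $trusted_gid;" \
         "add it with: usermod -a -G <group-name-for-gid-$trusted_gid> polkitd"
    return 1
}
```

On a real system the call is `grsec_proc_check /usr/src/linux/.config "$(id -G polkitd)"`; a non-zero exit is the condition the reporter wants the ebuild to fail on.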