As reported by Alex Efros at the tail end of bug 118188:

---
I've just upgraded from -r3 to -r5. One new option was added in -r5: GRKERNSEC_MODSTOP. I've enabled it and found a small bug: disabling module (un)loading also automatically disables changing other grsec options.

I have these two lines at the bottom of /etc/sysctl.conf:

kernel.grsecurity.disable_modules = 1
kernel.grsecurity.grsec_lock = 1

and after executing the first line, sysctl is unable to execute the second line. Here is what I see in the console:

home /proc/sys/kernel/grsecurity # cat disable_modules
1
home /proc/sys/kernel/grsecurity # cat grsec_lock
0
home /proc/sys/kernel/grsecurity # echo 0 > disable_modules
home /proc/sys/kernel/grsecurity # cat disable_modules
1
home /proc/sys/kernel/grsecurity # echo 1 > grsec_lock
home /proc/sys/kernel/grsecurity # cat grsec_lock
0

And here is what was added to the log file while I ran these commands:

2006-02-02_02:49:04.79450 kern.alert: grsec: denied modification of grsecurity sysctl value : disable_modules by /bin/bash[bash:29081] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:13200] uid/euid:0/0 gid/egid:0/0
2006-02-02_02:49:16.37100 kern.alert: grsec: denied modification of grsecurity sysctl value : grsec_lock by /bin/bash[bash:29081] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:13200] uid/euid:0/0 gid/egid:0/0
---

According to Alex and solar, both hardened-sources-2.6.14-r5 and hardened-sources-2.4.32-r2 are affected. As I understand it, we are currently waiting on upstream for further developments.
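Added example, not part of the original report or of grsecurity: a small parser for the `denied modification of grsecurity sysctl value` messages quoted above, useful for spotting on an affected kernel that the write to grsec_lock was rejected. The regular expression is derived only from the two log lines in the report; the function names and the third sample line are assumptions made for illustration.

```python
import re

# Pattern inferred from the two kern.alert lines quoted in the report above.
DENIAL_RE = re.compile(
    r"grsec: denied modification of grsecurity sysctl value : (?P<sysctl>\S+)"
    r" by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r" uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+,"
    r" parent (?P<parent_exe>\S+)\[(?P<parent_comm>[^:\]]+):(?P<parent_pid>\d+)\]"
)

# First two lines: copied from the report. Third line: constructed, unrelated
# input to show that non-matching lines are skipped.
SAMPLE_LOG = [
    "2006-02-02_02:49:04.79450 kern.alert: grsec: denied modification of "
    "grsecurity sysctl value : disable_modules by /bin/bash[bash:29081] "
    "uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:13200] uid/euid:0/0 gid/egid:0/0",
    "2006-02-02_02:49:16.37100 kern.alert: grsec: denied modification of "
    "grsecurity sysctl value : grsec_lock by /bin/bash[bash:29081] "
    "uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:13200] uid/euid:0/0 gid/egid:0/0",
    "2006-02-02_02:50:00.00000 kern.info: constructed unrelated message",
]


def parse_denials(lines):
    """Return one dict per denied grsecurity sysctl write found in lines."""
    denials = []
    for line in lines:
        match = DENIAL_RE.search(line)
        if match is None:
            continue  # not a grsec sysctl denial
        record = match.groupdict()
        for key in ("pid", "uid", "euid", "parent_pid"):
            record[key] = int(record[key])
        record["timestamp"] = line.split(" ", 1)[0]
        denials.append(record)
    return denials


def lock_write_denied(denials):
    """True if a write to grsec_lock was rejected (the symptom reported here)."""
    return any(d["sysctl"] == "grsec_lock" for d in denials)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(d["timestamp"], d["sysctl"], d["exe"], d["pid"], "euid", d["euid"])
    print("grsec_lock write denied:", lock_write_denied(found))
```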
spender has a new patch (grsecurity-2.1.8-2.6.14.7-200602052251) which should address two things over the prior release:

1) Hopefully this bug (for which I shall attach an incremental patch here)
2) bug 99413

Alex, can you give this patch a try please?
Created attachment 79004: grsec-2.1.8-disable_modules-fix.patch
I've tested both patches (this and for bug 99413).

This patch fixes the bug. The patch for bug 99413 probably fixes that bug too. Probably, because I don't have the problem described in bug 99413 on every reboot, so a couple of reboots without this issue don't make me 100% sure that bug 99413 is fixed too.
(In reply to comment #3)
> I've tested both patches (this and for bug 99413).
>
> This patch fixes the bug.

Good, thanks for testing :) As for #99413, please make any observations within the context of the bug itself.
Fixed in hardened-sources-2.6.14-r6 (bug 121925) - closing.
Hmm, actually that was a bit hasty - as far as I know this still affects 2.4. Re-opening and assigning to solar to determine the bug's fate.
Unless somebody is asking for a fix, I'm more likely to wait for 2.1.9.
This should be fixed now. If not, please report it to the grsec mailing list.