Bug 406633 - sys-apps/gradm-2.9.201202232055 reports incompatible version with sys-kernel/hardened-sources-3.2.7 but rules are still applied
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2012-03-02 18:26 UTC by Attila Tóth
Modified: 2012-03-04 11:45 UTC
Description Attila Tóth 2012-03-02 18:26:37 UTC
I've tried to bump gradm and hardened-sources to the most recent version (gradm-2.9.201202232055, hardened-sources-3.2.7, there was a UID change detection problem in hardened-sources-3.2.6).
Upon booting the system the policy gets activated automatically. If incompatible versions of gradm and grsecurity were installed on the system, the automatic policy activation failed and I could take action before reboot.
If I use gradm-2.9.201202232055 and hardened-sources-3.2.7, I cannot authenticate as an admin after reboot, because I get the "incompatible versions" error message. However the policy is active so I have to reboot with another kernel to be able to fix the system.
Is it an intended behavior to prevent leaving a system open inadvertently in newer kernels? If I boot hardened-sources-3.2.5 with gradm-2.9.201202232055, it won't let me authenticate as an admin because of "incompatible versions", but the policy won't be activated, either.

Reproducible: Always

Steps to Reproduce:
1. emerge sys-apps/gradm-2.9.201202232055
2. emerge sys-kernel/hardened-sources-3.2.7
3. try to authenticate and check if the policy is activated or not
Comment 1 Attila Tóth 2012-03-02 18:28:49 UTC
The complete error message says:
"You are using incompatible versions of gradm and grsecurity.
Please update both versions to the ones available on the website.
Make sure your gradm has been compiled for the kernel you are currently running."

In the meantime I cannot see hidden directories and cannot switch roles to fix the system.
Comment 2 Anthony Basile gentoo-dev 2012-03-02 20:09:22 UTC
(In reply to comment #1)
> The complete error message says:
> "You are using incompatible versions of gradm and grsecurity.
> Please update both versions to the ones available on the website.
> Make sure your gradm has been compiled for the kernel you are currently
> running."
> 
> In the meantime I cannot see hidden directories and cannot switch roles to
> fix the system.

Upstream assures me there is no bug. Also I cannot confirm a bug. Your steps to reproduce are vague because I'm not sure if you configured/compiled and rebooted into 3.2.7 *before* you used gradm-2.9.

So do this:

1. Make sure you are running in the old grsec-2.2.2 kernel with old gradm-2.2.2
2. Disable rbac and make sure that it will not be enabled on boot next time
3. emerge h-s-3.2.7.  configure it.  compile it.  boot into it.
4. uname -r should show 3.2.7-hardened
5. emerge gradm-2.9, it will replace the old gradm-2.2.2
6. re-enable rbac, set it so it comes up on boot or however you want to configure it.

Let me know if this fixes your problem.
Comment 3 Attila Tóth 2012-03-03 23:57:41 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > The complete error message says:
> > "You are using incompatible versions of gradm and grsecurity.
> > Please update both versions to the ones available on the website.
> > Make sure your gradm has been compiled for the kernel you are currently
> > running."
> > 
> > In the meantime I cannot see hidden directories and cannot switch roles to
> > fix the system.
> 
> Upstream assures me there is no bug. Also I cannot confirm a bug. Your
> steps to reproduce are vague because I'm not sure if you
> configured/compiled and rebooted into 3.2.7 *before* you used gradm-2.9.
> 
> So do this:
> 
> 1. Make sure you are running in the old grsec-2.2.2 kernel with old
> gradm-2.2.2
> 2. Disable rbac and make sure that it will not be enabled on boot next time
> 3. emerge h-s-3.2.7.  configure it.  compile it.  boot into it.
> 4. uname -r should show 3.2.7-hardened
> 5. emerge gradm-2.9, it will replace the old gradm-2.2.2
> 6. re-enable rbac, set it so it comes up on boot or however you want to
> configure it.
> 
> Let me know if this fixes your problem.

Previously I compiled gradm-2.9 while running h-s-3.2.5. However I set the kernel symlink to h-s-3.2.7. After compiling gradm-2.9 on h-s-3.2.7, it worked fine.
It would still be nice to be able to compile gradm for a kernel which is not currently booted. Otherwise I have to boot the new kernel and have a small period left open while compiling gradm.

Thx:
Dw.
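
A boot-time guard for the lockout described in this thread, as an added example that is not from the bug report or from the gradm or Gentoo projects: it records the kernel release gradm was compiled under and refuses to enable RBAC under any other kernel. The stamp file path and the function names are hypothetical; `gradm -E` is gradm's own enable switch.

```shell
#!/bin/sh
# Added example. Assumption (from the thread): gradm only works with the
# kernel that was running when it was compiled.

# Hypothetical stamp file holding the kernel release gradm was built under.
STAMP=${GRADM_STAMP:-/var/lib/gradm/built-for-kernel}

# Call right after (re)building gradm, e.g. after "emerge gradm".
# $1 = kernel release to record (defaults to the running kernel).
record_build_kernel() {
    release=${1:-$(uname -r)}
    mkdir -p "$(dirname "$STAMP")"
    printf '%s\n' "$release" > "$STAMP"
}

# Returns 0 if gradm matches the running kernel, 1 on mismatch,
# 2 if no build record exists. $1 = running release (defaults to uname -r).
rbac_safe_to_enable() {
    running=${1:-$(uname -r)}
    [ -r "$STAMP" ] || { echo "no gradm build record at $STAMP" >&2; return 2; }
    built=$(cat "$STAMP")
    if [ "$running" = "$built" ]; then
        return 0
    fi
    echo "gradm built under $built but running $running: RBAC left disabled" >&2
    return 1
}

# Use from the boot script instead of calling "gradm -E" directly.
# A mismatch leaves the policy off so the admin can still rebuild gradm.
enable_rbac_guarded() {
    if rbac_safe_to_enable "$@"; then
        "${GRADM:-gradm}" -E
    else
        return 1
    fi
}
```

On a mismatch the system boots without the policy, which is the window the reporter mentions; the guard trades that for not being locked out of the admin role.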