Created attachment 339042 [details, diff]
Patch for linux-3.7.5-hardened/kernel/capability.c

GRKERNSEC_DEVICE_SIDECHANNEL, which was introduced with hardened-sources-3.7.5, causes some SELinux denial messages, because it checks for CAP_MKNOD. The implementation of this feature actually uses capable_nolog(CAP_MKNOD) (fs/stat.c), but its helper function ns_capable_nolog (kernel/capability.c) incorrectly calls security_capable instead of security_capable_noaudit. A patch is attached. (Remark: The _nolog functions are not part of the mainline kernel, but were introduced by grsecurity.)
Created attachment 339044 [details, diff] Patch for linux-3.7.5-hardened/kernel/capability.c
This looks sane. I'll pass it to upstream for them to consider including into the next grsec/pax patchset.
thanks, it's fixed in the latest grsec. for faster turnaround it's better to directly email us ;).
Thanks for fixing. From https://grsecurity.net I got the impression that the preferred way for reporting bugs were the forums, and I didn't want to create Yet Another Account (TM). Next time I'll contact you directly via mail...
(In reply to comment #4)
> Thanks for fixing. From https://grsecurity.net I got the impression that the
> preferred way for reporting bugs were the forums, and I didn't want to
> create Yet Another Account (TM). Next time I'll contact you directly via
> mail...

Bugs here are Gentoo specific. It does sometimes happen that a bug in the hardened-sources is my responsibility. But since 99% of the hardened-sources patchset is grsec/pax, if you go directly to pipacs it saves the time for me to cc them.
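The behaviour reported at the top of this thread, as an added user-space model; it is not code from the kernel, from grsecurity, or from the attached patch. The function names security_capable, security_capable_noaudit and ns_capable_nolog come from the report, but their bodies and simplified signatures here are stand-ins, and model_lsm_capable and probe_mknod are hypothetical helpers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_MKNOD 27            /* value from <linux/capability.h> */

static uint64_t task_caps;      /* model: capability set of the calling task */
static int denial_records;      /* model: denial messages logged so far */

/* Model of the LSM decision: 0 = granted. A refusal is logged only if audit is set. */
static int model_lsm_capable(int cap, bool audit)
{
    if (task_caps & (UINT64_C(1) << cap))
        return 0;
    if (audit)
        denial_records++;       /* stands in for an SELinux denial message */
    return -1;
}

/* Names taken from the report; bodies and signatures are simplified stand-ins. */
static int security_capable(int cap)         { return model_lsm_capable(cap, true); }
static int security_capable_noaudit(int cap) { return model_lsm_capable(cap, false); }

/* As reported: the "nolog" helper goes through the auditing hook. */
static bool ns_capable_nolog_reported(int cap) { return security_capable(cap) == 0; }
/* As the report asks: same decision, no log record. */
static bool ns_capable_nolog_expected(int cap) { return security_capable_noaudit(cap) == 0; }

/* Run n CAP_MKNOD probes for a task holding `caps`; return the number of
 * denial records produced and store the last decision in *granted. */
static int probe_mknod(bool (*check)(int), uint64_t caps, int n, bool *granted)
{
    task_caps = caps;
    denial_records = 0;
    for (int i = 0; i < n; i++)
        *granted = check(CAP_MKNOD);
    return denial_records;
}

int main(void)
{
    bool g = false;
    printf("reported helper: %d denials\n", probe_mknod(ns_capable_nolog_reported, 0, 3, &g));
    printf("expected helper: %d denials\n", probe_mknod(ns_capable_nolog_expected, 0, 3, &g));
    return 0;
}
```

Both helpers return the same decision for every probe; only the number of denial records differs, which is why the report describes log noise rather than a change in access control.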