I have compiled a kernel with most of the grsecurity functions enabled, emerged gradm, manually created the /etc/grsec directory, found a default ACL somewhere on the web, and assigned a password, but ACL support won't work...
When trying "gradm -E" or "gradm -a" I get:
    Error writing to /proc/sys/kernel/grsecurity/acl write: Invalid argument
Also, if trying to go into learn mode with the command "gradm -L -O fmtest" I get:
    Unable to open /etc/syslog.conf for reading. Error: No such file or directory
I have emerged the latest gentoo-sources (kernel) package. I did report the problem to the grsecurity maintainers. I was told that the release used to patch the "gentoo-sources kernel" is an old one, and that might be the cause of my problems. I noticed that the grsec patch used in gentoo-sources is 2 months old (that is not very old by my standards, but then again...), and that there is a new release dated Oct. 12.
Can grsecurity be installed on a Gentoo system with ACL support? That is the question. If so, can someone send me the recipe :-)
At any rate, as Gentoo is meant to be a secure distro, it would be very nice to have a fully working grsecurity package with it. Gentoo rocks!
Thanks in advance, Francois
grsecurity is actively maintained ... that means anything that is not grabbed from CVS is old ;) lostlogic: i thought we talked and you were gonna use 1.9.7 in -r9 of gentoo sources ?
-r9 had 1.9.6, it was released LONG before grsecurity 1.9.7. -r10, which has still 1 thing needing fixing before unmasking, has 1.9.7, please test it. (the one thing to be fixed is some weird issue with FORKing on mjc's system, that he hasn't gotten back to me)
weird i could have sworn -r9 was gonna have it ... mjc is a wanker, don't tell him i said that ;x
check out latest lolo-sources, now with grsecurity-1.9.7c (although the merge is missing one part which makes grsecurity PaX slightly less secure than it should be)
Hi, I did install the latest lolo-sources. When running make menuconfig, under grsecurity, there is no option "Access Control Lists --->"; instead there is an "ACL options --->", but that is of no use if we don't have ACLs, therefore we are back to square one. I did recompile the kernel anyway, and this is what I got:
    /proc/sys/kernel/grsecurity/acl does not exist. Please recompile your kernel with grsecurity's ACL system.
Regards, Francois
ACL = Access Control Lists.
Brandon, here is the menuconfig screen with your 2.4.20-lolo-r1_pre1
    [*] Grsecurity
    (Customized) Security level
    Buffer Overflow Protection --->
    ACL options --->
    Filesystem Protections --->
    Kernel Auditing --->
    Executable Protections --->
    Network Protections --->
    Sysctl support --->
    Miscellaneous Features --->
Now same screen with v2.4.19-gentoo-r7
    [*] Grsecurity
    (Customized) Security level
    Buffer Overflow Protection --->
    Access Control Lists --->
    Filesystem Protections --->
    Kernel Auditing --->
    Executable Protections --->
    Network Protections --->
    Sysctl support --->
    Miscellaneous Features --->
Unless I am missing something very obvious (ACL = Access Control Lists!!!), I can't get ACL to work with your mod. Furthermore, with v2.4.19-gentoo-r7, after selecting Access Control Lists ---> this is what we should see:
    [*] Grsecurity ACL system (NEW)
    [ ] ACL Debugging Messages (NEW)
    [ ] Denied capability logging (NEW)
    Path to gradm: "/sbin/gradm" (NEW)
    (3) Maximum tries before password lockout (NEW)
    (30) Time to wait after max password tries, in seconds (NEW)
Regards, Francois
hmm... all I've done is upgrade to the latest grsecurity, I'll check the patch...
That's just the way it is in the grsecurity patch lately... ask brad@grsecurity.net about it, this is NOT a bug in our kernels.
this is me checking this in the official unmodified patch, just to verify.
this is me verifying that the official patch looks JUST LIKE MINE (not to sound annoyed, but you went over my head, and frankly that bothers me, because I had told you the proper resolution to this bug) http://www.lostlogicx.com/images/grsec-ss.jpg shows a screenshot of the OFFICIAL linux-2.4.19-grsec configuration screen.
Hi Brandon, I am very sorry if you feel annoyed because of the e-mail that I sent to Daniel, but before I submitted that problem, I did contact the Grsec people, who said the problem is with Gentoo, and you are saying the problem is with them... So it's a dead end. Can't win them all, so I'll forget ACLs for a while. Thanks again for your help
blah... I dun get it... if brad changed that option setup, there has to be a reason for it... I'll e-mail him...
I e-mailed brad, he said "yeah it is on by default now, make sure user has the latest gradm tools"