mysql needs to do elf segment relocations, which can be prevented by PaX on an hardened setup. gw root # scanelf -t /usr/sbin/mysqld TYPE TEXTREL FILE ET_DYN TEXTREL /usr/sbin/mysqld gw root # when PaX has NOELFRELOCS enabled, mysql daemon doesn't start. this can be solved by two ways: 1. disable mprotect() restrictions on some mysql binaries paxctl -m /usr/sbin/mysqld;paxctl -m /usr/bin/my_print_defaults 2. fix ebuild by removing configure option "--enable-assembler" mysql binaries no longer need to do elf segment relocations if proposed solution #2 is used. hardened setup prevent mysql from starting. Reproducible: Always Steps to Reproduce: 1.use hardened-sources-2.6.11-r1 or vanilla kernel with grsecurity or pax patchset 2. compile kernel with CONFIG_PAX=y # CONFIG_PAX_SOFTMODE is not set CONFIG_PAX_PT_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set CONFIG_PAX_HAVE_ACL_FLAGS=y CONFIG_PAX_NOEXEC=y # CONFIG_PAX_PAGEEXEC is not set CONFIG_PAX_SEGMEXEC=y (using PAGEEXEC or SEGMEXEC is fine as long as one of them is used) # CONFIG_PAX_EMUTRAMP is not set CONFIG_PAX_MPROTECT=y CONFIG_PAX_NOELFRELOCS=y (above config flag is critical to reproduce bug) CONFIG_PAX_ASLR=y CONFIG_PAX_RANDKSTACK=y CONFIG_PAX_RANDUSTACK=y CONFIG_PAX_RANDMMAP=y CONFIG_PAX_NOVSYSCALL=y 3. build hardened toolchain USE="hardened pic" emerge gcc glibc USE="hardened pic" emerge gcc glibc 4. compile mysql USE="hardened pic" emerge mysql 5. mysql won't start Actual Results: mysql didn't start: complained about attempted segment relocation: permission denied (exact message unavailable for now) Expected Results: gw root # /etc/init.d/mysql start * Starting mysqld... [ ok ] gw root # Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11.7-grsec i686) ================================================================= System uname: 2.6.11.7-grsec i686 Pentium III (Coppermine) Gentoo Base System version 1.4.16 Python: dev-lang/python-2.3.5 [2.3.5 (#1, May 6 2005, 17:45:06)] ccache version 2.3 [enabled] dev-lang/python: 2.3.5 sys-apps/sandbox: [Not Present] sys-devel/autoconf: 2.59-r6, 2.13 sys-devel/automake: 1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.4 sys-devel/binutils: 2.15.92.0.2-r7 sys-devel/libtool: 1.5.16 virtual/os-headers: 2.6.8.1-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-march=pentium3 -fomit-frame-pointer -fforce-addr -fstack-protector -O2 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=pentium3 -fomit-frame-pointer -fforce-addr -fstack-protector -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict" GENTOO_MIRRORS="ftp://ftp.rnl.ist.utl.pt/gentoo http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://ftp.rnl.ist.utl.pt/gentoo-portage" USE="x86 aalib acl acpi alsa apache2 apm arts avi berkdb bitmap-fonts crypt cscope cups curl emboss encode fam foomaticdb fortran gd gdbm ggi gif gmp gpm gtk2 hardened imagemagick imap imlib ipv6 java jpeg libg++ libwww mad maildir mikmod mmx motif mp3 mpeg mppe-mppc mysql ncurses nls ogg oggvorbis opengl oss pam pdflib perl pic pie png ppds python quicktime readline samba sasl sdl slang snmp spell sse ssl svga tcpd tiff truetype-fonts type1-fonts unicode usb vorbis winbind wmf xml xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
this is different from bug #63885, although summary is very simmilar.
*** This bug has been marked as a duplicate of 42968 ***