Mailing List Archive

New messages in log with hs-3.11.9-r1
After bumping the kernel and gradm versions, I see these in the log:
grsec: denied exec of usermode helper binary
/lib64/rc/sh/cgroup-release-agent.sh located outside of /sbin
The file is definitely located outside of /sbin. It belongs to openrc.
What can be the best solution to handle this issue?

Reloading policy knocks out the machine:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3881
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
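An added example, not from this thread and not grsecurity's or openrc's own code: a small Python triage script that pulls the `denied exec of usermode helper binary` denials quoted above out of syslog-style kernel lines, counts them per helper path, and checks whether each path really sits under the trusted directory the kernel names. The log lines it runs on are constructed to mirror the message in the post (the kernel prints the whole denial on one line; the two-line form above is mail wrapping), and the function names are assumptions of this example.

```python
"""Triage grsecurity usermode-helper denials found in syslog.

Added example, not part of the original thread or of grsecurity/openrc.
The sample log below is constructed; its denial text mirrors the message
quoted in the thread. Function names are my own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PurePosixPath

# grsecurity refuses to run a usermode helper (a program the kernel itself
# execs via call_usermodehelper, such as a cgroup release_agent or
# /sbin/modprobe) unless it lives under one trusted directory. The denial
# names that directory, so it is read from the message, not hard-coded.
UMH_DENIAL = re.compile(
    r"grsec: denied exec of usermode helper binary (?P<path>\S+) "
    r"located outside of (?P<allowed>\S+)"
)

# Constructed sample input: two denials for the openrc release agent and
# one unrelated kernel line.
SAMPLE_LOG = """\
Nov 27 19:40:01 host kernel: [  123.456789] grsec: denied exec of usermode helper binary /lib64/rc/sh/cgroup-release-agent.sh located outside of /sbin
Nov 27 19:40:02 host kernel: [  124.000000] device eth0 entered promiscuous mode
Nov 27 19:40:05 host kernel: [  127.000000] grsec: denied exec of usermode helper binary /lib64/rc/sh/cgroup-release-agent.sh located outside of /sbin
"""


@dataclass(frozen=True)
class UmhDenial:
    path: str      # helper the kernel tried to exec
    allowed: str   # directory the kernel requires helpers to live under


def parse_umh_denials(lines):
    """Return one UmhDenial per matching line; other lines are ignored."""
    out = []
    for line in lines:
        m = UMH_DENIAL.search(line)
        if m:
            out.append(UmhDenial(m.group("path"), m.group("allowed")))
    return out


def is_under(path, root):
    """True if `path` is an absolute, dot-dot-free path inside `root`.

    grsecurity logs the canonical dentry path, so a '..' component or a
    relative path here means the input was tampered with or mis-parsed;
    both are treated as outside the trusted directory.
    """
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return PurePosixPath(root) in p.parents


def triage(lines):
    """Group denials by helper path: how often each fired, which directory
    the kernel demanded, and whether the helper already lives there.

    Returns {path: {"count": int, "allowed": str, "in_trusted_dir": bool}}.
    A False in_trusted_dir is the situation reported in the thread: the
    helper (here openrc's release agent) lives outside the allowed directory.
    """
    denials = parse_umh_denials(lines)
    counts = Counter(d.path for d in denials)
    allowed = {d.path: d.allowed for d in denials}
    return {
        path: {
            "count": n,
            "allowed": allowed[path],
            "in_trusted_dir": is_under(path, allowed[path]),
        }
        for path, n in counts.items()
    }


if __name__ == "__main__":
    for path, info in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{info['count']:4d}  {path}  (trusted dir {info['allowed']}, "
              f"inside: {info['in_trusted_dir']})")
```

Feed it the output of `dmesg` or `journalctl -k` instead of `SAMPLE_LOG` to see which helpers a box is actually being refused; a path that already sits under the named directory but still shows up points at a different cause than the one in this thread.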
Re: New messages in log with hs-3.11.9-r1
I know I can switch to systemd - since Gnome 3.8 (to my great
disappointment) forcefully pushes users to move on, but the unit files are
still lacking. One mentionable example is iptables. No iptables unit file.
I may (or might) have enough time for this by the end of the year.

BTW: any of you ever operated a machine with bonding using systemd? I've
found no documentation regarding the official way to achieve that. I'm
curious before I start hacking in my non-professional way.

Thanks:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 27 November 2013 (Wed) 19:49, "Tóth Attila" wrote:
> After bumping the kernel and gradm versions, I see these in the log:
> grsec: denied exec of usermode helper binary
> /lib64/rc/sh/cgroup-release-agent.sh located outside of /sbin
> The file is definitely located outside of /sbin. It belongs to openrc.
> What can be the best solution to handle this issue?
>
> Reloading policy knocks out the machine:
> https://forums.grsecurity.net/viewtopic.php?f=3&t=3881
> --
> dr Tóth Attila, Radiológus, 06-20-825-8057
> Attila Toth MD, Radiologist, +36-20-825-8057
Re: New messages in log with hs-3.11.9-r1
On 11/27/2013 01:49 PM, "Tóth Attila" wrote:
> After bumping the kernel and gradm versions, I see these in the log:
> grsec: denied exec of usermode helper binary
> /lib64/rc/sh/cgroup-release-agent.sh located outside of /sbin
> The file is definitely located outside of /sbin. It belongs to openrc.
> What can be the best solution to handle this issue?
>
> Reloading policy knocks out the machine:
> https://forums.grsecurity.net/viewtopic.php?f=3&t=3881
>

I should probably have emailed the list to warn people about 3.0. It is
fresh off the assembly line and there are issues. I hit one myself but
didn't report it yet because a new release just came out.

I will not stabilize a 3.0 anytime soon. Please use a 2.9.1 for the time
being:

1) any 2.6.32

2) <= 3.2.52-r6

3) <= 3.11.9

Currently the tree has only 2.9.1. The overlay has 3.0.

Thank you Toth for pushing that report upstream.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: New messages in log with hs-3.11.9-r1
On Wed, 27 Nov 2013 19:59:13 +0100
"Tóth Attila" <atoth@atoth.sote.hu> wrote:

> BTW: any of you ever operated a machine with bonding using systemd? I've
> found no documentation regarding the official way to achieve that. I'm
> curious before I start hacking in my non-professional way.

Bonding is supported by net-misc/netctl. Also, this functionality will
be in systemd itself in the future (systemd-networkd).

http://lists.freedesktop.org/archives/systemd-devel/2013-November/014115.html

--
Alexander Tsoy
Re: New messages in log with hs-3.11.9-r1
Thanks for pointing to that email. Now I have a feeling again, that
systemd is not ready for production purposes. Although it's not on the
TODO list, I hope it will get there soon...
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 27 November 2013 (Wed) 20:13, Alexander Tsoy wrote:
> On Wed, 27 Nov 2013 19:59:13 +0100
> "Tóth Attila" <atoth@atoth.sote.hu> wrote:
>
>> BTW: any of you ever operated a machine with bonding using systemd? I've
>> found no documentation regarding the official way to achieve that. I'm
>> curious before I start hacking in my non-professional way.
>
> Bonding is supported by net-misc/netctl. Also, this functionality will
> be in systemd itself in the future (systemd-networkd).
>
> http://lists.freedesktop.org/archives/systemd-devel/2013-November/014115.html
>
> --
> Alexander Tsoy
Re: New messages in log with hs-3.11.9-r1
I will refrain from using this new version of 3.0 grsec+gradm.
But will give it a try when a new version comes out, anyways.

I have to also prepare to invest some energy into connection tracking
helper assignments.

Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 27 November 2013 (Wed) 20:05, Anthony G. Basile wrote:
> On 11/27/2013 01:49 PM, "Tóth Attila" wrote:
>> After bumping the kernel and gradm versions, I see these in the log:
>> grsec: denied exec of usermode helper binary
>> /lib64/rc/sh/cgroup-release-agent.sh located outside of /sbin
>> The file is definitely located outside of /sbin. It belongs to openrc.
>> What can be the best solution to handle this issue?
>>
>> Reloading policy knocks out the machine:
>> https://forums.grsecurity.net/viewtopic.php?f=3&t=3881
>>
>
> I should probably have emailed the list to warn people about 3.0. It is
> fresh off the assembly line and there are issues. I hit one myself but
> didn't report it yet because a new release just came out.
>
> I will not stabilize a 3.0 anytime soon. Please use a 2.9.1 for the time
> being:
>
> 1) any 2.6.32
>
> 2) <= 3.2.52-r6
>
> 3) <= 3.11.9
>
> Currently the tree has only 2.9.1. The overlay has 3.0.
>
> Thank you Toth for pushing that report upstream.
>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197
Re: New messages in log with hs-3.11.9-r1
Just to let you know:
I've retested gradm-3.0 using hardened-sources-3.12.4 and the system seems
to behave.
Reloading policy no longer renders the machine unresponsive.
Log messages related to user mode helper binary have also gone.

Regards: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 27 November 2013 (Wed) 20:05, Anthony G. Basile wrote:
> On 11/27/2013 01:49 PM, "Tóth Attila" wrote:
>> After bumping the kernel and gradm versions, I see these in the log:
>> grsec: denied exec of usermode helper binary
>> /lib64/rc/sh/cgroup-release-agent.sh located outside of /sbin
>> The file is definitely located outside of /sbin. It belongs to openrc.
>> What can be the best solution to handle this issue?
>>
>> Reloading policy knocks out the machine:
>> https://forums.grsecurity.net/viewtopic.php?f=3&t=3881
>>
>
> I should probably have emailed the list to warn people about 3.0. It is
> fresh off the assembly line and there are issues. I hit one myself but
> didn't report it yet because a new release just came out.
>
> I will not stabilize a 3.0 anytime soon. Please use a 2.9.1 for the time
> being:
>
> 1) any 2.6.32
>
> 2) <= 3.2.52-r6
>
> 3) <= 3.11.9
>
> Currently the tree has only 2.9.1. The overlay has 3.0.
>
> Thank you Toth for pushing that report upstream.
>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197