It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It has
been reported as freedesktop bug #65575. Of course if there would be a
specific group under which systemd performs its proc related activities,
that could be configured as the exception GID, but I can hardly imagine
that it is the case. Gentoo systemd wiki doesn't mention this point,
otherwise important for hardened users. Systemd dev stands his ground and
puts the period: nothing can be expected until grsecurity hits mainline.
That will obviously not happen. I understand the dev having no intentions
to support out-of-mainline features. Altering proc access significantly.
Any of you have a workaround for systemd with grsec without completely
losing proc restrictions?
I'm trying real hard to be a shepherd. But this time I feel the urge -
again - to purge the remnants of the once so shiny GNOME from my systems.
Any thoughts on this? Or rather a grsec proc config workaround?
Thx:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057