Package: cgmanager
Version: 0.41-2
Severity: important

Dear Maintainer,

Running a grsec-patched kernel, cgmanager uses the /run directory to store ELF binaries (usermode helper binaries) that are not correctly handled due to grsec policies. Is there anything the cgmanager maintainers could fix to play nicely with grsec, or what is your preferred solution that we could document?

Excerpt from dmesg as follows:

[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.blkio located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.cpu located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.cpuacct located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.freezer located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.net_cls located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.pids located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.memory located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.cpuset located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.perf_event located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.systemd located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.devices located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.net_prio located outside of permitted system paths

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-grsec-amd64 (SMP w/3 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages cgmanager depends on:
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u1
ii  libcgmanager0        0.41-2
ii  libdbus-1-3          1.10.18-1
ii  libnih-dbus1         1.0.3-8
ii  libnih1              1.0.3-8

cgmanager recommends no packages.

cgmanager suggests no packages.

-- no debconf information
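
The denials in the dmesg excerpt above can be triaged mechanically. The following is an added example, not part of the original report and not cgmanager code: it extracts every helper path grsec refused to execute, tolerating log lines that were wrapped mid-message, and groups them by directory and by cgroup controller. The function names and the unrelated kernel line in the sample are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Message wording taken from the dmesg excerpt in the report. \s+ between
# words lets the pattern match even when a log line was wrapped mid-message.
DENIAL_RE = re.compile(
    r"grsec:\s+denied\s+exec\s+of\s+usermode\s+helper\s+binary\s+"
    r"(?P<path>\S+)\s+located\s+outside\s+of\s+permitted\s+system\s+paths"
)
AGENT_PREFIX = "cgm-release-agent."  # file name prefix seen in the report


def parse_denials(log_text):
    """Return the helper paths grsec refused to execute, in log order."""
    return [m.group("path") for m in DENIAL_RE.finditer(log_text)]


def summarize(log_text):
    """Group denied helpers by directory and list affected cgroup controllers."""
    by_dir = defaultdict(set)
    controllers = set()
    for path in parse_denials(log_text):
        p = PurePosixPath(path)
        by_dir[str(p.parent)].add(p.name)
        if p.name.startswith(AGENT_PREFIX):
            controllers.add(p.name[len(AGENT_PREFIX):])
    return {d: sorted(names) for d, names in by_dir.items()}, sorted(controllers)


# Sample input: three denials copied from the report (the third wrapped across
# two lines, as can happen in pasted logs) plus one constructed, unrelated line.
SAMPLE_LOG = """\
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.blkio located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper binary /run/cgmanager/agents/cgm-release-agent.cpu located outside of permitted system paths
[Fri Jul 7 09:27:47 2017] EXT4-fs (sda1): re-mounted (constructed unrelated line)
[Fri Jul 7 09:27:47 2017] grsec: denied exec of usermode helper
binary /run/cgmanager/agents/cgm-release-agent.devices located outside of permitted system paths
"""

if __name__ == "__main__":
    dirs, controllers = summarize(SAMPLE_LOG)
    for directory, names in dirs.items():
        print(f"{directory}: {len(names)} helper(s) denied")
    print("controllers without a working release agent:", ", ".join(controllers))
```
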