Hi,

I successfully switched to hardened profile during the last week and it was
quite painless. I think I can hand out some praise for the great work done
on Gentoo Hardened. :)

Just one thing puzzles me a bit. I activated pax in hardened sources and
this resulted in quite some segfaulting processes due to mprotect. I found
lines like the following in the logs.

Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of 
/lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] 
uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 
gid/egid:0/0

I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
[1] of binaries where I had to do this includes some stuff where mprotect
would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
docs (which otherwise are really helpful :) about what to expect for
exceptions from mprotect. Is this expected behaviour or have I made some
mistake in my configuration?


           Markus

[1]
/usr/lib64/courier/courier-authlib/authdaemond
/usr/sbin/console-kit-daemon
/usr/libexec/polkitd
/usr/bin/xfconf-query
/usr/lib64/xfce4/xfconf/xfconfd
/usr/bin/xscreensaver
/usr/bin/xfce4-session
/usr/bin/gkrellm
/usr/bin/Xorg
/usr/bin/xfdesktop
/usr/bin/xfce4-panel
/usr/bin/Terminal
/usr/libexec/udisks-daemon
/usr/bin/xfce4-session-logout
/usr/bin/emacs-23
/usr/bin/sudo
/usr/bin/perl
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/bin/xfce4-mixer
/usr/bin/python2.7
/usr/libexec/git-core/git
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1


--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
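
Added example, not part of the original post: a Python triage script that rejoins mail-wrapped syslog records and groups grsec "denied RWX mprotect" entries by the object being remapped, which shows whether many executables are denied on the same shared object before each one is flagged with paxctl -m. The first sample record is the line quoted in the post; the sudo record and the USB line are constructed, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# First record: the log line quoted in the post, wrapped as in the mail.
# The sudo record and the USB line are constructed for this example.
SAMPLE_LOG = """\
Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of
/lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393]
uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0
gid/egid:0/0
Jul 13 17:10:02 localhost kernel: [  307.412345] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/sudo[sudo:6501] uid/euid:1000/0 gid/egid:1005/0, parent /bin/bash[bash:6400] uid/euid:1000/1000 gid/egid:1005/1005
Jul 13 17:10:05 localhost kernel: [  310.000001] usb 1-1: new high-speed USB device number 4
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
DENIAL = re.compile(
    r"grsec: denied RWX mprotect of (?P<target>\S+) by "
    r"(?P<exe>\S+?)\[(?P<comm>[^\]]*):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and (TIMESTAMP.match(line) or not records):
            records.append(line)      # a syslog timestamp starts a new record
        elif line:
            records[-1] += " " + line  # continuation of the previous record
    return records

def parse_denials(text):
    """Return one dict per 'denied RWX mprotect' record; skip other lines."""
    out = []
    for record in unwrap(text):
        m = DENIAL.search(record)
        if m:  # euid_differs marks processes whose effective uid was changed
            out.append({**m.groupdict(), "euid_differs": m["uid"] != m["euid"]})
    return out

def by_target(denials):
    """Map each remapped object to the sorted executables denied on it."""
    groups = defaultdict(set)
    for d in denials:
        groups[d["target"]].add(d["exe"])
    return {t: sorted(e) for t, e in groups.items()}

if __name__ == "__main__":
    print(by_target(parse_denials(SAMPLE_LOG)))
```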
