Problem Starting GrSecurity

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Problem Starting GrSecurity

Postby Fr33m3 » Thu Mar 30, 2006 6:33 pm

I was hoping someone might be able to help me.

I installed a new 2.4.32 kernel and patched the 2.4.32 version of GrSecurity to it. I configured the kernel then compiled it using a make install. I've got it in the Grub boot loader and when I start it everything runs fine. About half way through the load process it stops at a line that says:

touch: creating '/var/lock/subsys/network': read only file system

and the it says

Starting system logger:

it takes about approximately 5 minutes to continue.

it then goes through a bunch of text, mostly error messages, ending with:


INIT: Id "1" respawing too fast: disabled for 5 minutes
INIT: Id "2" respawing too fast: disabled for 5 minutes
INIT: Id "3" respawing too fast: disabled for 5 minutes
INIT: Id "4" respawing too fast: disabled for 5 minutes
INIT: Id "5" respawing too fast: disabled for 5 minutes
INIT: Id "6" respawing too fast: disabled for 5 minutes





and then pops up with a screen that says:



I could not start the X server (your graphical environment) due to some internal error. Please contact your system administrator or check you syslog to diagnose. In the meantime this display will be disabled. Please restart gdm when

and then gives me the option to select "ok"

If you hit ok it returns to the loader but doesn't do anything, just reutrns to the last thing it said in the loader and freezes. It will also only let me press one key (???) during the entire loading process and then the keyboard stops responding.

It was suggested to me that it is possible GrSecurity is being too tough and some code has to be added to the loader to allow me to enter the GUI and change my settings.

Any help would be greatly appreciated!

Tthanks.[/i]
Fr33m3
 
Posts: 1
Joined: Thu Mar 30, 2006 6:16 pm

Re: Problem Starting GrSecurity

Postby PaX Team » Sat Apr 01, 2006 6:20 am

Fr33m3 wrote:I installed a new 2.4.32 kernel and patched the 2.4.32 version of GrSecurity to it. I configured the kernel then compiled it using a make install. I've got it in the Grub boot loader and when I start it everything runs fine. About half way through the load process it stops at a line that says:

touch: creating '/var/lock/subsys/network': read only file system
it'd help if you posted your kernel .config, grsecurity policy (if any) and dmesg. if they're too big, just put them on a website. if there's any sensitive info in there, feel free to sanitize them first.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby JLO » Fri Apr 07, 2006 7:02 pm

Yeah this is not grsecurity related but rather kernel config related. You turned on devfsd. It is similar to automatic device discoverer...it populates /dev without you having to mknod. You'll need a /etc/devfsd.conf and then to change /etc/inittab

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

to

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty vc/1
2:2345:respawn:/sbin/mingetty vc/2
3:2345:respawn:/sbin/mingetty vc/3
4:2345:respawn:/sbin/mingetty vc/4
5:2345:respawn:/sbin/mingetty vc/5
6:2345:respawn:/sbin/mingetty vc/6

or change your kernel config for it not to be enabled at boot.


# Sample /etc/devfsd.conf configuration file.
# Richard Gooch <rgooch@atnf.csiro.au> 17-FEB-2002
#
# Enable full compatibility mode for old device names. You may comment these
# out if you don't use the old device names. Make sure you know what you're
# doing!
REGISTER .* MKOLDCOMPAT
UNREGISTER .* RMOLDCOMPAT

# You may comment out the above and uncomment the following if you've
# configured your system to use the original "new" devfs names or the really
# new names
REGISTER ^vc/ MKOLDCOMPAT
#UNREGISTER ^vc/ RMOLDCOMPAT
REGISTER ^pty/ MKOLDCOMPAT
#UNREGISTER ^pty/ RMOLDCOMPAT
REGISTER ^misc/ MKOLDCOMPAT
#UNREGISTER ^misc/ RMOLDCOMPAT

# You may comment these out if you don't use the original "new" names
REGISTER .* MKNEWCOMPAT
UNREGISTER .* RMNEWCOMPAT

# Enable module autoloading. You may comment this out if you don't use
# autoloading
LOOKUP .* MODLOAD

# Uncomment the following if you want to set the group to "tty" for the
# pseudo-tty devices. This is necessary so that mesg(1) can later be used to
# enable/disable talk requests and wall(1) messages.
REGISTER ^pty/s.* PERMISSIONS -1.tty 0600
REGISTER ^pts/.* PERMISSIONS -1.tty 0600

#
# Uncomment this if you want permissions to be saved and restored
# Do not do this for pseudo-terminal devices
#REGISTER ^pt[sy] IGNORE
#CREATE ^pt[sy] IGNORE
#CHANGE ^pt[sy] IGNORE
#DELETE ^pt[sy] IGNORE
#REGISTER .* COPY /dev-state/$devname $devpath
#CREATE .* COPY $devpath /dev-state/$devname
#CHANGE .* COPY $devpath /dev-state/$devname
#DELETE .* CFUNCTION GLOBAL unlink /dev-state/$devname
#RESTORE /dev-state

#
# Uncomment this if you want the old /dev/cdrom symlink
REGISTER ^cdroms/cdrom0$ CFUNCTION GLOBAL mksymlink $devname cdrom
UNREGISTER ^cdroms/cdrom0$ CFUNCTION GLOBAL unlink cdrom

# Uncomment this to let PAM manage devfs
#REGISTER .* CFUNCTION /lib/security/pam_console_apply_devfsd.so pam_console_apply_single $devpath

# Uncomment this to manage USB mouse
REGISTER ^input/mouse0$ CFUNCTION GLOBAL mksymlink $devname usbmouse
UNREGISTER ^input/mouse0$ CFUNCTION GLOBAL unlink usbmouse
REGISTER ^input/mice$ CFUNCTION GLOBAL mksymlink $devname usbmouse
UNREGISTER ^input/mice$ CFUNCTION GLOBAL unlink usbmouse

# If you have removable media and want to force media revalidation when looking
# up new or old compatibility names, uncomment the following lines
#SCSI NEWCOMPAT /dev/sd/* names
#LOOKUP ^(sd/c[0-9]+b[0-9]+t[0-9]+u[0-9]+)p[0-9]+$ EXECUTE /bin/dd if=$mntpnt/\1 of=/dev/null count=1
#SCSI OLDCOMPAT /dev/sd?? names
#LOOKUP ^(sd[a-z]+)[0-9]+$ EXECUTE /bin/dd if=$mntpnt/\1 of=/dev/null count=1
#IDE NEWCOMPAT /dev/ide/hd/* names
#LOOKUP ^(ide/hd/c[0-9]+b[0-9]+t[0-9]+u[0-9]+)p[0-9]+$ EXECUTE /bin/dd if=$mntpnt/\1 of=/dev/null count=1
#IDE OLDCOMPAT /dev/hd?? names
#LOOKUP ^(hd[a-z])[0-9]+$ EXECUTE /bin/dd if=$mntpnt/\1 of=/dev/null count=1

LOOKUP loop/* MODLOAD
LOOKUP input/js* MODLOAD
LOOKUP ppp MODLOAD
LOOKUP usb/lp0 MODLOAD
LOOKUP scsi/* MODLOAD
REGISTER scsi/.*/generic PERMISSIONS root.cdwrite 660


OK. Then after that, we'll talk about the X display. You may have to check your X logs or chpax it ...
JLO
 
Posts: 12
Joined: Wed Aug 18, 2004 10:23 am


Return to grsecurity support

cron