grsecurity forums

Well...the most it's in the subject...

As I wrote I've patched a 2.6.11.5 kernel with last grsec patches and I enabled options listed in the quickstart guide...
...but at the reboot kernel killed udev (and without udev i can't boot the system, because /dev/ROOT doesn't exists)

I'm using Gentoo with glibc-2.3.4.20050125 (NTPL - NPTLONLY enabled) and gcc-3.4.3.20050110

Any advice?

I have UDEV and DEVFS turned off. I just use static /dev.

Try disabling the grsec and PaX stuff, recompile the kernel, and see if it works then.

Post the error it gets.

Obviously without grsec & pax udev works great

But i would like to know how to use both

I think I'll read all grsec/pax documentation, then, if I find a solution, It will be posted here...maybe someone else could have the same problem.

Tnx 4 attention,
Bye

this bit me a couple weeks ago, but i managed to figure it out...

the problem is, that when udev tries to run from initrd, PaX kills it because of MPROTECT, no devices get created, and it can't find the real root device to boot.

i solved this problem by disabling MPROTECT on the udev binary on the initrd with paxctl. how you achieve this varies depending on how you actually create your initrd -- i happen to use gentoo's 'genkernel', so basically it went something like this:

Code: Select all

# genkernel --menuconfig --udev all

a udev binary for initrd gets built, the kernel and modules are built, and an initrd (which won't work) is created... next, fix the udev binary for initrd...

Code: Select all

# cd /usr/share/genkernel/pkg/x86
# tar jxvf udev-0??-x86.tar.bz2
# paxctl -m ./sbin/udev
# tar jcvf udev-0??-x86.tar.bz2 etc sbin
# rm -rf ./{etc,sbin}

now you've got a udev binary for initrd that won't die. now, make a working initrd that uses it...

Code: Select all

# genkernel --udev initrd

now you can install your new grsec kernel and initrd and have udev work!

(tested with vanilla linux-2.6.11.7 + grsec-2.1.5, will be trying vanilla 2.6.11.9 tonight)

tomalok wrote:the problem is, that when udev tries to run from initrd, PaX kills it because of MPROTECT, no devices get created, and it can't find the real root device to boot.

Code: Select all

- PaX flags: -------x-e-- [/sbin/udev]

and it works for many people, albeit without initrd. so the problem must be there (and i don't know if it's gentoo specific or not). can you please open a bugzilla entry with gentoo and post kill logs and any relevant info you can capture (and put me on CC)?