
gradm not allowing PAX flags on subject in policy

Posted: Wed Jul 12, 2006 6:44 am
by xor
Hi

I'm having a problem upgrading from grsec/gradm 2.4.31-2.1.16 to 2.4.32-2.1.18. After the upgrade, gradm will no longer enable the RBAC system but chokes on the PAX flags on subjects in the policy. (The policy has remained unchanged, btw., as have the kernel config flags). To troubleshoot the issue I invented a dummy policy:

Code:
role myrole sAT {
    subject /root GXadkrv {
        /tmp rwcdx
    }
}


When I run "gradm -E" on this policy it fails with
Code:
"G" caused a invalid character on line 2 of /etc/grsec/policy

When I delete the "G" the error changes to
Code:
"X" caused a invalid ...
Only after deleting all PAX-relevant flags does gradm successfully load the policy.

Has anyone seen this before? Do I have to enable something special when compiling gradm2?

thx
xor (clueless)

Posted: Wed Jul 12, 2006 6:47 pm
by spender
What gradm are you using? Newer gradms switched to a different, more configurable approach to setting PaX flags on a subject. It uses (+/-)PAX_SEGMEXEC, (+/-)PAX_PAGEEXEC, etc. instead of subject flags. The sample policy has more information on it. Also, RANDEXEC was removed some time ago from PaX and grsec, so you can no longer switch that on for binaries.

-Brad
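
A pre-upgrade check for the situation in this thread, as an added example that is not part of the original posts or of gradm: it scans a policy for subject lines whose mode string still carries legacy PaX letters, so those settings can be moved to the (+/-)PAX_* form before running "gradm -E". Assumptions: only G and X (the letters the thread shows being rejected) are in the legacy set, "#" starts a comment, and `find_legacy_pax_flags` is a hypothetical helper name.

```python
import re

# Assumption: only G and X count as legacy PaX subject-mode letters here,
# because those are the two the thread shows gradm rejecting. Extend the set
# after checking the sample policy shipped with your gradm version.
LEGACY_PAX_LETTERS = frozenset("GX")

# Matches: subject <path> [<mode letters>] {
SUBJECT_RE = re.compile(r"^\s*subject\s+(\S+)(?:\s+([A-Za-z]+))?\s*\{?\s*$")


def find_legacy_pax_flags(policy_text, legacy=LEGACY_PAX_LETTERS):
    """Return (line_no, subject_path, legacy_letters, remaining_modes) tuples."""
    findings = []
    for line_no, raw in enumerate(policy_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # assumption: '#' starts a comment
        match = SUBJECT_RE.match(line)
        if not match or not match.group(2):
            continue  # not a subject line, or a subject with no mode letters
        path, modes = match.groups()
        bad = "".join(c for c in modes if c in legacy)
        if bad:
            keep = "".join(c for c in modes if c not in legacy)
            findings.append((line_no, path, bad, keep))
    return findings


# Constructed sample input: the dummy policy quoted in the first post.
SAMPLE_POLICY = """\
role myrole sAT {
    subject /root GXadkrv {
        /tmp rwcdx
    }
}
"""

if __name__ == "__main__":
    for line_no, path, bad, keep in find_legacy_pax_flags(SAMPLE_POLICY):
        print(f"line {line_no}: subject {path} has legacy PaX letters {bad!r}; "
              f"remaining subject modes: {keep!r}")
```

The reported line number lines up with the "line 2" in the gradm error quoted above, so the output can be cross-checked against what gradm itself complains about.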