[SOLVED] newest grsecurity and kernel 2.6.24.4

Posted: Wed Apr 16, 2008 8:46 am
by sauruspl
Heya
I have some problems with the newest grsecurity (grsecurity-2.1.11-2.6.24.4-200804142048.patch.gz). It does compile without any errors, but my kernel doesn't want to boot. When I compile and install the kernel without the grsecurity patch it's all OK, but when I patch the kernel and compile and install the new kernel, it doesn't want to boot.
Any hints?
It's really weird...

Re: newest grsecurity and kernel 2.6.24.4

Posted: Wed Apr 16, 2008 10:40 am
by cormander
When you say "doesn't want to boot", what exactly happens? What's the last message given to your terminal? Also, what kind of machine are you running?

I keep the latest grsecurity kernels compiled as RPMs; my machines are booting just fine with the grsecurity-2.1.11-2.6.24.4-200804142048.patch.

Re: newest grsecurity and kernel 2.6.24.4

Posted: Wed Apr 16, 2008 11:09 am
by sauruspl
My machine is a Sempron 64 2800+, I do it on Trustix Linux 3.0.5. The last message is when the initrd image is trying to load; I can't even paste it here because after this the computer reboots, I can't even pause to see it, but the last message is when the initrd image is trying to load.
My grub config is:
root (hd0,0)
kernel /2.6.24.4 ro root=/dev/hda2
initrd /2.6.24.4.initrd.img

When I compile my kernel without the grsecurity patch it's all working OK, but when the patch is enabled it reboots after reading the initrd image.

What should I do?

Re: newest grsecurity and kernel 2.6.24.4

Posted: Wed Apr 16, 2008 11:37 am
by cormander
sauruspl wrote: my grub config is:
root (hd0,0)
kernel /2.6.24.4 ro root=/dev/hda2
initrd /2.6.24.4.inird.img


Your initrd is trying to load... is it possible you misspelled the path to your initrd image? Looks like you're missing a t.

Check the spelling, verify that it does in fact exist, and try again.

Re: newest grsecurity and kernel 2.6.24.4

Posted: Wed Apr 16, 2008 11:40 am
by sauruspl
Oh sorry, I only mistyped it here, I have it right here; anyway it would tell me that the file doesn't exist, but it starts loading it and then reboots.... :(

Re: newest grsecurity and kernel 2.6.24.4

Posted: Wed Apr 16, 2008 9:57 pm
by djGrrr
I think I'm having this same issue with a new server I'm setting up, but I can't see any messages even over KVM because it reboots so quickly. I did some testing: configured the kernel the way I wanted, without grsec, worked fine; then simply applied the patch, and didn't enable any of the options, and the server reboots after grub exits. I can't really give any details because I can't see what's going on. I am running x64 architecture.

I have checked to make sure DEBUG_RODATA and COMPAT_VDSO were disabled and it didn't make any difference.
I wish there was some way to get more info.

Re: newest grsecurity and kernel 2.6.24.4

Posted: Wed Apr 16, 2008 10:35 pm
by cormander
You can debug the kernel with gdb. I've never used gdb with a kernel myself, but using strings like gdb, vmlinux, kernel, etc. on Google will return some interesting results. Here is one:

http://stackframe.blogspot.com/2007/04/ ... -with.html

Step to the point where it loads the initrd image and see what happens. Oh, and it would be useful to compile the kernel with CONFIG_DEBUG set.

Re: newest grsecurity and kernel 2.6.24.4

Posted: Thu Apr 17, 2008 5:24 am
by PaX Team
Can you guys send me your bzImage, vmlinux, .config and System.map files please? Also, can you try the PaX patch alone to see if the problem still occurs?

Re: newest grsecurity and kernel 2.6.24.4

Posted: Thu Apr 17, 2008 12:10 pm
by sauruspl
Sure I can. How can I send them to you? By email?

Re: newest grsecurity and kernel 2.6.24.4

Posted: Thu Apr 17, 2008 5:15 pm
by djGrrr
I can't compile the kernel with just the PaX patch pax-linux-2.6.24.4-test42.patch:
arch/x86/ia32/built-in.o: In function `load_elf32_binary':
/home/dev/kernel/linux-2.6.24.4/arch/x86/ia32/../../../fs/binfmt_elf.c:1028: undefined reference to `pax_set_initial_flags'
fs/built-in.o: In function `load_elf_binary':
/home/dev/kernel/linux-2.6.24.4/fs/binfmt_elf.c:1028: undefined reference to `pax_set_initial_flags'
make: *** [.tmp_vmlinux1] Error 1

Re: newest grsecurity and kernel 2.6.24.4

Posted: Thu Apr 17, 2008 5:41 pm
by cormander
I ran into this earlier: viewtopic.php?f=1&t=1943

you can't take a grsec .config blindly and use it under PaX directly, the ACL hook option must be (re)set properly - just search the forum, this came up a few times already.


If you're using an x86 machine (not 64-bit, I don't have one to build on yet) I've got RPMs on my site that you can install.

Re: newest grsecurity and kernel 2.6.24.4

Posted: Thu Apr 17, 2008 6:05 pm
by djGrrr
Actually I've figured out that you just need to set the integration mode to hook instead of direct. I am about to test if this kernel will boot; I will post my results in a few minutes.

Re: newest grsecurity and kernel 2.6.24.4

Posted: Thu Apr 17, 2008 6:13 pm
by djGrrr
It seems the same thing happens with just the PaX patch, and not the grsec, so I guess it's an issue with the PaX side of the patch. If I knew where I should send the .config, System.map, etc. I would gladly do it if it will help.

Re: newest grsecurity and kernel 2.6.24.4

Posted: Thu Apr 17, 2008 6:27 pm
by cormander
You can get the correct email address by finding the "The PaX Team" hyperlink on the pax homepage: http://pax.grsecurity.net/

Re: newest grsecurity and kernel 2.6.24.4

Posted: Fri Apr 18, 2008 10:41 am
by sauruspl
Yeah, I did send them my image and config, we will see.