grsecurity forums

by **circle** » Thu Mar 18, 2010 11:39 am

Hi all!

I'm running a hardened Gentoo Linux installation as a security techie toolbox.
I'm using the hardened toolchain and thus have grsecurity and pax configured.

NeXpose is a network security analyzer which mainly is built on Java. I know
there are issues with Java and grsecurity/pax. However, I've been able to
solve many of those problems just by exluding the JVM using paxctl. I know
its kinda dirty.

The problem is that I cannot manage to exlude NeXpose. I keep getting the
following error messages for you who may have been working with NeXpose:

Code: Select all: Checking for available jvms Validating jre in directory _jvm ./.DLLCACHE/nexserv: error while loading shared libraries: ../_jvm/lib/i386/server/libjvm.so: cannot make segment writable for relocation: Permission denied Using jre at _jvm ./.DLLCACHE/nexserv: error while loading shared libraries: ../_jvm/lib/i386/server/libjvm.so: cannot make segment writable for relocation: Permission denied Update merging failed: 127 Checking for available jvms Validating jre in directory _jvm ./.DLLCACHE/nexserv: error while loading shared libraries: ../_jvm/lib/i386/server/libjvm.so: cannot make segment writable for relocation: Permission denied Using jre at _jvm ./.DLLCACHE/nexserv: error while loading shared libraries: ../_jvm/lib/i386/server/libjvm.so: cannot make segment writable for relocation: Permission denied NeXpose security console exited with code 127

NeXpose Community ed. from Rapid7 is free to download, so any of you who
feel compelled to try and help, please feel free.

I had huge problems installing the main package which is a self contained
package including its own JRE and stuff. So I extracted the package and tried
to run the .jar file itself using my own JRE which is excluded in pax. But still I
failed once again when the installer wanted to do some DB installation.
Probably some just-in-time-compiling or similar.

Instead I took my own NeXpose installation from my Linux laptop and copied
the raw directory structure and all. But still I run into trouble. I also had to
do some header conversions as well.

I know, things are looking thin...But I do hope someone may be able to assist.
Any ideas?

You could also call me a newbie on the grsecurity/pax area. Maybe I'm missing
something. Any hints?

Best regards
/Thomas

by **PaX Team** » Thu Mar 18, 2010 12:29 pm

circle wrote:NeXpose is a network security analyzer which mainly is built on Java. I know
there are issues with Java and grsecurity/pax. However, I've been able to
solve many of those problems just by exluding the JVM using paxctl. I know
its kinda dirty.

paxctl -m is not dirty, it's what enables runtime code generation which the JVM needs

. as for your real issue, if you had searched for the error message on this very forum

, you would have found this: http://forums.grsecurity.net/viewtopic.php?f=3&t=717&p=2925#p2928 that explains the problem (text relocations). not mentioned there but paxctl -m should also allow this, so if you had done it on the affected executable already, it'll need more investigation. as for the installation troubles, that's where softmode can be useful as a quick and dirty solution.

by **circle** » Mon Mar 22, 2010 10:07 am

Thanks for your reply!

I've managed to solve the lib problems. There were a few libs that lacked the correct headers in order to work. Converting and then excluding them did the trick.

However, I've encountered a new problem with the built in PostgreSQL. When trying to run it using "su" as the app uses the db, I get another permission denied. I've search the forum without success.

I've included a strace below and my kernel config as well. The permission denied message is almost at the bottom of the strace log. Any ideas? Are there any other tools I can use in order to find out more?

The dir nxpdata holds the database and its configuration files. Further below is the ouput when su'ed and then trying to execute "postmaster".

Running strace on su'ed postmaster

Code: Select all: strace su nxpgsql -c "/opt/rapid7/nexpose/nsc/nxpgsql/pgsql/bin/postmaster -D ../nxpdata/" execve("/bin/su", ["su", "nxpgsql", "-c", "/opt/rapid7/nexpose/nsc/nxpgsql/"...], [/* 29 vars */]) = 0 brk(0) = 0x1642fc50 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=21949, ...}) = 0 mmap2(NULL, 21949, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4f119000 close(3) = 0 ... Removed some standard PAM queries... open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 _llseek(3, 0, [0], SEEK_CUR) = 0 fstat64(3, {st_mode=S_IFREG|0644, st_size=1343, ...}) = 0 mmap2(NULL, 1343, PROT_READ, MAP_SHARED, 3, 0) = 0x4f11e000 _llseek(3, 1343, [1343], SEEK_SET) = 0 munmap(0x4f11e000, 1343) = 0 close(3) = 0 open("/etc/shells", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=118, ...}) = 0 fstat64(3, {st_mode=S_IFREG|0644, st_size=118, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4f11e000 read(3, "# /etc/shells: valid login shell"..., 4096) = 118 read(3, "", 4096) = 0 close(3) = 0 munmap(0x4f11e000, 4096) = 0 rt_sigaction(SIGINT, {SIG_IGN, [INT], SA_RESTART}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_IGN, [QUIT], SA_RESTART}, {SIG_DFL, [], 0}, 8) = 0 time(NULL) = 1269261499 getuid32() = 0 getuid32() = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 _llseek(3, 0, [0], SEEK_CUR) = 0 fstat64(3, {st_mode=S_IFREG|0644, st_size=1343, ...}) = 0 mmap2(NULL, 1343, PROT_READ, MAP_SHARED, 3, 0) = 0x4f11e000 _llseek(3, 1343, [1343], SEEK_SET) = 0 munmap(0x4f11e000, 1343) = 0 close(3) = 0 geteuid32() = 0 open("/etc/shadow", O_RDONLY|O_CLOEXEC) = 3 _llseek(3, 0, [0], SEEK_CUR) = 0 fstat64(3, {st_mode=S_IFREG|0600, st_size=1200, ...}) = 0 mmap2(NULL, 1200, PROT_READ, MAP_SHARED, 3, 0) = 0x4f11e000 _llseek(3, 1200, [1200], SEEK_SET) = 0 munmap(0x4f11e000, 1200) = 0 close(3) = 0 time(NULL) = 1269261499 rt_sigaction(SIGINT, {SIG_DFL, [INT], SA_RESTART}, {SIG_IGN, [INT], SA_RESTART}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL, [QUIT], SA_RESTART}, {SIG_IGN, [QUIT], SA_RESTART}, 8) = 0 open("/etc/login.defs", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=10006, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4f11e000 read(3, "#\n# /etc/login.defs - Configurat"..., 4096) = 4096 read(3, "nfiguration initializations:\n#\n#"..., 4096) = 4096 read(3, "t number of rounds (5000).\n# The"..., 4096) = 1814 read(3, "", 4096) = 0 close(3) = 0 munmap(0x4f11e000, 4096) = 0 time(NULL) = 1269261499 open("/etc/localtime", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=1892, ...}) = 0 fstat64(3, {st_mode=S_IFREG|0644, st_size=1892, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4f11e000 read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 1892 _llseek(3, -28, [1864], SEEK_CUR) = 0 read(3, "\nCET-1CEST,M3.5.0,M10.5.0/3\n", 4096) = 28 close(3) = 0 munmap(0x4f11e000, 4096) = 0 getpid() = 20501 socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket) close(3) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0 send(3, "<86>Mar 22 13:38:19 su[20501]: S"..., 65, MSG_NOSIGNAL) = 65 time(NULL) = 1269261499 send(3, "<86>Mar 22 13:38:19 su[20501]: +"..., 52, MSG_NOSIGNAL) = 52 setgid32(1007) = 0 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 4 read(4, "65536\n", 31) = 6 close(4) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4 connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(4) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4 connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(4) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 4 _llseek(4, 0, [0], SEEK_CUR) = 0 fstat64(4, {st_mode=S_IFREG|0644, st_size=690, ...}) = 0 mmap2(NULL, 690, PROT_READ, MAP_SHARED, 4, 0) = 0x4f11e000 _llseek(4, 690, [690], SEEK_SET) = 0 fstat64(4, {st_mode=S_IFREG|0644, st_size=690, ...}) = 0 munmap(0x4f11e000, 690) = 0 close(4) = 0 setgroups32(1, [1007]) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 _llseek(4, 0, [0], SEEK_CUR) = 0 fstat64(4, {st_mode=S_IFREG|0644, st_size=1343, ...}) = 0 mmap2(NULL, 1343, PROT_READ, MAP_SHARED, 4, 0) = 0x4f11e000 _llseek(4, 1343, [1343], SEEK_SET) = 0 munmap(0x4f11e000, 1343) = 0 close(4) = 0 getrlimit(RLIMIT_CPU, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_FSIZE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_DATA, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_RSS, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_NPROC, {rlim_cur=28670, rlim_max=28670}) = 0 getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0 getrlimit(RLIMIT_MEMLOCK, {rlim_cur=64*1024, rlim_max=64*1024}) = 0 getrlimit(RLIMIT_AS, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_LOCKS, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 getrlimit(RLIMIT_SIGPENDING, {rlim_cur=28670, rlim_max=28670}) = 0 getrlimit(RLIMIT_MSGQUEUE, {rlim_cur=800*1024, rlim_max=800*1024}) = 0 getrlimit(RLIMIT_NICE, {rlim_cur=0, rlim_max=0}) = 0 getrlimit(RLIMIT_RTPRIO, {rlim_cur=0, rlim_max=0}) = 0 getpriority(PRIO_PROCESS, 0) = 20 open("/etc/security/limits.conf", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=1825, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4f11e000 read(4, "# /etc/security/limits.conf\n#\n#E"..., 4096) = 1825 read(4, "", 4096) = 0 close(4) = 0 munmap(0x4f11e000, 4096) = 0 open("/etc/security/limits.d", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 4 getdents64(4, /* 2 entries */, 32768) = 48 getdents64(4, /* 0 entries */, 32768) = 0 close(4) = 0 setpriority(PRIO_PROCESS, 0, 0) = 0 open("/etc/security/pam_env.conf", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2980, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4f11e000 read(4, "#\n# This is the configuration fi"..., 4096) = 2980 read(4, "", 4096) = 0 close(4) = 0 munmap(0x4f11e000, 4096) = 0 open("/etc/environment", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=97, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4f11e000 read(4, "#\n# This file is parsed by pam_e"..., 4096) = 97 read(4, "", 4096) = 0 close(4) = 0 munmap(0x4f11e000, 4096) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 _llseek(4, 0, [0], SEEK_CUR) = 0 fstat64(4, {st_mode=S_IFREG|0644, st_size=1343, ...}) = 0 mmap2(NULL, 1343, PROT_READ, MAP_SHARED, 4, 0) = 0x4f11e000 _llseek(4, 1343, [1343], SEEK_SET) = 0 munmap(0x4f11e000, 1343) = 0 close(4) = 0 stat64("/opt/rapid7/nexpose/nsc/nxpgsql/.pam_environment", 0x5d42bbf8) = -1 ENOENT (No such file or directory) getuid32() = 0 access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory) open("/var/run/utmp", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 4 _llseek(4, 0, [0], SEEK_SET) = 0 alarm(0) = 0 rt_sigaction(SIGALRM, {0x4f092b00, [], 0}, {SIG_DFL, [], 0}, 8) = 0 alarm(1) = 0 fcntl64(4, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0 read(4, "\10\0\0\0r\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\10\0\0\0\303\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\1\0\0\0003N\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\10\0\0\0\225\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\6\0\0\0\2\4\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\6\0\0\0\220\20\0\0tty2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\6\0\0\0\221\20\0\0tty3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\6\0\0\0\222\20\0\0tty4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\6\0\0\0\223\20\0\0tty5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\6\0\0\0\224\20\0\0tty6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\7\0\0\0\341V\0\0pts/0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\7\0\0\0KO\0\0pts/1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\10\0\0\0'p\0\0pts/2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(4, "\7\0\0\0a\r\0\0pts/4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 fcntl64(4, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0 alarm(0) = 1 rt_sigaction(SIGALRM, {SIG_DFL, [], 0}, NULL, 8) = 0 close(4) = 0 getuid32() = 0 time(NULL) = 1269261499 send(3, "<86>Mar 22 13:38:19 su[20501]: p"..., 100, MSG_NOSIGNAL) = 100 open("/etc/security/pam_env.conf", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=2980, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4f11e000 read(4, "#\n# This is the configuration fi"..., 4096) = 2980 read(4, "", 4096) = 0 close(4) = 0 munmap(0x4f11e000, 4096) = 0 open("/etc/environment", O_RDONLY|O_LARGEFILE) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=97, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4f11e000 read(4, "#\n# This file is parsed by pam_e"..., 4096) = 97 read(4, "", 4096) = 0 close(4) = 0 munmap(0x4f11e000, 4096) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 _llseek(4, 0, [0], SEEK_CUR) = 0 fstat64(4, {st_mode=S_IFREG|0644, st_size=1343, ...}) = 0 mmap2(NULL, 1343, PROT_READ, MAP_SHARED, 4, 0) = 0x4f11e000 _llseek(4, 1343, [1343], SEEK_SET) = 0 munmap(0x4f11e000, 1343) = 0 close(4) = 0 stat64("/opt/rapid7/nexpose/nsc/nxpgsql/.pam_environment", 0x5d42bbf8) = -1 ENOENT (No such file or directory) access("/usr/X11R6/bin/xauth", X_OK) = -1 ENOENT (No such file or directory) access("/usr/bin/xauth", X_OK) = -1 ENOENT (No such file or directory) access("/usr/bin/X11/xauth", X_OK) = -1 ENOENT (No such file or directory) setuid32(1005) = 0 close(3) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x4ef86728) = 20502 rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], NULL, 8) = 0 rt_sigaction(SIGTERM, {0x16424040, [], 0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [ALRM TERM], NULL, 8) = 0 waitpid(-1, /bin/bash: /opt/rapid7/nexpose/nsc/nxpgsql/pgsql/bin/postmaster: Permission denied [{WIFEXITED(s) && WEXITSTATUS(s) == 126}], WSTOPPED) = 20502 getuid32() = 1005 time(NULL) = 1269261499 socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket) close(3) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0 send(3, "<86>Mar 22 13:38:19 su[20501]: p"..., 85, MSG_NOSIGNAL) = 85 munmap(0x4f11b000, 8204) = 0 munmap(0x4ef4d000, 8204) = 0 munmap(0x4ef48000, 16400) = 0 munmap(0x4ef30000, 94304) = 0 munmap(0x4ef2b000, 16396) = 0 munmap(0x4ef1a000, 43680) = 0 munmap(0x4ef06000, 77896) = 0 munmap(0x4ef26000, 16396) = 0 munmap(0x4ef03000, 8204) = 0 munmap(0x4eefe000, 16396) = 0 munmap(0x4eefb000, 8204) = 0 exit_group(126) = ?

Running postmaster when already su'ed

Code: Select all: nxpgsql@myhost ~/pgsql $ bin/postmaster -D ../nxpdata/ LOG: 00000: invalid binary "/opt/rapid7/nexpose/nsc/nxpgsql/pgsql/bin/postmaster" LOCATION: find_my_exec, exec.c:213 FATAL: XX000: bin/postmaster: could not locate my own executable path LOCATION: PostmasterMain, postmaster.c:409 nxpgsql@myhost ~/pgsql $

Kernel .config (2.6.28)

Code: Select all: # # Security options # # # Grsecurity # CONFIG_GRKERNSEC=y # CONFIG_GRKERNSEC_LOW is not set # CONFIG_GRKERNSEC_MEDIUM is not set # CONFIG_GRKERNSEC_HIGH is not set CONFIG_GRKERNSEC_HARDENED_SERVER=y # CONFIG_GRKERNSEC_HARDENED_WORKSTATION is not set # CONFIG_GRKERNSEC_CUSTOM is not set # # Address Space Protection # CONFIG_GRKERNSEC_KMEM=y CONFIG_GRKERNSEC_IO=y CONFIG_GRKERNSEC_PROC_MEMMAP=y CONFIG_GRKERNSEC_BRUTE=y CONFIG_GRKERNSEC_HIDESYM=y # # Role Based Access Control Options # CONFIG_GRKERNSEC_ACL_HIDEKERN=y CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=240 # # Filesystem Protections # CONFIG_GRKERNSEC_PROC=y # CONFIG_GRKERNSEC_PROC_USER is not set CONFIG_GRKERNSEC_PROC_USERGROUP=y CONFIG_GRKERNSEC_PROC_GID=10 CONFIG_GRKERNSEC_PROC_ADD=y CONFIG_GRKERNSEC_LINK=y CONFIG_GRKERNSEC_FIFO=y CONFIG_GRKERNSEC_CHROOT=y CONFIG_GRKERNSEC_CHROOT_MOUNT=y CONFIG_GRKERNSEC_CHROOT_DOUBLE=y CONFIG_GRKERNSEC_CHROOT_PIVOT=y CONFIG_GRKERNSEC_CHROOT_CHDIR=y CONFIG_GRKERNSEC_CHROOT_CHMOD=y CONFIG_GRKERNSEC_CHROOT_FCHDIR=y CONFIG_GRKERNSEC_CHROOT_MKNOD=y CONFIG_GRKERNSEC_CHROOT_SHMAT=y CONFIG_GRKERNSEC_CHROOT_UNIX=y CONFIG_GRKERNSEC_CHROOT_FINDTASK=y CONFIG_GRKERNSEC_CHROOT_NICE=y CONFIG_GRKERNSEC_CHROOT_SYSCTL=y CONFIG_GRKERNSEC_CHROOT_CAPS=y # # Kernel Auditing # # CONFIG_GRKERNSEC_AUDIT_GROUP is not set # CONFIG_GRKERNSEC_EXECLOG is not set CONFIG_GRKERNSEC_RESLOG=y # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set CONFIG_GRKERNSEC_AUDIT_MOUNT=y # CONFIG_GRKERNSEC_AUDIT_IPC is not set CONFIG_GRKERNSEC_SIGNAL=y CONFIG_GRKERNSEC_FORKFAIL=y CONFIG_GRKERNSEC_TIME=y CONFIG_GRKERNSEC_PROC_IPADDR=y # CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set # # Executable Protections # CONFIG_GRKERNSEC_EXECVE=y CONFIG_GRKERNSEC_DMESG=y # CONFIG_GRKERNSEC_TPE is not set # # Network Protections # CONFIG_GRKERNSEC_RANDNET=y # CONFIG_GRKERNSEC_SOCKET is not set # # Sysctl support # CONFIG_GRKERNSEC_SYSCTL=y CONFIG_GRKERNSEC_SYSCTL_ON=y # # Logging Options # CONFIG_GRKERNSEC_FLOODTIME=10 CONFIG_GRKERNSEC_FLOODBURST=4 # # PaX # CONFIG_PAX=y # # PaX Control # # CONFIG_PAX_SOFTMODE is not set CONFIG_PAX_EI_PAX=y CONFIG_PAX_PT_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set CONFIG_PAX_HAVE_ACL_FLAGS=y # CONFIG_PAX_HOOK_ACL_FLAGS is not set # # Non-executable pages # CONFIG_PAX_NOEXEC=y CONFIG_PAX_PAGEEXEC=y CONFIG_PAX_SEGMEXEC=y # CONFIG_PAX_EMUTRAMP is not set CONFIG_PAX_MPROTECT=y CONFIG_PAX_NOELFRELOCS=y # # Address Space Layout Randomization # CONFIG_PAX_ASLR=y CONFIG_PAX_RANDKSTACK=y CONFIG_PAX_RANDUSTACK=y CONFIG_PAX_RANDMMAP=y # # Miscellaneous hardening features # CONFIG_PAX_MEMORY_SANITIZE=y CONFIG_PAX_MEMORY_UDEREF=y CONFIG_PAX_REFCOUNT=y CONFIG_KEYS=y CONFIG_KEYS_DEBUG_PROC_KEYS=y CONFIG_SECURITY=y # CONFIG_SECURITYFS is not set CONFIG_SECURITY_NETWORK=y # CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_SECURITY_FILE_CAPABILITIES=y # CONFIG_SECURITY_ROOTPLUG is not set CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536 # CONFIG_SECURITY_SELINUX is not set # CONFIG_SECURITY_SMACK is not set CONFIG_CRYPTO=y

by **PaX Team** » Mon Mar 22, 2010 11:20 am

circle wrote:I've included a strace below and my kernel config as well. The permission denied message is almost at the bottom of the strace log. Any ideas?

try strace -f at least because the failing syscall is in a child process, not the main one.

grsecurity forums

GrSecurity PaX and NeXpose Community Ed. failing

GrSecurity PaX and NeXpose Community Ed. failing

Re: GrSecurity PaX and NeXpose Community Ed. failing

Re: GrSecurity PaX and NeXpose Community Ed. failing

Re: GrSecurity PaX and NeXpose Community Ed. failing