
Grsec on CentOS6

Posted: Thu Aug 18, 2011 9:11 am
by melco
Hi
I've tried to harden CentOS even more and enhance it with a grsec-patched kernel.
I've got 2.6.32.45 and applied grsecurity-2.2.2-2.6.32.45-201108172006.patch
Config here
Problems:
1. gradm doesn't work (posted question here)
2. Without the "selinux=0" kernel option, boot fails. Screenshot of KVM machine:
Image

Re: Grsec on CentOS6

Posted: Thu Aug 18, 2011 9:37 am
by spender
It looks like you'll have to enable the sysctl option and then turn the chroot options on at runtime, as your initrd for some reason wants to mount filesystems within a chroot.

-Brad

Re: Grsec on CentOS6

Posted: Thu Aug 18, 2011 10:09 am
by melco
What is the right way?
1. Recompile the kernel with the sysctl option for grsec.
2. Enable all features of grsec after the boot process via sysctl?

Re: Grsec on CentOS6

Posted: Thu Aug 18, 2011 10:17 am
by melco
I'm also wondering if it is too much work to make grsec-enabled kernels for major distributions like RHEL/CentOS or Debian/Ubuntu in the form of (S)RPM/deb respectively?
Is it hard to combine grsec with, say, a RedHat patched kernel? I think it would be great to have such an option.

Re: Grsec on CentOS6

Posted: Fri Aug 19, 2011 3:22 am
by melco
I've managed to boot the system with SELinux enabled by enabling sysctl support for grsec. Looks fine. At least now.

Re: Grsec on CentOS6

Posted: Mon Sep 05, 2011 7:22 am
by melco
I faced a problem. Today at night the server was rebooted. The last messages, and the only interesting ones:
Code:
Sep  4 03:38:01 2baksa kernel: PAX: From 66.249.66.51: execution attempt in: (null), 00000000-00000000 00000000
Sep  4 03:38:01 2baksa kernel: PAX: terminating task: /usr/sbin/httpd(httpd):12947, uid/euid: 48/48, PC: 00006aea25ddcaa0, SP: 000077a3439ee338
Sep  4 03:38:01 2baksa kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Sep  4 03:38:01 2baksa kernel: PAX: bytes at SP-8: 00000bbf6975ef80 00006aea2ed2fa20 0000000000000000 0000000000000000 0000000000000000 00000bbf00000002 0000000000000000 000000000000000b c08e69804da8f602 00000bbf69867490 00000bbf698d8ec0
Sep  4 03:38:01 2baksa kernel: PAX: From 66.249.66.242: execution attempt in: (null), 00000000-00000000 00000000
Sep  4 03:38:01 2baksa kernel: PAX: terminating task: /usr/sbin/httpd(httpd):10619, uid/euid: 48/48, PC: 00006aea25ddcaa0, SP: 000077a3439eea78
Sep  4 03:38:01 2baksa kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Sep  4 03:38:01 2baksa kernel: PAX: bytes at SP-8: 00000bbf6975ef80 00006aea2ed2fa20 0000000000000000 0000000000000000 0000000000000000 00000bbf00000002 0000000000000000 000000000000000b c08e69804da8f602 00000bbf69867490 00000bbf698d8ec0
Sep  4 03:38:02 2baksa rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="1349" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'restart'.
Sep  4 03:38:02 2baksa kernel: Kernel logging (proc) stopped.

Could it be that the grsec patch forced the server to reboot? Where should I start looking for the cause of the reboot?

Thanks a lot!
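
Added example (not part of the original thread): a Python sketch for triaging the PaX messages quoted in the post above. It pairs each "execution attempt" line with the "terminating task" line that follows it and groups terminations by binary and faulting PC. The function names are illustrative, and treating the "From <ip>:" prefix as optional is an assumption.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (the "bytes at" dump lines are omitted).
SAMPLE = """\
Sep  4 03:38:01 2baksa kernel: PAX: From 66.249.66.51: execution attempt in: (null), 00000000-00000000 00000000
Sep  4 03:38:01 2baksa kernel: PAX: terminating task: /usr/sbin/httpd(httpd):12947, uid/euid: 48/48, PC: 00006aea25ddcaa0, SP: 000077a3439ee338
Sep  4 03:38:01 2baksa kernel: PAX: From 66.249.66.242: execution attempt in: (null), 00000000-00000000 00000000
Sep  4 03:38:01 2baksa kernel: PAX: terminating task: /usr/sbin/httpd(httpd):10619, uid/euid: 48/48, PC: 00006aea25ddcaa0, SP: 000077a3439eea78
"""

# Assumption: the "From <ip>: " prefix may be absent, so it is matched as optional.
ATTEMPT = re.compile(
    r"PAX: (?:From (?P<src>\S+): )?execution attempt in: (?P<region>.+?), "
    r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)")
TERM = re.compile(
    r"PAX: terminating task: (?P<path>.+?)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")

def parse_pax_events(text):
    """Return one dict per termination, merged with the preceding attempt line."""
    events, pending = [], None
    for line in text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = TERM.search(line)
        if m:
            # A termination with no attempt line before it still yields an event.
            ev = dict(pending or {"src": None, "region": None, "start": None, "end": None})
            ev.update(m.groupdict())
            ev["pid"] = int(ev["pid"])
            events.append(ev)
            pending = None
    return events

def summarize(events):
    """Group by (binary, PC): the same PC in several pids means they faulted at the same address."""
    groups = defaultdict(lambda: {"pids": set(), "sources": set()})
    for ev in events:
        g = groups[(ev["path"], ev["pc"])]
        g["pids"].add(ev["pid"])
        if ev["src"]:
            g["sources"].add(ev["src"])
    return dict(groups)

if __name__ == "__main__":
    for (path, pc), g in summarize(parse_pax_events(SAMPLE)).items():
        print(path, "PC", pc, "pids", sorted(g["pids"]), "from", sorted(g["sources"]))
```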