grsec for Mandrake

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

grsec for Mandrake

Postby Edival » Tue Jun 03, 2003 5:44 pm

Does anyone have any idea HOW THE HELL Mandrake expects users to configure grsecurity? They don't include any tools to configure it like gradm or anything.

Any help would be appreciated. grsec keeps denying me permission to run certain programs on my own server.

Thanks.
Edival
 
Posts: 2
Joined: Tue Jun 03, 2003 5:42 pm

Postby spender » Wed Jun 04, 2003 1:30 pm

I wish I knew the answer. Mandrake never responds to my repeated mails.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Edival » Wed Jun 11, 2003 2:45 pm

One of the guys on Mandrakeclub.com has finished a patch for the secure kernel, and will be releasing it public soon. A good FTP site to get it from will be: ftp://mirrors.secsup.org/pub/linux/mand ... /9.1/i586/

It's called Kernel-with-acl-support or something. Should be available in the next day or two.
Edival
 
Posts: 2
Joined: Tue Jun 03, 2003 5:42 pm

Postby espicom » Wed Oct 08, 2003 1:13 pm

It's just under 4 months since the original post on this thread, and I can not find anything useful on the net about managing GRSecurity under Mandrake. Well, not anything that WORKS. I have found at least 4 "incidents" (not counting my own) on mandrakeexperts.com that are related to Mandrake's version of grsec being broke, with no responses from their experts.

Today, I got a suggestion of editing my ".config" file to enable sysctl, but I can't find one of those on any of the systems involved. I just want to make it possible for apache to run a couple of CGI programs... Why does it have to be so hard?

Is there a way to manage Mandrake's version of GRSecurity without recompiling the kernel to install the latest from source?
espicom
 
Posts: 3
Joined: Wed Oct 08, 2003 12:45 pm

rpm of gradm

Postby acidpick » Fri Oct 10, 2003 2:41 pm

acidpick
 
Posts: 1
Joined: Fri Oct 10, 2003 2:39 pm

Postby espicom » Sat Oct 11, 2003 3:39 am

Thanks - I'll check them out. It's been a very frustrating 3 weeks here, since I've also been making updates to the affected program, so having Mandrake barf all over it at the same time was trying my sanity... And the near total lack of anyone willing to answer how to fix it made it maddening!

I'll check back in after I test things. I thought I'd tripped over an answer in the acl package that comes with MDK, but it doesn't do much more than chmod can do.

Jeff
espicom
 
Posts: 3
Joined: Wed Oct 08, 2003 12:45 pm

Postby PaX Team » Sat Oct 11, 2003 7:32 pm

espicom wrote:And the near total lack of anyone willing to answer how to fix it made it maddening!
maybe the following will sound a bit disappointing to you, but the fact is that grsecurity is supported on exactly one kernel version: vanilla from kernel.org. every other combination is the responsibility of the respective party who makes it (well, more or less, we do try to support some other patches as well, but only when they use the latest version which is not true for Mandrake). Mandrake's case is particularly painful as spender did try to tell them a while ago to keep using the latest versions, all in vain as you had to find it out the hard way. if the vanilla kernel is ok for you, please use it by all means, then we can actually support you, should you still run into problems.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby espicom » Wed Oct 15, 2003 2:40 pm

the fact is that grsecurity is supported on exactly one kernel version: vanilla from kernel.org.


This does not surprise me. What does surprise me, though, is that Mandrake would make anything a key part of their security model, and yet not provide any configuration utilities or even information on it...

More surprising has been the fact that it is so difficult to find help; typically, if I type the text of an error message into Google, I can find many sites that have answers to my problem. In this case, it took visits to several dozen sites to find out that "grsec" refered to "grsecurity", and a few more sites to get a link to this site.

And, for the record, it has now been 12 days since I posted my problem on mandrakeexpert.com, and it still has not been "reviewed by an expert"!
espicom
 
Posts: 3
Joined: Wed Oct 08, 2003 12:45 pm

Any progress?

Postby DCopas » Wed Dec 10, 2003 11:43 am

Hi espicom,

I came by this thread via the same tortuous path as you...frustrating google searches.

I'm wondering: what solution have you gone with since your last post? The vanilla kernel from kernel.org? The non-secure Mandrake kernel? A recompile of the secure mdk kernel?

I *used* to really dig Mandrake...until entering this world of pain with 2.4.22-10mdksecure

*sigh*
DCopas
 
Posts: 1
Joined: Wed Dec 10, 2003 11:38 am

grsecurity works very well on the 2.4.22.10/26/28mdk kernel

Postby netpython » Thu Feb 26, 2004 2:49 pm

rpm --rebuild gradm.....src.rpm does it all
doesn't mather which version off gradm you take, i recompiled the latest
which is 2.0.4mdk-something.
netpython
 
Posts: 5
Joined: Mon Jan 19, 2004 12:02 pm


Return to grsecurity support