grsecurity forums

hi,

Ive tried several forums and howto page but i still get this error when i started ipsec.

grsec: signal 11 sent to plutorun

I was told that i perhaps had an option in my kernel that killed ipsec. Is there someone that knows how to solve it?

Thnx

PowerEdge wrote:grsec: signal 11 sent to plutorun

I was told that i perhaps had an option in my kernel that killed ipsec. Is there someone that knows how to solve it?

you have to provide more information such as your kernel/grsec versions, kernel's .config (grsec options at least), ACLs (if you use them) and possibly an strace log to see what the app was doing before it segfaulted, etc. you can also try to disable groups of options in grsec, try with the PaX related options first, then if it doesn't help see others. in any case, report back the results so that someone can try to reproduce/fix it. by the way, signal 11 is SIGSEGV, not SIGKILL, so it does look like an application bug which is triggered by one of the grsec restrictions, question is of course which one...

i have an 2.4.22 kernel freeswan 2.02
grsec kernel options

Code: Select all

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
CONFIG_GRKERNSEC_PAX_PAGEEXEC=y
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
# CONFIG_GRKERNSEC_PAX_MPROTECT is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y
# CONFIG_GRKERNSEC_KMEM is not set
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# ACL options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=4
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_CHROOT is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
# CONFIG_GRKERNSEC_EXECVE is not set
CONFIG_GRKERNSEC_DMESG=y
# CONFIG_GRKERNSEC_RANDPID is not set
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
# CONFIG_GRKERNSEC_RANDID is not set
# CONFIG_GRKERNSEC_RANDSRC is not set
# CONFIG_GRKERNSEC_RANDRPC is not set
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4


At first i had an usb modem for my dsl line with ppp0 etc. But since i have an ethernet modem i could get ipsec funtion anymore.

I hpe this is more helpful?