Strange denials while switching from 2.6.20 to 2.6.21
Posted: Wed Jun 27, 2007 12:00 am
I've upgraded recently from 2.6.20-hardened-r2 to 2.6.21-hardened-r3.
Besides my sn9c102 webcam having stopped working, giving -ENOSPC in usb_submit_urb (aaarrgh - reported upstream), some lovely denials showed up.
In the meantime I've added some rules to fine-tune my laptop using the information provided by powertop.
There were denials writing /sys/module/snd_ac97_codec/parameters/power and /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor. At first I thought it was a trivial mistake, but I couldn't get rid of these. While shutting down my computer I saw two more denials while the system tried to flush the routing table (/proc/sys/net/ipv4/route/flush - by /sbin/ip). These two were surprising, because I didn't touch that rule. I've double-checked the whole policy for missing brackets.
Things got stranger when I noticed that one other machine I've upgraded showed exactly similar denials.
Now I booted 2.6.20 again and saw that everything is normal! The symptom is absolutely reproducible. Whenever I boot the former kernel the denials disappear, while after booting the latter they return.
My question would be:
Were there any changes regarding the handling of /proc and /sys directories between grsec-2.1.10-2.6.20.6-200704091818 and grsec-2.1.10-2.6.21.1-200705221918?
If not: are there any hints on my problem? I'm using dazuko, which is enabled only on some user's directory and working fine along with clamav's clamuko.
Regards,
Dw.