grsecurity forums

[skylearner]

Hi

I have 2.6.33.5 kernel I have obtained the same patch of grsecurity 2.6.33.5. I have patched my kernel and rebooted my system into the new grsecurity patch kernel 2.6.33.5. when I do a uname -a i get the following output

Code: Select all

Linux osnbld3 2.6.33.5-grsec #1 SMP Wed Jul 20 11:46:56 IST 2011 x86_64 x86_64 x86_64 GNU/Linux


Now when I am trying to install gradm I did make it succeeded without any errors, when I do make install I am getting an issue

Code: Select all

[root@osnbld3 gradm2]# make install
Installing gradm...
Installing gradm_pam...
Installing grlearn...
Installing gradm manpage...
Could not open /dev/grsec.
open: No such device or address

make: *** [install] Error 1



I am doing this on Fedora 12 base kernel is 2.6.31.5. I faced this problem with the base kernel and even 2.6.33.5

Please help

PS : I need to apply another patch to my kernel (RT patch) and this patch is not available for any of the releases of 2.6.32.x hence I had to choose either or the above kernel.

Thanks in advance

[specs]

For 2.6 kernels, we currently maintain a stable version of the patch against the 2.6.32 stable tree. The 2.6.32 stable tree is supported by a number of major vendors.

http://grsecurity.net/download_stable.php

If you combine different sets of patches you should find out who will support your kernel (if anyone does).
Just for information: the grsecurity-2.6.33.x.patch was developped for the 2.2.0-version of gradm or older. These versions have been replaced for quite some time now.

You should consider using a newer kernel _and_ the most recent matching version of gradm.

[PaX Team]

PS : I need to apply another patch to my kernel (RT patch) and this patch is not available for any of the releases of 2.6.32.x hence I had to choose either or the above kernel.

it seems that there will be a new -rt patch for 3.0 so you can use grsec with that kernel when it comes out.

[skylearner]

Hi,

My application needs to have the real time behavior and also provide Role Based Access Control. For the real time behavior I need to patch my kernel with RT patch.

My kernel version is linux 2.6.31.6 (for this kernel I could find both RT patch and Grsecurity patch ). The RT patch is used is

patch-2.6.31.6-rt19

from http://www.kernel.org/pub/linux/kernel/projects/rt/ and the Grsecurity patch

grsecurity-2.1.14-2.6.31.6-200912051443.patch

I have initially applied the RT patch and then applied grsecurity patch. It ended up the few error here are excerpts of two of them

Code: Select all


patching file linux-2.6.31.6/arch/x86/kernel/kprobes.c
Hunk #4 FAILED at 459.
1 out of 7 hunks FAILED -- saving rejects to file linux-2.6.31.6/arch/x86/kernel/kprobes.c.rej

patching file linux-2.6.31.6/arch/x86/mm/gup.c
patching file linux-2.6.31.6/arch/x86/mm/highmem_32.c
Hunk #1 FAILED at 43.
1 out of 1 hunk FAILED -- saving rejects to file linux-2.6.31.6/arch/x86/mm/highmem_32.c.rej



Please let me know how to go about it.

Thanks

PS : For the my requirement I cannot go for kernel 3.0 version

[skylearner]

PS : I need to apply another patch to my kernel (RT patch) and this patch is not available for any of the releases of 2.6.32.x hence I had to choose either or the above kernel.

it seems that there will be a new -rt patch for 3.0 so you can use grsec with that kernel when it comes out.

as per this information I need to understand few things,
1) I have looked for kernel 3.0, I could also get a RT patch for the same kernel, but could not get grsecurity patch for the same version if it is available where will i get it ??.

2) Does the above information mean that kernel 3.0 is going to have grsecurity merged in the kernel source itself or is it going to have RT facility merged in the source itself.

3) If that is not the case if these are going to be two different patches then how do we solve the issue of putting them together.

Thanks

[PaX Team]

I have initially applied the RT patch and then applied grsecurity patch. It ended up the few error here are excerpts of two of them

Code: Select all


patching file linux-2.6.31.6/arch/x86/kernel/kprobes.c
Hunk #4 FAILED at 459.
1 out of 7 hunks FAILED -- saving rejects to file linux-2.6.31.6/arch/x86/kernel/kprobes.c.rej

patching file linux-2.6.31.6/arch/x86/mm/gup.c
patching file linux-2.6.31.6/arch/x86/mm/highmem_32.c
Hunk #1 FAILED at 43.
1 out of 1 hunk FAILED -- saving rejects to file linux-2.6.31.6/arch/x86/mm/highmem_32.c.rej



Please let me know how to go about it.

rejects mean that you'll have look at the failing chunks and manually resolve them (and in general, it's a good idea to read through the fuzzily applied chunks too, or use patch -F0).

[PaX Team]

1) I have looked for kernel 3.0, I could also get a RT patch for the same kernel, but could not get grsecurity patch for the same version if it is available where will i get it ??.

we're still working on it (there's some amd64 regression that needs time to track down).

2) Does the above information mean that kernel 3.0 is going to have grsecurity merged in the kernel source itself or is it going to have RT facility merged in the source itself.

neither . it just means that one of your constraints for not using the latest grsec goes/went away.

3) If that is not the case if these are going to be two different patches then how do we solve the issue of putting them together.

well, that's what programmers are for . i personally have no time or interest in the -rt tree, so you'll have to find someone else to do the work for you (and if you stick to .31, i'd still suggest to backport the .32-grsec patch as it's being maintained and has lots of new fixes and features since .31-grsec).

[melco]

I have exactly the same issue.
System: CentOS 6
Kernel: 2.6.32.45 (git)
Patch: grsecurity-2.2.2-2.6.32.45-201108172006.patch
gradm: gradm-2.2.2-201108142019.tar.gz

Output:

Code: Select all

[root@cent6 gradm2]# gradm -S
Could not open /dev/grsec.
open: No such device or address

Any ideas?

[spender]

You can't run gradm without running a grsecurity kernel. The device /dev/grsec needs to exist as well. If you installed through make install, it should have both created the device and set up the proper udev entry for it to be created at startup.

-Brad

[melco]

Forgot to mention that I'm actually booted grsec-patched kernel with selinux=0 option

Code: Select all

[root@cent6 src]# uname -a
Linux cent6.localdomain 2.6.32.45-grsec #1 SMP Thu Aug 18 12:25:02 EEST 2011 x86_64 x86_64 x86_64 GNU/Linux

Code: Select all

[root@cent6 gradm2]# make install
Installing gradm...
Installing grlearn...
Installing gradm manpage...
isntalling...
Could not open /dev/grsec.
open: No such device or address

make: *** [install] Error 1
[root@cent6 gradm2]# ls -la /dev/grsec
crw--w--w- 1 root root 1, 13 Aug 18 17:06 /dev/grsec

[spender]

If it still doesn't work when running a grsecurity kernel, check to make sure you didn't enable the option in the kernel config to disable RBAC: CONFIG_GRKERNSEC_NO_RBAC.

-Brad

[melco]

Yes, it's the reason. You are right