I really excited with grsecurity's RBAC system, it is really cool and secure. But one thing spoils its usage sometimes.
Modern Quake 3 engine called ioquake3 uses executable memory pages, and calls mprotect with PROT_EXEC. On system without RBAC I can easily allow it to call mprotect with this flag, by using paxctl, but not with RBAC enabled. RBAC rejects to call mprotect even when with NOMPROTECT flag stored in executable. The following message is printed:
kernel: grsec: (undine:U:/games/quake3/ioquake3.x86_64) denied executable mprotect of /dev/zero by /games/quake3/ioquake3.x86_64[ioquake3.x86_64:18001] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:18000] uid/euid:1000/1000 gid/egid:1000/1000
RBAC points to /dev/zero, but /dev/zero never opened by program.
I tried to add /dev/zero with 'rx' object flags without any luck.
How I can resolve this issue without patching ioquake3?