gradm2 incompatibility with gentoo amd64 and hack fix


Post by Myron » Thu Jun 16, 2005 9:16 pm

If you run a Gentoo 64-bit system with the libraries set up as follows:
/lib -> /lib64
/lib32
/lib64
/usr/lib -> /usr/lib/64
/usr/lib32
/usr/lib64

You will get an error when attempting to enable grsecurity saying "duplicate object /lib /lib64 under Subject /sbin/gradm". If you look in the /etc/grsec/policy file, the subject does not exist. However, by editing gradm_adm.c and removing the following lines, the problem goes away:

add_proc_object_acl(current_subject, "/lib", proc_object_mode_conv("rx"), GR_FEXIST);
add_proc_object_acl(current_subject, "/usr/lib", proc_object_mode_conv("rx"), GR_FEXIST);

You need to do this under the function add_gradm_acl and the function add_gradm_pam_acl.

A more permanent fix would be to check, before adding the ACL, whether the link listed is a symlink, and if it is, not auto-add the ACL, as on some gentoo64 systems (mine anyway) the /lib and /usr/lib directories are symlinks.

Hopefully this will help someone else.
Myron
 
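The symlink check proposed in the post, sketched as an added example (not code from the post or from gradm). `should_autoadd`, `struct objset` and `demo_layout` are hypothetical names; the example goes slightly beyond the post by also skipping a directory already recorded under another name (same device and inode), and the /lib -> /lib64 layout is constructed under a temporary directory.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_OBJS 16
struct objset { struct stat st[MAX_OBJS]; size_t n; };

/* Hypothetical helper: 1 = auto-add a default object for path, 0 = skip it. */
static int should_autoadd(struct objset *set, const char *path)
{
    struct stat st;
    size_t i;

    if (lstat(path, &st) != 0)       /* lstat() does not follow the link */
        return 0;                    /* path missing: nothing to add */
    if (S_ISLNK(st.st_mode))
        return 0;                    /* e.g. /lib -> /lib64: skip the alias */
    for (i = 0; i < set->n; i++)     /* same directory already recorded */
        if (set->st[i].st_dev == st.st_dev && set->st[i].st_ino == st.st_ino)
            return 0;
    if (set->n < MAX_OBJS)
        set->st[set->n++] = st;
    return 1;
}

/* Constructed sample: lib64 is a real directory, lib is a symlink to it.
 * Returns a bitmask: bit 0 = lib accepted, bit 1 = lib64 accepted,
 * bit 2 = lib64 accepted a second time; -1 if the layout cannot be built. */
static int demo_layout(void)
{
    char root[] = "/tmp/gradm-demo-XXXXXX", real[64], alias[64];
    struct objset set = { .n = 0 };
    int mask = 0;

    if (!mkdtemp(root)) return -1;
    snprintf(real, sizeof real, "%s/lib64", root);
    snprintf(alias, sizeof alias, "%s/lib", root);
    if (mkdir(real, 0755) != 0 || symlink("lib64", alias) != 0) return -1;

    mask |= should_autoadd(&set, alias) << 0;
    mask |= should_autoadd(&set, real) << 1;
    mask |= should_autoadd(&set, real) << 2;
    unlink(alias); rmdir(real); rmdir(root);
    return mask;
}

int main(void) { printf("accepted mask: %d\n", demo_layout()); return 0; }
```

Only the real directory is accepted, once, so a policy built from this list would carry a single object for the library directory instead of two names for the same inode.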
