grsecurity forums

[mily]

Hi everybody.
I'm using new kernel with GrSec and I have a problem with it.

To activate grsec, I need to type gradm -E, but I want to start it automatically when system boots-up. It's no problem. I've added it into runlevel. Now it starts automatically and works very nice.

But i'm typing shutdown -r now and ..... System hang up, system cannot unload modules, cannot unmount / and cannot stop services . Yeah, it's possible to reboot computer, by typing gradm -D before every shutdown, but i don't want to type password everytime, when I want to shutdown system.

Is it posiible to reboot system without stopping GrSecurity ??

[Xerxes83]

I am also interested in this, since my system won't shutdown while Grsecurity is activated. And disabling Grsecurity before shutting down the system defeats the purpose of using a RBAC system... you just make an exploit that does all the bad stuff when it receives a KILL signal.

[majuri]

I have exactly the same problem, if I run reboot from console, system will start shutdown, but RBAC won't get disabled, and system wont boot.

Funny thing is that sshd doesn't get disabled. And Im still able to login via ssh, auth myself to admin, and run reboot. And if I run reboot via ssh, RBAC enabled, system will boot.

[schmeggahead]

I set the system for full learning and shutdown the system
I set the system for full learning and restarted the system
I generated the roles for each and combined

I'm in the process of testing it.
I would be interested in your run script that starts gradm -E
Did you run it in boot level and where is it in relation to when sysctl is executed?
I would think that there is a potential for exploit prior to the running of the init script, so was interested in where you placed it (before others run, etc.)

I would think you would have to start with the script set to full learning on boot to get a viable policy set for startup.