gradm not allowing PAX flags on subject in policy


Post by xor » Wed Jul 12, 2006 6:44 am

Hi

I'm having a problem upgrading from grsec/gradm 2.4.31-2.1.16 to 2.4.32-2.1.18. After the upgrade, gradm will no longer enable the RBAC system but chokes on the PAX flags on subjects in the policy. (The policy has remained unchanged, btw., as have the kernel config flags). To troubleshoot the issue I invented a dummy policy:

role myrole sAT {
    subject /root GXadkrv {
        /tmp rwcdx
    }
}


When I run "gradm -E" on this policy it fails with
"G" caused a invalid character on line 2 of /etc/grsec/policy

When I delete the "G" the error changes to
"X" caused a invalid ...
Only after deleting all PAX relevant flags does gradm successfully load the policy.

Has anyone seen this before? Do I have to enable something special when compiling gradm2?

thx
xor (clueless)

Post by spender » Wed Jul 12, 2006 6:47 pm

What gradm are you using? Newer gradms switched to a different, more configurable approach to setting PaX flags on a subject. It uses (+/-)PAX_SEGMEXEC, (+/-)PAX_PAGEEXEC, etc. instead of subject flags. The sample policy has more information on it. Also, RANDEXEC was removed some time ago from PaX and grsec, so you can no longer switch that on for binaries.

-Brad
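The dummy policy from the first post, rewritten in the newer style described in the reply, as an added example that is not from either poster or from the gradm sample policy. It assumes the flag lines go inside the subject body, one per line; the two flags shown are only the ones named in the reply, since the thread does not say which PaX features the old "G" and "X" letters stood for.

```text
# Constructed example: legacy PaX letters (G, X) dropped from the subject
# mode string; PaX behaviour is set with +/- lines inside the subject.
role myrole sAT {
    subject /root adkrv {
        /tmp rwcdx

        # "+" forces the feature on, "-" forces it off for this subject.
        # Illustrative choices only, not a translation of the old G/X flags.
        +PAX_SEGMEXEC
        -PAX_PAGEEXEC
    }
}
```

Check the result with the same "gradm -E" run used in the first post; the invalid character error should no longer name a PaX letter.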

