strange problem with grsec 1.9.7 and kernel 2.4.19


Postby piavka » Wed Oct 16, 2002 6:56 am

hello all.
we're trying to use grsecurity with an ipvs enabled kernel. ( ipvs 1.0.6 )
the machine is used as a realserver
we've activated grsec on learning mode, using the basic acl from the
documentation.
now, after a short time, the system starts to behave VERY strangely:
-->very important --> this happens even when we issue "gradm -D"
and grsec is not operational. not even booting helps. ( only booting to
another kernel version -> 2.4.18 + grsec 1.9.6 + ipvs 1.0.5 and disabling
grsec.)<-- <--
at first glance, all seems to b fine. BUT, several processes do not run
at all -> like apache, and others behave strangely -> ssh, telnet ...
as for apache: when we start apache, it seems to work, all logs r ok, even
an strace looks fine, but no process is found in memory!!!!
ssh: ssh works fine when we try to connect to the server directly, but
when we're trying to use the virtual server for ssh, we get no response
from sshd!!
telnet: same as ssh

several months ago, we tried to use grsec 1.9.5 on 2.4.18 (not ipvs
enabled) and encountered similar problems.

grsec was compiled with these options:
acl debugging msg
(un)mount logging
fork failure logging
time change logging
randomized pids
randomized ip ids
randomized tcp source ports
randomized rpc xids
altered ping ids
sysctl support


and the problems persist even when we disable them from
/proc/sys/kernel/grsecurity/

p.s. all our kernels r compiled with the hidden flag patch(4 arp) and the
bonding driver patch.
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

grsec to 1.9.7c

Postby piavka » Wed Oct 16, 2002 9:18 am

updating grsec to 1.9.7c did no good.
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

Postby spender » Wed Oct 16, 2002 11:09 am

are you sure your kernel is patched correctly? Does the problem happen when you're using just the grsecurity patch?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby piavka » Wed Oct 16, 2002 2:48 pm

I had the same problem with plain kernel 2.4.18 just patched with grsec
a couple of months ago. Then i thought that maybe it was a problem with
grsec which would disappear with a new version. But now the same problem with
the new grsec version.
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

Postby spender » Wed Oct 16, 2002 3:02 pm

can you paste your ACL?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

acl

Postby piavka » Thu Oct 17, 2002 3:47 am

piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

Postby spender » Thu Oct 17, 2002 7:51 am

grsecurity can't be hiding your processes, since when grsecurity is disabled, no ACL related code is executed. Try just a clean 2.4.19 kernel with grsecurity.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

clarification

Postby piavka » Thu Oct 17, 2002 10:42 am

hello again.
i don't think u quite understood my problem:
it's not that my processes r hidden, they r not there at all!!!!
anyway, just to b sure, i recompiled a vanilla 2.4.19, and voila!
i have exactly the same problems!! (-> with apache for example.)
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

Postby spender » Thu Oct 17, 2002 11:40 am

can you paste some logs to show what happens?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby piavka » Mon Oct 21, 2002 7:25 am

hi spender,
sorry 4 the late reply.
anyway, i think i know whats wrong with apache.
take a look at this snippet from error-log:
[Mon Oct 21 13:18:27 2002] [info] mod_unique_id: using ip addr 132.72.41.61
[Mon Oct 21 13:18:28 2002] [crit] (99)Cannot assign requested address: make_sock: could not bind to address 132.72.41.50 port 80

this ip (132.72.41.50) is an alias to a bond device

i don't know why i didn't notice this b4... i let my guard down 4 a sec....
now, why grsec stops this bind? even when grsec is disabled?

i think the problems with sshd and telnet r the same.
any suggestions????
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am
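
An added example, not part of the original thread: a small triage script that reads the errno Apache prints in front of a `make_sock` bind failure and separates address-state failures (address not configured, address in use) from permission-type failures. The errno table uses Linux numbering, `SAMPLE` holds the two log lines quoted in the post above, and `diagnose` and `probe_bind` are hypothetical helper names.

```python
import errno
import re
import socket

# Linux errno numbers, as Apache prints them in its "(NN)message" prefix.
LINUX_ERRNO = {
    1: ("EPERM", "refused by privilege or access-control policy"),
    13: ("EACCES", "permission denied (unprivileged low port or access control)"),
    98: ("EADDRINUSE", "another socket already holds this address and port"),
    99: ("EADDRNOTAVAIL", "address is not configured on any local interface"),
}

BIND_FAIL = re.compile(
    r"\[(?P<when>[^\]]+)\] \[crit\] \((?P<code>\d+)\)[^:]+: "
    r"make_sock: could not bind to address (?P<ip>\S+) port (?P<port>\d+)"
)

def diagnose(line):
    """Return a dict describing a make_sock bind failure, or None."""
    m = BIND_FAIL.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    name, meaning = LINUX_ERRNO.get(code, ("UNKNOWN", "errno not in table"))
    # address_problem: the failure concerns address state, not permissions.
    return {"ip": m.group("ip"), "port": int(m.group("port")),
            "errno": name, "meaning": meaning,
            "address_problem": name in ("EADDRNOTAVAIL", "EADDRINUSE")}

def probe_bind(ip, port=0):
    """Hypothetical helper: attempt the same bind locally and name the result."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((ip, port))
        return "bindable"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

# The two error-log lines quoted in the post above.
SAMPLE = [
    "[Mon Oct 21 13:18:27 2002] [info] mod_unique_id: using ip addr 132.72.41.61",
    "[Mon Oct 21 13:18:28 2002] [crit] (99)Cannot assign requested address: "
    "make_sock: could not bind to address 132.72.41.50 port 80",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(diagnose(entry))
    print(probe_bind("0.0.0.0"))
```

Running `probe_bind` with the address from the log on the affected host shows whether that address is currently bindable there, independently of Apache.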

problem solved

Postby piavka » Tue Oct 22, 2002 8:45 am

hi
the problem was with keepalived.
we resolved it, now all works fine.
thanks!!!!
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

