grsec + HPasm (fan control, etc.)

Post by icc » Sun Apr 27, 2008 9:46 am

As the subject indicates, the HPasm (health monitor, fan control, etc) doesn't work with grsec (2.6.24.5).

Startup error-output:
Code:
$ /etc/init.d/hpasm start
/etc/init.d/hpasm: line 9: /etc/init.d/functions: No such file or directory
   Starting Proliant System Health Monitor (hpasmd):
Starting Foundation Agents (cmafdtn): cmathreshd cmahostd cmapeerd
   Starting Threshold agent (cmathreshd):
   Starting Host agent (cmahostd):
   Starting SNMP Peer (cmapeerd):

Starting Server Agents (cmasvr): cmastdeqd cmahealthd cmaperfd
   Starting Standard Equipment agent (cmastdeqd):
   Starting Health agent (cmahealthd):
   Starting Performance agent (cmaperfd):

Starting Storage Agents (cmastor): cmaeventd cmaidad cmafcad cmaided cmascsid cmasasd
   Starting Storage Event Logger (cmaeventd):
   Starting IDA agent (cmaidad):
   Starting FCA agent (cmafcad):
   Starting IDE agent (cmaided):
   Starting SCSI agent (cmascsid):
   Starting SAS agent (cmasasd):

The binary "/opt/compaq/foundation/bin/cmapeerd" depends on "not".
The binary "/opt/compaq/foundation/bin/cmahostd" depends on "not".
The binary "/opt/compaq/foundation/bin/cmathreshd" depends on "not".
The binary "/opt/compaq/server/bin/cmastdeqd" depends on "not".
The binary "/opt/compaq/hpasmd/bin/hpasmd" depends on "not".
The binary "/opt/compaq/hpasmd/bin/hpasmxld" depends on "not".
The binary "/opt/compaq/hpasmd/bin/hpasmchifd" depends on "not".
hpasm:  Server Management is not fully enabled

Although HPasm just seems like a bunch of poor bash scripts running daemons, it's useful for getting temperatures, controlling fans and monitoring the server's hardware. Without it all system fans are just running at 100% all the time, which is not very pleasant for us geeks in the server room :P

So, has anyone got grsec working with HPasm?

For extra bonus-points, could someone explain to me why HP would use software to control the fans instead of letting the hardware deal with it? :cry:

Re: grsec + HPasm (fan control, etc.)

Post by cormander » Sun Apr 27, 2008 12:25 pm

icc wrote: As the subject indicates, the HPasm (health monitor, fan control, etc) doesn't work with grsec (2.6.24.5).

Startup error-output:
Code:
$ /etc/init.d/hpasm start
/etc/init.d/hpasm: line 9: /etc/init.d/functions: No such file or directory

What distribution of linux are you running? And is the RBAC system enabled or not?

icc wrote: For extra bonus-points, could someone explain to me why HP would use software to control the fans instead of letting the hardware deal with it? :cry:

HP is a hardware company. They're having delusions of grandeur in thinking they're a software company too (which just ends up in being a crappy combination of shell scripts launching daemons :lol: )

But that's just a guess.

Re: grsec + HPasm (fan control, etc.)

Post by icc » Sun Apr 27, 2008 2:30 pm

Well, I'm using ubuntu-server 8.04 (default is bash not dash), the kernel (2.6.24.5-grsec) is compiled with "High"-security and no RBAC. The HPasm-package is the newest debian package from HP.com (yes, they now support debian). HPasm works when the kernel isn't grsec patched. I think the problem lies in the hpasmd daemon which won't start, the bash scripts run perfectly and there is no error output anywhere. I wonder why they won't share any info on the hpasmd daemon :evil:
I guess the only solution would be turning down the security until I find the cause.

HPasm is very confusing, having a bunch of daemons launched by bash scripts, using snmpd and some tainted kernel modules :cry:

Re: grsec + HPasm (fan control, etc.)

Post by cormander » Sun Apr 27, 2008 3:26 pm

Run it with strace:

strace -s 1000 -f -o /tmp/hpasm.strace /etc/init.d/hpasm start

After it finishes, the full strace output will be in /tmp/hpasm.strace

It'll probably be quite the big text file; if you gzip it and email it to me ( admin at ravencore dot com ), I'll have a look at what calls are getting denied.

Re: grsec + HPasm (fan control, etc.)

Post by icc » Sun Apr 27, 2008 4:17 pm

Ok, for those of you who know these system calls and can tell me what crashes.

Here's trace for /etc/init.d/hpasm start: hpasm.strace
Here's trace for hpasmd only: hpasmd.strace

Note, I ran /etc/init.d/hpasm stop to stop strace once it was done starting.

I've also noted that hpasm creates stuff in /dev when not running grsec, that doesn't happen with grsec!

EDIT:
Could it have something to do with lgetxattr and getxattr, since all operations fail?
Code:
lgetxattr("/proc/4584/fd/10", "security.selinux", 0x806a110, 255) = -1 EOPNOTSUPP (Operation not supported)


EDIT 2:
I added some more straces. All straces from /etc/init.d/hpasm start and then /etc/init.d/hpasm stop.
Here's a report from the grsec run: hpasm-grsec-report.strace
Here's a report from non-grsec run: hpasm-working-report.strace
Here's a trace from non-grsec run: hpasm-working.strace
Maybe it isn't lgetxattr after all :cry:

Re: grsec + HPasm (fan control, etc.)

Post by PaX Team » Sun Apr 27, 2008 9:03 pm

icc wrote: Ok, for those of you who know these system calls and can tell me what crashes.

Here's trace for /etc/init.d/hpasm start: hpasm.strace
Here's trace for hpasmd only: hpasmd.strace

Code:
5803  open("/dev/mem", O_RDWR)          = 3
5803  mmap2(NULL, 65535, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, 3, 0xd0) = 0x51fb6000
5803  close(3)                          = 0
5803  munmap(0x51fb6000, 65535)         = 0
5803  +++ killed by SIGKILL +++

this code maps various ROM segments with access rights that won't get far under PaX/MPROTECT, better relax the restrictions (and read your kernel logs, PaX reports stuff there in cases like this).
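
Added example (not part of the thread, and not code from HP, grsecurity or PaX): a Python scan of `strace -f` output for the pattern diagnosed in the post above, i.e. mmap/mprotect calls that ask for PROT_WRITE and PROT_EXEC together, plus any process that ends with "killed by". The sample input is the excerpt quoted in that post; the function name `find_wx_requests` is made up for this example.

```python
import re

# Trace lines quoted in PaX Team's post above (strace -f output format).
SAMPLE = """\
5803  open("/dev/mem", O_RDWR)          = 3
5803  mmap2(NULL, 65535, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, 3, 0xd0) = 0x51fb6000
5803  close(3)                          = 0
5803  munmap(0x51fb6000, 65535)         = 0
5803  +++ killed by SIGKILL +++
"""

CALL = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s+=\s+(\S+)')
KILLED = re.compile(r'^(\d+)\s+\+\+\+ killed by (\w+)')

def find_wx_requests(trace):
    """Return W+X mapping requests and killed processes, in trace order."""
    open_fds = {}   # (pid, fd) -> path, so a mapping can be tied to its file
    findings = []
    for line in trace.splitlines():
        m = KILLED.match(line)
        if m:
            findings.append({"pid": m[1], "event": "killed", "signal": m[2]})
            continue
        m = CALL.match(line)
        if not m:               # e.g. "<unfinished ...>" lines are skipped
            continue
        pid, name, args, ret = m.groups()
        if name in ("open", "openat") and ret.isdigit():
            path = re.search(r'"([^"]*)"', args)
            open_fds[(pid, ret)] = path[1] if path else "?"
        elif name == "close":
            open_fds.pop((pid, args.strip()), None)
        elif name in ("mmap", "mmap2", "mprotect"):
            fields = args.split(", ")
            prot = next((a for a in fields if a.startswith("PROT_")), "")
            if {"PROT_WRITE", "PROT_EXEC"} <= set(prot.split("|")):
                # mmap/mmap2 carry the fd as 5th argument; mprotect has none
                backing = ("n/a" if name == "mprotect"
                           else open_fds.get((pid, fields[4]), "anonymous"))
                findings.append({"pid": pid, "event": "wx_request", "call": name,
                                 "prot": prot, "backing": backing})
    return findings

if __name__ == "__main__":
    for finding in find_wx_requests(SAMPLE):
        print(finding)
```

Each flagged binary is a candidate for the relaxed restrictions PaX Team mentions; the kernel log remains the authoritative record of what PaX actually denied.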

