compiling a grsecurity enabled kernel on CentOS 5.3

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by leonardogyn » Mon Apr 27, 2009 6:55 am

Hi,

I'm trying to compile a grsecurity enabled kernel on a CentOS 5.3 box, but I'm not getting it because the compile fails on the binutils check. It says I cannot compile a PaX enabled kernel on binutils 2.17 ... but there's not yet a binutils 2.18 for CentOS/RHEL.

Is there any workaround for that?

Thanks.
leonardogyn
 
Posts: 3
Joined: Mon Apr 27, 2009 6:51 am

Re: compiling a grsecurity enabled kernel on CentOS 5.3

Post by specs » Mon Apr 27, 2009 12:57 pm

Install binutils from the sources.

You could install them in an alternative location like /usr/local, but you've got to make sure you use them during kernel compiling.
The best way would be using the sources to build your own rpm. After building you can install it without breaking packages.
With the next upgrade you simply replace the package with a recent version of binutils.

Another alternative would be using an up-to-date workstation to compile the kernels and install those on the CentOS box.
Make sure the kernel is built to fit the target system.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: compiling a grsecurity enabled kernel on CentOS 5.3

Post by leonardogyn » Mon Apr 27, 2009 2:35 pm

Searching here on the forum, I found a user that has some RPMs for RHEL5 ...

http://rpm.cormander.com/repo/rouge-ber ... 6_64/RPMS/

There's binutils 2.18 on his repo ... I upgraded CentOS 5.3 with the ones found on the repo and things worked!!!!

No need to install in a different place ... and things seem to be working pretty well after the upgrade. I have compiled several things, including kernel and PHP, and everything is working just fine.
leonardogyn
 
Posts: 3
Joined: Mon Apr 27, 2009 6:51 am

Re: compiling a grsecurity enabled kernel on CentOS 5.3

Post by cormander » Mon Apr 27, 2009 3:31 pm

Glad it helped :wink: Be advised that the URL of that repo is subject to change here in the near future as I reorganize stuff.

I also have kernel-grsec rpms if you don't oppose the compiled config options and don't want to build the kernel yourself. The repo is actually on the grsecurity website here:

http://grsecurity.net/packages.php

(and is in my signature, of course)
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: compiling a grsecurity enabled kernel on CentOS 5.3

Post by leonardogyn » Mon Apr 27, 2009 4:17 pm

Yes, thanks for the binutils RPMs. They sure helped.

I have bookmarked your repo and took a local copy of the binutils ones :)

Thank you very much
leonardogyn
 
Posts: 3
Joined: Mon Apr 27, 2009 6:51 am

Re: compiling a grsecurity enabled kernel on CentOS 5.3

Post by tellner » Wed Feb 03, 2010 10:05 pm

Thanks very much for the RPMs, Cormander. It's all good now.

Well, almost all good.
X won't start, and looking at /var/log/messages yields
"grsec denied use of ioperm() by /usr/bin/Xorg[Xorg:4650] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/gdm-binary..."

error, and X won't start. I'm guessing that it's the same issue as this topic: viewtopic.php?f=3&t=1654
and that the RPMs were created with CONFIG_GRKERNSEC_IO set.

Do you have a version lying around which is tweaked to permit the X Server to run? My experience building and compiling kernels is the thin end of nothing, and the first attempts at patching the default CentOS kernel and building from the latest 2.6 kernel with menuconfig both ended disastrously.
tellner
 
Posts: 1
Joined: Wed Feb 03, 2010 9:12 pm
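
One way to confirm the diagnosis in the post above, as an added example that is not part of the thread: the script counts `grsec denied use of ioperm()` log lines per program and checks a kernel config file for `CONFIG_GRKERNSEC_IO=y`. The function names and the sample log and config are constructed for illustration; on CentOS the inputs would normally be /var/log/messages and /boot/config-$(uname -r) (assumed paths).

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh <this script> LOGFILE KERNEL_CONFIG

# Print "count<TAB>binary" for each program grsecurity denied ioperm() to.
grsec_ioperm_denials() {
    awk '
        /grsec:? denied use of ioperm\(\) by / {
            prog = $0
            sub(/.*denied use of ioperm\(\) by /, "", prog)  # strip syslog prefix
            sub(/\[.*/, "", prog)                              # strip [comm:pid] and the rest
            seen[prog]++
        }
        END { for (p in seen) printf "%d\t%s\n", seen[p], p }
    ' "$1" | sort -k2
}

# Exit 0 if the config has CONFIG_GRKERNSEC_IO=y, 1 if not, 2 if unreadable.
grkernsec_io_enabled() {
    [ -r "$1" ] || return 2
    grep -q '^CONFIG_GRKERNSEC_IO=y$' "$1"
}

# Tie the two together: denials plus the option enabled point at the kernel build.
diagnose() {
    denials=$(grsec_ioperm_denials "$1")
    [ -n "$denials" ] || { echo "no ioperm() denials in $1"; return 0; }
    printf '%s\n' "$denials"
    if grkernsec_io_enabled "$2"; then
        echo "CONFIG_GRKERNSEC_IO=y in $2: the denials come from this kernel option"
    else
        echo "CONFIG_GRKERNSEC_IO is not enabled in $2: look for another cause"
    fi
}

# Constructed, abbreviated sample data modelled on the log line quoted in the post.
write_sample() {
    cat > "$1/messages" <<'EOF'
Feb  3 21:40:01 host kernel: grsec: denied use of ioperm() by /usr/bin/Xorg[Xorg:4650] uid/euid:0/0 gid/egid:0/0
Feb  3 21:40:06 host kernel: grsec: denied use of ioperm() by /usr/bin/Xorg[Xorg:4671] uid/euid:0/0 gid/egid:0/0
Feb  3 21:41:00 host crond[4700]: constructed unrelated line
EOF
    printf 'CONFIG_GRKERNSEC=y\nCONFIG_GRKERNSEC_IO=y\n' > "$1/config"
}

if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

A kernel rebuilt with the option off shows `# CONFIG_GRKERNSEC_IO is not set` in its config, which the check reports as not enabled.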

Re: compiling a grsecurity enabled kernel on CentOS 5.3

Post by cormander » Wed Feb 10, 2010 1:02 pm

I'm taking the advice of spender here and from here on out I'll keep the CONFIG_GRKERNSEC_IO turned off, so new RPMs built after today won't have this problem.

If you're interested in the build system I'm setting up to make these easier to maintain, I've got a CI environment running here:

http://build.cormander.com/

It's not producing RPM files yet, but will be shortly.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm
