Re: [Vserver] hints on kernel configuration using Grsec and Vserver

From: Christian Heim <phreak_at_gentoo.org>
Date: Thu 09 Feb 2006 - 13:36:20 GMT
Message-Id: <200602091436.29697.phreak@gentoo.org>

On Wednesday 08 February 2006 18:30, TB wrote:

> #
> # Filesystem Protections
> #
> CONFIG_GRKERNSEC_PROC=y
> CONFIG_GRKERNSEC_PROC_USER=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> CONFIG_GRKERNSEC_FIFO=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> # CONFIG_GRKERNSEC_CHROOT_DOUBLE is not set
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> # CONFIG_GRKERNSEC_CHROOT_CHMOD is not set
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> # CONFIG_GRKERNSEC_CHROOT_CAPS is not set

Take a closer look at those CHROOT CONFIGs and have another look at your
error message and you'll see it (in case you don't see it, it's
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
that should be
# CONFIG_GRKERNSEC_CHROOT_MOUNT is not set
).

> Feb 8 17:57:05 MYHOSTNAME kernel: grsec: From MYIPADDRESS: denied mount
> of proc as /var/lib/vservers/vhost0/proc from chroot by
> /var/lib/vservers/vhost0/bin/mount[mount:28032] uid/euid:0/0 gid/egid:0/0,
> parent /var/tmp/debootstrap.mVlEp8/usr/sbin/debootstrap[debootstrap:18704]
> uid/euid:0/0 gid/egid:0/0

-- 
Christian Heim <phreak@gentoo.org>
Gentoo Linux Developer - vserver

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

Received on Thu Feb 9 13:37:14 2006
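
Added example, not part of the original message: a shell check that ties grsec "denied mount ... from chroot" log entries to the CONFIG_GRKERNSEC_CHROOT_MOUNT setting named in the reply. The function names and the sample host name and address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread); helper names are hypothetical.

# Print the value of a kernel option from a .config file, or "unset".
config_state() {   # $1 = .config path, $2 = option name
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-unset}"
}

# Print "<source> <target>" for each grsec chroot mount denial in a log.
denied_chroot_mounts() {   # $1 = kernel log path
    sed -n 's/.*grsec: .*denied mount of \([^ ]*\) as \([^ ]*\) from chroot.*/\1 \2/p' "$1"
}

# Return 1 and name the option when the log shows chroot mount denials
# and CONFIG_GRKERNSEC_CHROOT_MOUNT is enabled; return 0 otherwise.
diagnose() {   # $1 = .config path, $2 = kernel log path
    denials=$(denied_chroot_mounts "$2")
    [ -n "$denials" ] || return 0
    state=$(config_state "$1" CONFIG_GRKERNSEC_CHROOT_MOUNT)
    [ "$state" = y ] || return 0
    echo "CONFIG_GRKERNSEC_CHROOT_MOUNT=$state blocks these mounts inside a chroot:"
    echo "$denials" | sed 's/^/  /'
    return 1
}

# Constructed sample input, modelled on the config and log quoted in the thread.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'CONFIG_GRKERNSEC_CHROOT=y' 'CONFIG_GRKERNSEC_CHROOT_MOUNT=y' \
        '# CONFIG_GRKERNSEC_CHROOT_DOUBLE is not set' > "$dir/config"
    printf '%s\n' 'Feb 8 17:57:05 host kernel: grsec: From 192.0.2.10: denied mount of proc as /var/lib/vservers/vhost0/proc from chroot by /var/lib/vservers/vhost0/bin/mount[mount:28032] uid/euid:0/0 gid/egid:0/0' > "$dir/log"
    diagnose "$dir/config" "$dir/log"; rc=$?
    rm -rf "$dir"
    return $rc
}

demo || echo "diagnose exit status: $?"
```

To check a real system, call diagnose with the kernel's .config and the kernel log file in place of the constructed samples.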
Generated on Thu 09 Feb 2006 - 13:37:19 GMT by hypermail 2.1.8