Re: [vserver] Kernel bug in __sock_sendmsg

From: Rik Bobbaers <rik_at_enzoverder.be>
Date: Wed 16 Jun 2010 - 10:39:30 BST
Message-ID: <56271.85.91.175.222.1276681170.squirrel@www.enzoverder.be>

heya,

So... it definitely was a bug... which is fixed!!!
http://people.linux-vserver.org/~harry/patch-2.6.32.15-vs2.3.0.36.29.4-grsec2.1.14-20100616.diff

Try that one!

Grtzzz... (and thx for the bug report)

Rik Bobbaers

-- http://harry.enzoverder.be
linux/unix/system/network/security/hardware admin
infrastructure architect

> On Tuesday 15 June 2010 15:18:20 you wrote:
>
>> can you please read the readme on my page:
>> http://people.linux-vserver.org/~harry/
>
> I've read that page before and I've set it accordingly:
> kernel.grsecurity.chroot_caps = 0
> kernel.grsecurity.chroot_deny_chmod = 0
> kernel.grsecurity.chroot_deny_chroot = 0
> kernel.grsecurity.chroot_deny_mount = 0
> kernel.grsecurity.chroot_findtask = 0
>
> kernel.grsecurity.chroot_deny_fchdir = 1
> kernel.grsecurity.chroot_deny_mknod = 1
> kernel.grsecurity.chroot_deny_pivot = 1
> kernel.grsecurity.chroot_deny_shmat = 1
> kernel.grsecurity.chroot_deny_sysctl = 1
> kernel.grsecurity.chroot_deny_unix = 1
> kernel.grsecurity.chroot_enforce_chdir = 1
> kernel.grsecurity.chroot_restrict_nice = 1
>
> I can disable remaining restrictions, but I don't see how it correlates
> with PAX catching refcount overflow. VServer starts normally, just after
> some time (I guess when some amount of data was transmitted/received) all
> processes which try to do networking freeze. Then I have to restart the
> vserver to make it work again.
>
>> and while you're at it, use the latest patch for 2.6.32.15. It contains
>> some bugfixes too.
>
> The server is quite hard to approach physically, so I would like to keep
> reboots to a minimum. Are there changes in vserver code or only in linux
> version?
>
> Thanks,
> Jan Pobrislo
>
Received on Wed Jun 16 10:42:10 2010

Generated on Wed 16 Jun 2010 - 10:42:14 BST by hypermail 2.1.8