[grsec] Fedora Core 3 + kernel 2.6.10 + as2 + grsec 2.1.1 == yum problem

John Logsdon j.logsdon at quantex-research.com
Tue Feb 1 09:56:44 EST 2005


Mauro and list

You will have to chpax -ps some of the files until the problem goes away.
It is because they do silly things like try and execute things from the
stack.

Don't forget that while you can alter the PaX flag settings from gradm (i.e.
using the subject flags P, S etc) when running grsec, the PaX part of
grsec+PaX is still running even when grsec is disabled.  This is the
cause.  You can also use paxctl which is the recommended program and has
the same arguments but my kernel options are a little old!

I have a little script called chpax-all.sh which runs from rc.local on
bootup and reads from /etc/grsec/chpax-list.  Examples in my current list
include:

/usr/bin/rpm2cpio,-ps,gs added 26/1/05 because rpm doesn't work 
/usr/lib/rpm/rpmq,-ps,JL added 4/1/05 because rpm doesn't work 
/usr/lib/rpm/rpmd,-ps,gs added 26/1/05 because rpm doesn't work 
/usr/bin/python,-ps,JL added 11/1/05 to enable yum to work

There are other things as well that are specific to my hardware (Dell) -
the clue is to look in the logs and work backwards.

Note that for services, you will probably need to stop the service to
apply this so rc.local may not be the appropriate place - put it in
/etc/rc3.d/ with an appropriate S and K number so it is called in the
right order.  I guess the K number doesn't matter too much!

The script is:

#!/bin/sh 
awk -F, '{print  "chpax " $2 " " $1}' /etc/grsec/chpax-list | sh

which you can place for example in /sbin.

This should fix it for you.  Obviously change to paxctl if appropriate.

Best wishes

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon at quantex-research.com              a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com


On Tue, 1 Feb 2005, Mauro Faccenda wrote:

> Hi folks,
> 
> I'm trying to make a basic setup with a Fedora Core 3, kernel 2.6.10 + 
> as2 patches + grsec 2.1.1.
> 
> Everything seemed to be fine, with the setup I did, but yum doesn't 
> work, so I can't make the security updates from the Fedora team with 
> yum's help.
> 
> The error that I get when I try to run 'yum update' (or with any other 
> parameter) is:
> 
> 
> # yum update
> Traceback (most recent call last):
>    File "/usr/bin/yum", line 6, in ?
>      import yummain
>    File "/usr/share/yum-cli/yummain.py", line 23, in ?
>      import yum
>    File "/usr/lib/python2.3/site-packages/yum/__init__.py", line 21, in ?
>      import rpm
> ImportError: libbeecrypt.so.6: cannot enable executable stack as shared 
> object requires: Permission denied
> 
> There's no entry in the syslog, neither in terminals when yum is executed.
> 
> Any tip?
> 
> Thanks in advance,
> 	Mauro
> _______________________________________________
> grsecurity mailing list
> grsecurity at grsecurity.net
> http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
> 
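Added example, not part of the original message: a variant of the chpax-all.sh idea above that reads the same path,flags,comment list but checks each entry and hands the flags and path to the tool as arguments instead of piping generated text to sh. PAX_TOOL, LIST, the flag-letter whitelist and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not the script from the post. PAX_TOOL, LIST and the flag
# whitelist below are assumptions made for this sketch.
PAX_TOOL=${PAX_TOOL:-chpax}            # or paxctl, as the post suggests
LIST=${LIST:-/etc/grsec/chpax-list}    # lines of: path,flags,comment

# Refuse a list that group or others can write: it is applied as root at boot.
list_is_safe() {
    [ -f "$1" ] &&
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Accept one option word made only of PaX flag letters, e.g. -ps.
valid_flags() {
    case $1 in
        ''|-|-*[!PpEeMmRrXxSs]*) return 1 ;;
        -*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply every well-formed entry; report and skip the rest. Returns 1 if
# anything was skipped or the tool failed.
apply_list() {
    rc=0
    while IFS=, read -r path flags _comment || [ -n "$path" ]; do
        case $path in ''|'#'*) continue ;; esac
        case $path in
            /*) ;;
            *) echo "skip, path not absolute: $path" >&2; rc=1; continue ;;
        esac
        if ! valid_flags "$flags"; then
            echo "skip, bad flags '$flags': $path" >&2; rc=1; continue
        fi
        if [ ! -f "$path" ]; then
            echo "skip, no such file: $path" >&2; rc=1; continue
        fi
        # Flags and path are passed as two arguments, never as shell text.
        "$PAX_TOOL" "$flags" "$path" || rc=1
    done < "$1"
    return $rc
}

if [ -r "$LIST" ]; then
    list_is_safe "$LIST" && apply_list "$LIST"
fi
```

Every line in the list is a standing PaX exemption, so the skipped-entry messages on stderr are worth keeping in the boot log.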