[grsec] Bind segfaults on restart linux-2.4.29-2.1.1

John Barton jbarton at technicalworks.net
Mon Feb 21 14:57:28 EST 2005


I have seen a few messages posted about this in the forums, but no 
suggestions on the cause of the problem. I am running 2.4.29 with 
grsecurity-2.1.1-2.4.29-200501231159.patch on a fresh installation of 
CentOS 3.4 (a rebuild of RedHat Enterprise 3). Once I boot onto my 
grsecurity-enabled kernel, bind continues to segfault and will not 
start. Any ideas would be helpful; this is a backup server, so I can help 
test any proposed solutions if needed.

I get the following message on the command line:

[root@server2 root]# /etc/init.d/named stop
Stopping named: /etc/init.d/named: line 139: 11632 Segmentation fault      /usr/sbin/rndc stop >/dev/null 2>&1
                                                           [FAILED]
[root@server2 root]# /etc/init.d/named start
Starting named:                                            [  OK  ]
[root@server2 root]# /etc/init.d/named status
/etc/init.d/named: line 139: 15702 Segmentation fault      /usr/sbin/rndc status

My grsec config is as follows:
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# PaX Control
#
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
# CONFIG_GRKERNSEC_PAX_EI_PAX is not set
# CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS is not set
CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set

#
# Address Space Protection
#
# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
# CONFIG_GRKERNSEC_PAX_ASLR is not set
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
# CONFIG_GRKERNSEC_PROC is not set
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_CHROOT is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
# CONFIG_GRKERNSEC_EXECVE is not set
# CONFIG_GRKERNSEC_SHM is not set
# CONFIG_GRKERNSEC_DMESG is not set
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4


