Dear Alexander,

Thanks for pointing to this bug!

I'll give another try to systemd. A duplicate of bug 472098 also contains important information:
https://bugs.gentoo.org/show_bug.cgi?id=455938
According to this bug it's enough to add polkitd to the PROC_GID group. Now I know what my problem with gdm-3.6 was! It's a pity I hadn't found this bug earlier. Sorry for the noise. I'll retry the systemd transition.

Thanks:
Dw.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2013 December 17 (Tue) 10:23, Alexander Tsoy wrote:
> On Tue, 17 Dec 2013 00:55:54 +0100
> "Tóth Attila" <at...@atoth.sote.hu> wrote:
>
>> It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It has
>> been reported as freedesktop bug #65575. Of course if there were a
>> specific group under which systemd performs its proc-related activities,
>> that could be configured as the exception GID, but I can hardly imagine
>> that this is the case. The Gentoo systemd wiki doesn't mention this point,
>> otherwise important for hardened users. The systemd dev stands his ground and
>> puts the period: nothing can be expected until grsecurity hits mainline.
>> That will obviously not happen. I understand the dev having no intentions
>> to support out-of-mainline features. Altering proc access significantly.
>>
>> Do any of you have a workaround for systemd with grsec without completely
>> losing proc restrictions?
>
> The workaround is simple:
>
> $ getent group procr
> procr:x:777:polkitd,...
> $ grep CONFIG_GRKERNSEC_PROC_GID /boot/config-3.11.9-hardened
> CONFIG_GRKERNSEC_PROC_GID=777
>
> This issue was discussed in the following bug report:
> https://bugs.gentoo.org/show_bug.cgi?id=472098
> (short summary: polkit[systemd] links with libsystemd-login.so which
> needs access to "/proc/1")
>
>>
>> I'm trying real hard to be a shepherd. But this time I feel the urge -
>> again - to purge the remnants of the once so shiny GNOME from my systems.
>>
>> Any thoughts on this? Or rather a grsec proc config workaround?
>>
>> Thx:
>> Dw.
>
> --
> Alexander Tsoy
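The workaround quoted in the thread has two halves that must agree: the GID compiled into the hardened kernel as CONFIG_GRKERNSEC_PROC_GID, and the membership of the group that carries that GID (procr, 777, in Alexander's example). The script below is an added example, not code from either poster; it reads a kernel config file and a group file in getent/`/etc/group` format and reports whether a given service account (polkitd in the thread) is listed in the exception group. The sample config and group files it builds in a temporary directory are constructed for the demonstration; on a real box you would point it at /boot/config-$(uname -r) and the output of `getent group`.

```sh
#!/bin/sh
# Added example (not from the thread): check that a service account is a member
# of the group whose GID is compiled in as CONFIG_GRKERNSEC_PROC_GID.
# Inputs are file paths so the check also runs against copies or constructed samples.

# proc_gid_from_config <kernel-config-file>
# Prints the numeric GID from the CONFIG_GRKERNSEC_PROC_GID= line; prints nothing if unset.
proc_gid_from_config() {
    sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=\([0-9][0-9]*\)$/\1/p' "$1"
}

# group_members_by_gid <group-file> <gid>
# Prints the comma-separated member field of the group with numeric GID <gid>
# (getent group format: name:passwd:gid:members). Prints nothing if no such group.
group_members_by_gid() {
    awk -F: -v gid="$2" '$3 == gid { print $4 }' "$1"
}

# user_in_proc_gid <kernel-config-file> <group-file> <user>
# Returns 0 if <user> is listed as a supplementary member of the PROC_GID group, 1 otherwise.
# Caveat: a user whose primary group (passwd GID field) is the PROC_GID group also qualifies
# for the kernel but is not listed in the group file's member field, so it is not detected here.
user_in_proc_gid() {
    gid=$(proc_gid_from_config "$1")
    if [ -z "$gid" ]; then
        echo "CONFIG_GRKERNSEC_PROC_GID is not set in $1" >&2
        return 1
    fi
    members=$(group_members_by_gid "$2" "$gid")
    case ",$members," in
        *",$3,"*)
            echo "$3 is a member of the PROC_GID group (gid $gid)"
            return 0 ;;
        *)
            echo "$3 is NOT a member of the PROC_GID group (gid $gid; members: ${members:-none})" >&2
            return 1 ;;
    esac
}

# Constructed sample inputs, using the values quoted in the thread (group procr, GID 777).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_CONFIG="$SAMPLE_DIR/config-hardened"
SAMPLE_GROUP="$SAMPLE_DIR/group"
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_GID=777
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:root,attila
procr:x:777:polkitd,attila
messagebus:x:103:
EOF

# Usage: each call prints a verdict and returns 0 (member) or 1 (not a member).
user_in_proc_gid "$SAMPLE_CONFIG" "$SAMPLE_GROUP" polkitd
user_in_proc_gid "$SAMPLE_CONFIG" "$SAMPLE_GROUP" messagebus || true
```

The membership test wraps the member list and the user name in commas so that `polkitd` does not match a hypothetical `polkitd2`, and it reads the GID from the kernel config rather than hard-coding 777, since the number is a site choice and the group name (procr here) is arbitrary. If the config line is missing, the kernel was not built with the PROC_GID exception and adding users to any group will not help, which is why that case is reported separately.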