Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-08 Thread Tóth Attila
On 8 June 2014 (Sun) at 01:13, Alex Efros wrote: > Hi! > > On Sat, Jun 07, 2014 at 11:48:53PM +0200, "Tóth Attila" wrote: >> > Some time ago I noticed this in kernel logs: >> > kern.alert: grsec: denied RWX mmap of by >> > /usr/lib64/python-exec/python2.7/layman[layman:9717] uid/eui

Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-08 Thread Tóth Attila
On 8 June 2014 (Sun) at 02:55, Anthony G. Basile wrote: > On 06/07/14 17:48, "Tóth Attila" wrote: >> On 7 June 2014 (Sat) at 23:22, Alex Efros wrote: >>> Some time ago I noticed this in kernel logs: >>> kern.alert: grsec: denied RWX mmap of by >>> /usr/lib64/python-exec/p

Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-08 Thread Alex Efros
Hi! On Sun, Jun 08, 2014 at 10:31:58AM +0200, "Tóth Attila" wrote: > > When running with a pax kernel, you must enable EMUTRAMP in your Kconfig > > and you must paxmark your python exe's with E. Note: EMUTRAMP is on by > > default and the ebuild automatically does the markings for you, so leave >

Re: [gentoo-hardened] hardened-sources wrt CVE-2014-3153 and CVE-2014-0196

2014-06-08 Thread Alexander Tsoy
On Sat, 07 Jun 2014 09:07:23 -0400, "Anthony G. Basile" wrote: > Hi everyone, > > This is one of those rare situations where there are enough serious > bugs against the kernel that we may have to rapid stabilize > hardened-sources-3.2.59-r5 and 3.14.5-r2. These are currently marked > ~ because I

Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-08 Thread Anthony G. Basile
On 06/08/14 04:31, "Tóth Attila" wrote: On 8 June 2014 (Sun) at 02:55, Anthony G. Basile wrote: On 06/07/14 17:48, "Tóth Attila" wrote: On 7 June 2014 (Sat) at 23:22, Alex Efros wrote: Some time ago I noticed this in kernel logs: kern.alert: grsec: denied RWX mmap of by

Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-08 Thread Tóth Attila
On 8 June 2014 (Sun) at 15:22, Anthony G. Basile wrote: > On 06/08/14 04:31, "Tóth Attila" wrote: >> On 8 June 2014 (Sun) at 02:55, Anthony G. Basile wrote: >>> On 06/07/14 17:48, "Tóth Attila" wrote: On 7 June 2014 (Sat) at 23:22, Alex Efros wrote: > Some time ago I

[gentoo-hardened] setting up pvgrub on a xen based vps

2014-06-08 Thread Jonathan Aquilina
Good evening everyone, I am trying to harden a VPS further by setting up PAX grsec and SEL. Currently the VPS is using the host's kernel. My provider has documentation on how to do this but not on how to do it on Gentoo. I have been told I need the grub legacy format menu.lst. Is there a way I can

Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-08 Thread Alex Efros
Hi! On Sun, Jun 08, 2014 at 07:41:51PM +0200, "Tóth Attila" wrote: > Alex reported correct XATTR marking and incorrect PT marking. He also > told, that he disabled PT support in his kernel config. He was affected by > the issue, but it's not clear for me: whether disabling PT support in > kernel s