>> grsecurity has one "feature" - if you enable sysctl support it
>> starts up with most security features disabled. You must manually
>> enable them using sysctl interface.
>
> This stuff should be done in msec, it should be done there. I guess
> flepied may have the answer for those things.

I am not as sure. You can't unconditionally add them to /etc/sysctl.conf because they do not exist in a normal kernel if you ever boot it. So you have to check on bootup if it is a secure kernel. O.K. it is possible to check for /proc/sys/kernel/grsecurity ... (IIRC there was a bug that this has been created even when sysctl support has been disabled, maybe it is fixed now)

IMHO removing ifdef SYSCTL is much more simple. I do not say that msec should not handle it as well :) I just say that if I configure a feature as enabled in the kernel I expect it to _really_ be enabled.

-andrey
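
The boot-time check discussed above, as an added example that is not part of the original message and is not msec or grsecurity code. The function name, the PROC_SYS override and the separate settings file are assumptions made for illustration; each entry is checked individually because the directory alone may not prove the settings exist.

```shell
#!/bin/sh
# Apply grsecurity sysctl settings only when the running kernel exposes them,
# so the same configuration is harmless when a normal kernel is booted.
# PROC_SYS is overridable (assumption for this example) so the logic can be
# exercised against a scratch directory instead of the live /proc/sys.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# apply_grsec_sysctls CONF
#   CONF holds "kernel.grsecurity.<name> = <value>" lines, sysctl.conf style.
#   Returns 0 if every entry was written,
#           1 if the tree exists but an entry is missing or not writable,
#           2 if the kernel has no grsecurity sysctl tree (normal kernel).
apply_grsec_sysctls() {
    conf="$1"
    failed=0
    if [ ! -d "$PROC_SYS/kernel/grsecurity" ]; then
        echo "no grsecurity sysctl tree, skipping $conf" >&2
        return 2
    fi
    while IFS='=' read -r key value || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr -d ' \t')
        value=$(printf '%s' "$value" | tr -d ' \t')
        case "$key" in
            ''|'#'*) continue ;;                 # blank line or comment
            kernel.grsecurity.*) ;;              # the only keys handled here
            *) echo "ignoring non-grsecurity key: $key" >&2; continue ;;
        esac
        # kernel.grsecurity.foo -> $PROC_SYS/kernel/grsecurity/foo
        path="$PROC_SYS/$(printf '%s' "$key" | tr . /)"
        if [ -w "$path" ]; then
            printf '%s\n' "$value" > "$path" || failed=1
        else
            # Directory exists but the entry does not: report it rather than
            # silently leaving a feature the admin expected to be on disabled.
            echo "missing or read-only: $key" >&2
            failed=1
        fi
    done < "$conf"
    return "$failed"
}
```

A return value of 1 is the case worth alerting on: the kernel looks like a grsecurity kernel, yet a setting the administrator asked for could not be enabled.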
