On Tue, 17 Dec 2013 00:55:54 +0100 "Tóth Attila" <[email protected]> writes:
> It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It has
> been reported as freedesktop bug #65575. Of course if there would be a
> specific group under which systemd performs its proc related activities,
> that could be configured as the exception GID, but I can hardly imagine
> that it is the case. Gentoo systemd wiki doesn't mention this point,
> otherwise important for hardened users. Systemd dev stands his ground and
> puts the period: nothing can be expected until grsecurity hits mainline.
> That will obviously not happen. I understand the dev having no intentions
> to support out-of-mainline features. Altering proc access significantly.
>
> Any of you have a workaround for systemd with grsec without completely
> losing proc restrictions?

The workaround is simple:

$ getent group procr
procr:x:777:polkitd,...
$ grep CONFIG_GRKERNSEC_PROC_GID /boot/config-3.11.9-hardened
CONFIG_GRKERNSEC_PROC_GID=777

This issue was discussed in the following bug report:
https://bugs.gentoo.org/show_bug.cgi?id=472098
(short summary: polkit[systemd] links with libsystemd-login.so which needs access to "/proc/1")

> I'm trying real hard to be a shepherd. But this time I feel the urge -
> again - to purge the remnants of the once so shiny GNOME from my systems.
>
> Any thoughts on this? Or rather a grsec proc config workaround?
>
> Thx:
> Dw.

-- 
Alexander Tsoy
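A configuration check for the workaround described in the reply, added here as an example and not part of the thread: it reads CONFIG_GRKERNSEC_PROC_GID from a kernel config, finds the group carrying that GID in a group(5) file, and confirms the service user (polkitd, as in the thread) is a member. The file contents and paths below are constructed samples; on a real host pass /boot/config-$(uname -r) and /etc/group as the first two arguments.

```shell
#!/bin/sh
# Added example, not from the thread: check that the user a proc-reading
# service runs as (polkitd here, as in the thread) belongs to the group whose
# GID the hardened kernel was built with as CONFIG_GRKERNSEC_PROC_GID.
# Only supplementary members are checked, not a primary GID from passwd(5).
# Print the configured proc GID, or nothing if the option is not set.
proc_gid_from_config() {
    sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=\([0-9][0-9]*\)$/\1/p' "$1"
}

# Print the name of the group in group file $1 whose GID is $2.
group_name_for_gid() {
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# Exit 0 if user $3 is a supplementary member of group $2 in group file $1.
user_in_group() {
    awk -F: -v grp="$2" -v user="$3" '
        $1 == grp { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == user) found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# 0 = user may read /proc, 1 = misconfigured, 2 = GID restriction not built in.
check_proc_access() { # $1 kernel config, $2 group file, $3 service user
    gid=$(proc_gid_from_config "$1")
    if [ -z "$gid" ]; then
        echo "CONFIG_GRKERNSEC_PROC_GID not set in $1" >&2
        return 2
    fi
    grp=$(group_name_for_gid "$2" "$gid")
    if [ -z "$grp" ]; then
        echo "no group with GID $gid in $2; create one and add $3 to it" >&2
        return 1
    fi
    if user_in_group "$2" "$grp" "$3"; then
        echo "$3 is in $grp (GID $gid): /proc access allowed"
        return 0
    fi
    echo "$3 is not in $grp (GID $gid): fix with 'gpasswd -a $3 $grp'" >&2
    return 1
}

# Constructed sample inputs mirroring the thread's getent/grep output.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONFIG=$SAMPLE_DIR/kernel-config
SAMPLE_GROUP=$SAMPLE_DIR/group
printf 'CONFIG_GRKERNSEC=y\nCONFIG_GRKERNSEC_PROC=y\nCONFIG_GRKERNSEC_PROC_GID=777\n' > "$SAMPLE_CONFIG"
printf 'root:x:0:\nprocr:x:777:polkitd,alice\npolkitd:x:102:\n' > "$SAMPLE_GROUP"
check_proc_access "${1:-$SAMPLE_CONFIG}" "${2:-$SAMPLE_GROUP}" "${3:-polkitd}"
```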
