On June 8, 2014 (Sun) at 01:13, Alex Efros wrote:
> Hi!
>
> On Sat, Jun 07, 2014 at 11:48:53PM +0200, "Tóth Attila" wrote:
>> > Some time ago I noticed this in kernel logs:
>> > kern.alert: grsec: denied RWX mmap of <anonymous mapping> by
>> > /usr/lib64/python-exec/python2.7/layman[layman:9717] uid/euid:0/0
>> > gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0/0 gid/egid:0/0
>> > Looks like it doesn't break layman, but I still wonder why it happens and
>> > is it possible to fix this (without paxmarking python, of course)?
>> I don't see this in my logs. The python executable has the "E" flag on my
>> systems.
>
> I've just re-emerged both pythons, here are the flags:
>
> # paxctl-ng -v /usr/bin/python?.?
> /usr/bin/python2.7:
>     PT_PAX    : -e---
>     XATTR_PAX : -E---
>
> /usr/bin/python3.3:
>     PT_PAX    : -e---
>     XATTR_PAX : -E---
>
> Next, I've run eix-sync and get this in kernel log:
>
> 2014-06-07_23:07:50.51597 kern.alert: grsec: denied RWX mmap of <anonymous
> mapping> by /usr/lib64/python-exec/python2.7/layman[layman:3854]
> uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:3830] uid/euid:0/0
> gid/egid:0/0
> 2014-06-07_23:07:50.82796 kern.alert: grsec: denied RWX mmap of <anonymous
> mapping> by /usr/bin/python3.3[emerge:3977] uid/euid:0/0 gid/egid:0/0,
> parent /bin/bash[sh:3830] uid/euid:0/0 gid/egid:0/0
> 2014-06-07_23:07:56.00097 kern.alert: grsec: denied RWX mmap of <anonymous
> mapping> by /usr/bin/python3.3[egencache:4009] uid/euid:0/0 gid/egid:0/0,
> parent /bin/bash[sh:3830] uid/euid:0/0 gid/egid:0/0
> 2014-06-07_23:07:56.39894 kern.alert: grsec: denied RWX mmap of <anonymous
> mapping> by /usr/bin/python3.3[egencache:4028] uid/euid:0/0 gid/egid:0/0,
> parent /bin/bash[sh:3830] uid/euid:0/0 gid/egid:0/0
>
> # cat /etc/eix-sync.conf
> *
> @egencache --repo=powerman --update
> @egencache --repo=local --update

As you can see, your PT_PAX and XATTR_PAX flags are not consistent. The XATTR_PAX flag holds the correct value, the PT_PAX flag is not OK. Please issue the following commands and retry running layman or eix-sync:

paxctl-ng -f /usr/bin/python2.7
paxctl-ng -f /usr/bin/python3.3

"-f" sets the PT_PAX field according to the XATTR_PAX flags.
How your system behaves in case of inconsistent PAX flags also depends on your kernel configuration. Although the behavior is not as I would expect in my experience.

BR: Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

>
> --
> WBR, Alex.
>
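
A check for the PT_PAX/XATTR_PAX mismatch discussed in the reply above, as an added example that is not part of the original thread: it parses `paxctl-ng -v` output and lists the files whose two flag strings differ. The function names, the sample entry /usr/bin/example, and the assumption that an absent field prints something other than a flag string are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): read `paxctl-ng -v` output on stdin and
# print each file whose PT_PAX and XATTR_PAX flag strings differ.
# Exit status: 0 = all consistent, 1 = at least one mismatch.
pax_flag_mismatches() {
    awk '
        function report() {
            # Compare only when both fields hold a flag string; a field
            # with no flag string printed is skipped rather than guessed at.
            if (path != "" && pt ~ flagre && xa ~ flagre && (pt "") != (xa "")) {
                printf "%s PT_PAX=%s XATTR_PAX=%s\n", path, pt, xa
                bad = 1
            }
        }
        BEGIN { flagre = "^[-PpEeMmRrSs]+$" }
        # A line such as "/usr/bin/python2.7:" opens the record for a file.
        /^\/.*:[ \t]*$/ {
            report()
            path = $0; sub(/:[ \t]*$/, "", path); pt = ""; xa = ""; next
        }
        /^[ \t]*PT_PAX[ \t]*:/    { pt = $NF }
        /^[ \t]*XATTR_PAX[ \t]*:/ { xa = $NF }
        END { report(); exit bad + 0 }
    '
}

# Constructed sample: the two entries quoted in the thread plus one made-up
# consistent entry (/usr/bin/example).
sample_output() {
    cat <<'EOF'
/usr/bin/python2.7:
    PT_PAX    : -e---
    XATTR_PAX : -E---

/usr/bin/python3.3:
    PT_PAX    : -e---
    XATTR_PAX : -E---

/usr/bin/example:
    PT_PAX    : -E---
    XATTR_PAX : -E---
EOF
}

sample_output | pax_flag_mismatches || echo "PT_PAX and XATTR_PAX disagree for the files listed above"
```

On a live system the function takes the real output, for example `paxctl-ng -v /usr/bin/python?.? | pax_flag_mismatches`.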
