Hi Sandino,

Thanks for your reply. Do you have any suggestions how I can solve my problem?

More details:

After (on main system - not vserver, after building kernel, compiling gradm and rebooting)

    # gradm -E
    # gradm -a
    Password:
    Could not open /proc/sys/kernel/grsecurity/acl
    open: Permission denied

Kernel log shows this:

    Mar 30 09:31:47 alus2 kernel: grsec: From 192.168.1.2: use of CAP_SYS_ADMIN denied for (gradm:1374) UID(0) EUID(0), parent (bash:706) UID(0) EUID(0)

(Why is it denied? It never happens in grsec+gradm only.)

I used 2 different patches of vs+grsec:

http://www.sandino.net/parches/vserver/linux-2.4.25-grsec-1.9.14-vserver-1.26.patch.gz
http://www.firehead.org/~jeffrey/linux-vserver/grsecurity-1.9.14-2.4.25-vs1.26.patch

and the message was the same.

Dariush Pietrzak, by your words it's impossible to use vs+grsec with gradm on main system? Why then are there some vs+grsec patches? I think it's very important to use the ACL system - not only the default grsec restrictions provided by kernel configuration.

I DO NOT try to use gradm on vserver, just in main system. But there is a problem. That's why I am asking for help.

Thanks,
Justinas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sandino Araico Sánchez
Sent: Monday, March 29, 2004 9:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] vserver + grsec + gradm problem

Dariush Pietrzak wrote:

>>I want to use gradm on main system, not in vserver, but as you can
>>see I can't because of this error. I'm successfully running kernel
>>with grsec + gradm, but I can't run vserver + grsec + gradm.
>>
> and what is strange about that?
>(I'm trying to ride a bike, no problem here. I'm trying to drive a car,
>still no problem. But when I'm trying to ride a bike+car I get those
>mysterious errors....).
>

At the patch level, grsecurity and vserver have been very mixable, I've had no other problems than the need to reduce chroot restrictions.
I've been trying to reproduce Justinas's problem with gradm but I can't reproduce it on context 0. It's only reproducible inside a virtual server, but in such a case it's a desirable behaviour.

> It's not that obvious how would you like to merge bike and car, same
>goes for grsec and vserver.
>

It takes ~1 hour to integrate the .rej files and the resulting patch looks clean enough.

>You can merge those, but since functionality
>overlaps you have to decide either to drop one or the other in some
>places,
>

Functionality overlaps in some places like process visibility, which is filtered twice, but I've seen no functionality conflicts other than desirable restrictions inside chroot.

>or do some merging ( I used to have this car with pedals as a kid, lots
>of fun, wouldn't recommend it for production environment though... )
>

--
Sandino Araico Sánchez
-- Melón ate the feathers....

_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
