Dear Harry, thanks for your quick response!
> first thing... vserver uses capabilities... so you should make sure you disable capability restrictions, otherwise, your vservers will not work... ...I built a new kernel, using the snippet of your configuration, with some minor changes around the Chroot-options with regard to http://linux-vserver.org/grsecurityHowto -- now it the relevant part looks like this: # # Linux VServer # CONFIG_VSERVER_LEGACY=y # CONFIG_VSERVER_LEGACY_VERSION is not set CONFIG_VSERVER_DYNAMIC_IDS=y # CONFIG_VSERVER_NGNET is not set CONFIG_VSERVER_COWBL=y CONFIG_VSERVER_PROC_SECURE=y # CONFIG_VSERVER_HARDCPU is not set # CONFIG_INOXID_NONE is not set # CONFIG_INOXID_UID16 is not set # CONFIG_INOXID_GID16 is not set CONFIG_INOXID_UGID24=y # CONFIG_INOXID_INTERN is not set # CONFIG_INOXID_RUNTIME is not set # CONFIG_XID_TAG_NFSD is not set # CONFIG_XID_PROPAGATE is not set CONFIG_VSERVER_DEBUG=y CONFIG_VSERVER_HISTORY=y CONFIG_VSERVER_HISTORY_SIZE=64 # # Security options # # # PaX # CONFIG_PAX=y # # PaX Control # # CONFIG_PAX_SOFTMODE is not set CONFIG_PAX_EI_PAX=y CONFIG_PAX_PT_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set CONFIG_PAX_HAVE_ACL_FLAGS=y # CONFIG_PAX_HOOK_ACL_FLAGS is not set # # Non-executable pages # CONFIG_PAX_NOEXEC=y # CONFIG_PAX_PAGEEXEC is not set CONFIG_PAX_SEGMEXEC=y # CONFIG_PAX_EMUTRAMP is not set CONFIG_PAX_MPROTECT=y # CONFIG_PAX_NOELFRELOCS is not set CONFIG_PAX_KERNEXEC=y # # Address Space Layout Randomization # CONFIG_PAX_ASLR=y CONFIG_PAX_RANDKSTACK=y CONFIG_PAX_RANDUSTACK=y CONFIG_PAX_RANDMMAP=y CONFIG_PAX_NOVSYSCALL=y # # Grsecurity # CONFIG_GRKERNSEC=y # CONFIG_GRKERNSEC_LOW is not set # CONFIG_GRKERNSEC_MEDIUM is not set # CONFIG_GRKERNSEC_HIGH is not set CONFIG_GRKERNSEC_CUSTOM=y # # Address Space Protection # CONFIG_GRKERNSEC_KMEM=y # CONFIG_GRKERNSEC_IO is not set CONFIG_GRKERNSEC_PROC_MEMMAP=y CONFIG_GRKERNSEC_BRUTE=y CONFIG_GRKERNSEC_HIDESYM=y # # Role Based Access Control Options # # CONFIG_GRKERNSEC_ACL_HIDEKERN is not set CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=30 # # Filesystem Protections # CONFIG_GRKERNSEC_PROC=y CONFIG_GRKERNSEC_PROC_USER=y CONFIG_GRKERNSEC_PROC_ADD=y CONFIG_GRKERNSEC_LINK=y CONFIG_GRKERNSEC_FIFO=y CONFIG_GRKERNSEC_CHROOT=y CONFIG_GRKERNSEC_CHROOT_MOUNT=y # CONFIG_GRKERNSEC_CHROOT_DOUBLE is not set CONFIG_GRKERNSEC_CHROOT_PIVOT=y CONFIG_GRKERNSEC_CHROOT_CHDIR=y # CONFIG_GRKERNSEC_CHROOT_CHMOD is not set CONFIG_GRKERNSEC_CHROOT_FCHDIR=y CONFIG_GRKERNSEC_CHROOT_MKNOD=y CONFIG_GRKERNSEC_CHROOT_SHMAT=y CONFIG_GRKERNSEC_CHROOT_UNIX=y CONFIG_GRKERNSEC_CHROOT_FINDTASK=y CONFIG_GRKERNSEC_CHROOT_NICE=y CONFIG_GRKERNSEC_CHROOT_SYSCTL=y # CONFIG_GRKERNSEC_CHROOT_CAPS is not set # # Kernel Auditing # # CONFIG_GRKERNSEC_AUDIT_GROUP is not set # CONFIG_GRKERNSEC_EXECLOG is not set CONFIG_GRKERNSEC_RESLOG=y # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set CONFIG_GRKERNSEC_AUDIT_MOUNT=y # CONFIG_GRKERNSEC_AUDIT_IPC is not set CONFIG_GRKERNSEC_SIGNAL=y CONFIG_GRKERNSEC_FORKFAIL=y CONFIG_GRKERNSEC_TIME=y CONFIG_GRKERNSEC_PROC_IPADDR=y # CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set # # Executable Protections # CONFIG_GRKERNSEC_EXECVE=y CONFIG_GRKERNSEC_SHM=y CONFIG_GRKERNSEC_DMESG=y CONFIG_GRKERNSEC_RANDPID=y # CONFIG_GRKERNSEC_TPE is not set # # Network Protections # CONFIG_GRKERNSEC_RANDNET=y CONFIG_GRKERNSEC_RANDSRC=y # CONFIG_GRKERNSEC_SOCKET is not set # # Sysctl support # CONFIG_GRKERNSEC_SYSCTL=y CONFIG_GRKERNSEC_SYSCTL_ON=y # # Logging Options # CONFIG_GRKERNSEC_FLOODTIME=10 CONFIG_GRKERNSEC_FLOODBURST=4 # CONFIG_KEYS is not set # CONFIG_SECURITY is not set PAX is not running in soft mode, as there are no PAX-rules defined at this time. Nevertheless the same error occurs while trying to create a virutal server: Feb 8 17:57:05 MYHOSTNAME kernel: grsec: From MYIPADDRESS: denied mount of proc as /var/lib/vservers/vhost0/proc from chroot by /var/lib/vservers/vhost0/bin/mount[mount:28032] uid/euid:0/0 gid/egid:0/0, parent /var/tmp/debootstrap.mVlEp8/usr/sbin/debootstrap[debootstrap:18704] uid/euid:0/0 gid/egid:0/0 Has any of the Grsec-Options to be considered as the reason? thanks, once again, Thorsten -- Thorsten Büker * Bärenstr. 19-21 / WG 3106 * D-52064 Aachen +49 (241) 8865315 * +49 (163) 2572057 * http://bueker.net _______________________________________________ Vserver mailing list [email protected] http://list.linux-vserver.org/mailman/listinfo/vserver
