Markus Bartl | 6 Oct 17:00

/etc/init.d/dhcpd start -> error

Hi there.

I did a fresh installation with hardened-sources 2.6.25-r7 with pax and grsec (server) enabled.
After installing dhcpd with configuration to chroot - environment I get the following errors in /var/log/debug:

Oct  6 16:54:35 odin dhcpd: unable to create icmp socket: Operation not permitted
...
Oct  6 16:54:35 odin dhcpd: Open a socket for LPF: Operation not permitted

/var/log/grsec.log doesn't contain any hints.

Any idea would be welcome.

Kind regards,
Markus

brant williams | 6 Oct 17:11

Re: /etc/init.d/dhcpd start -> error


Did you enable any chroot restrictions in the kernel config?

brant williams
FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002

On Mon, 6 Oct 2008, Markus Bartl wrote:

> Date: Mon, 06 Oct 2008 17:04:15 +0200
> From: Markus Bartl <hardened@...>
> Reply-To: gentoo-hardened@...
> To: gentoo-hardened@...
> Subject: [gentoo-hardened] /etc/init.d/dhcpd start -> error
> 
> Hi there.
> 
> I did a fresh installation with hardened-sources 2.6.25-r7 with pax and grsec (server) enabled.
> After installing dhcpd with configuration to chroot - environment I get the following errors in /var/log/debug:
> 
> Oct  6 16:54:35 odin dhcpd: unable to create icmp socket: Operation not permitted
> ...
> Oct  6 16:54:35 odin dhcpd: Open a socket for LPF: Operation not permitted
> 
> /var/log/grsec.log doesn't contain any hints.
> 
> Any idea would be welcome.
> 
> Kind regards,
> Markus
> 
> 
>
Markus Bartl | 6 Oct 17:20

Re: /etc/init.d/dhcpd start -> error

brant williams wrote:
> Did you enable any chroot restrictions in the kernel config?
>
> brant williams
> FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002
>
> On Mon, 6 Oct 2008, Markus Bartl wrote:
>
>> Date: Mon, 06 Oct 2008 17:04:15 +0200
>> From: Markus Bartl <hardened-fI6J7lfedsq94EBAefA18BvVK+yQ3ZXh@public.gmane.org>
>> Reply-To: gentoo-hardened-cnFmAm88PdgLnqt3yJz4RQ@public.gmane.org
>> To: gentoo-hardened-cnFmAm88PdgLnqt3yJz4RQ@public.gmane.org
>> Subject: [gentoo-hardened] /etc/init.d/dhcpd start -> error
>>
>> Hi there.
>>
>> I did a fresh installation with hardened-sources 2.6.25-r7 with pax and grsec (server) enabled.
>> After installing dhcpd with configuration to chroot - environment I get the following errors in /var/log/debug:
>>
>> Oct  6 16:54:35 odin dhcpd: unable to create icmp socket: Operation not permitted
>> ...
>> Oct  6 16:54:35 odin dhcpd: Open a socket for LPF: Operation not permitted
>>
>> /var/log/grsec.log doesn't contain any hints.
>>
>> Any idea would be welcome.
>>
>> Kind regards,
>> Markus

Hi brant.

Yes. chroot restrictions are set and no, socket restrictions are not set.
Thanks in advance.

Markus.

Roman Fulop | 6 Oct 18:06

Re: /etc/init.d/dhcpd start -> error

Hi,

I had a problem running chrooted dhcp 3.1.1 with
CONFIG_GRKERNSEC_CHROOT_CAPS set. Try disabling it via sysctl or procfs.

Roman

Markus Bartl wrote:
> brant williams wrote:
> 
> Did you enable any chroot restrictions in the kernel config?
> 
> 
> brant williams
> FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002
> 
> 
> 
> On Mon, 6 Oct 2008, Markus Bartl wrote:
> 
>>>> Date: Mon, 06 Oct 2008 17:04:15 +0200
>>>> From: Markus Bartl <hardened@...>
>>>> Reply-To: gentoo-hardened@...
>>>> To: gentoo-hardened@...
>>>> Subject: [gentoo-hardened] /etc/init.d/dhcpd start -> error
>>>>
>>>> Hi there.
>>>>
>>>> I did a fresh installation with hardened-sources 2.6.25-r7 with pax
>>>> and grsec (server) enabled.
>>>> After installing dhcpd with configuration to chroot - environment I
>>>> get the following errors in /var/log/debug:
>>>>
>>>> Oct  6 16:54:35 odin dhcpd: unable to create icmp socket: Operation
>>>> not permitted
>>>> ...
>>>> Oct  6 16:54:35 odin dhcpd: Open a socket for LPF: Operation not
>>>> permitted
>>>>
>>>> /var/log/grsec.log doesn't contain any hints.
>>>>
>>>> Any idea would be welcome.
>>>>
>>>> Kind regards,
>>>> Markus
>>>>
>>>>
>>>>
> Hi brant.
>
> Yes. chroot restrictions are set and no, socket restrictions are not set.
> Thanks in advance.
>
> Markus.

Markus Bartl | 6 Oct 22:48

Re: /etc/init.d/dhcpd start -> error

Hi Roman.

That did it. Thanks.
Could anybody explain what happened there?
Thanks.

Markus

Roman Fulop wrote:
> Hi,
>
> I had a problem running chrooted dhcp 3.1.1 with
> CONFIG_GRKERNSEC_CHROOT_CAPS set. Try disabling it via sysctl or procfs.
>
> Roman
>
> Markus Bartl wrote:
>   
>> brant williams wrote:
>>
>> Did you enable any chroot restrictions in the kernel config?
>>
>>
>> brant williams
>> FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002
>>
>>
>>
>> On Mon, 6 Oct 2008, Markus Bartl wrote:
>>
>>     
>>>>> Date: Mon, 06 Oct 2008 17:04:15 +0200
>>>>> From: Markus Bartl <hardened@...>
>>>>> Reply-To: gentoo-hardened@...
>>>>> To: gentoo-hardened@...
>>>>> Subject: [gentoo-hardened] /etc/init.d/dhcpd start -> error
>>>>>
>>>>> Hi there.
>>>>>
>>>>> I did a fresh installation with hardened-sources 2.6.25-r7 with pax
>>>>> and grsec (server) enabled.
>>>>> After installing dhcpd with configuration to chroot - environment I
>>>>> get the following errors in /var/log/debug:
>>>>>
>>>>> Oct  6 16:54:35 odin dhcpd: unable to create icmp socket: Operation
>>>>> not permitted
>>>>> ...
>>>>> Oct  6 16:54:35 odin dhcpd: Open a socket for LPF: Operation not
>>>>> permitted
>>>>>
>>>>> /var/log/grsec.log doesn't contain any hints.
>>>>>
>>>>> Any idea would be welcome.
>>>>>
>>>>> Kind regards,
>>>>> Markus
>>>>>
>>>>>
>>>>>
>>>>>           
>> Hi brant.
>>
>> Yes. chroot restrictions are set and no, socket restrictions are not set.
>> Thanks in advance.
>>
>> Markus.
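
Added example (not part of any message in this thread): raw ICMP sockets and packet (LPF) sockets both require CAP_NET_RAW, so the sketch below checks whether a process inside the chroot still holds that capability and whether the chroot_caps toggle is on. It assumes grsecurity sysctl support is built in, so that /proc/sys/kernel/grsecurity/chroot_caps exists, and that the feature is what removed CAP_NET_RAW, which matches the fix reported above; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Bit number from <linux/capability.h>.
CAP_NET_RAW=13

# Constructed sample inputs: the LPF error quoted in the thread, and a
# /proc/<pid>/status excerpt whose masks have bits 12 and 13 cleared.
SAMPLE_LOG='Oct  6 16:54:35 odin dhcpd: Open a socket for LPF: Operation not permitted'
SAMPLE_STATUS='Name:   sh
CapPrm: 000001ffffffcfff
CapEff: 000001ffffffcfff'

# cap_eff STATUS_TEXT -> hex CapEff mask
cap_eff() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }'
}

# has_cap HEXMASK BIT -> exit 0 if that capability bit is set
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# needs_net_raw LOGLINE -> exit 0 for the two dhcpd errors from the thread
needs_net_raw() {
    case $1 in
        *"unable to create icmp socket: Operation not permitted"*) return 0 ;;
        *"Open a socket for LPF: Operation not permitted"*) return 0 ;;
    esac
    return 1
}

# diagnose LOGLINE HEXMASK CHROOT_CAPS -> verdict on stdout
diagnose() {
    if ! needs_net_raw "$1"; then echo unrelated; return 0; fi
    if has_cap "$2" "$CAP_NET_RAW"; then echo look-elsewhere; return 0; fi
    if [ "$3" = 1 ]; then echo chroot_caps; else echo dropped-by-something-else; fi
}

# On a live host (placeholders in <>), run from inside the chroot:
#   diagnose "<log line>" "$(cap_eff "$(cat /proc/self/status)")" \
#            "$(cat /proc/sys/kernel/grsecurity/chroot_caps)"
diagnose "$SAMPLE_LOG" "$(cap_eff "$SAMPLE_STATUS")" 1
```

A verdict of chroot_caps points at the kernel option named in the thread; look-elsewhere means CAP_NET_RAW is still held and the EPERM has another cause.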

brant williams | 6 Oct 17:13

Re: /etc/init.d/dhcpd start -> error


You might also have turned on socket restrictions...

brant williams
FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002

On Mon, 6 Oct 2008, Markus Bartl wrote:

> Date: Mon, 06 Oct 2008 17:04:15 +0200
> From: Markus Bartl <hardened@...>
> Reply-To: gentoo-hardened@...
> To: gentoo-hardened@...
> Subject: [gentoo-hardened] /etc/init.d/dhcpd start -> error
> 
> Hi there.
> 
> I did a fresh installation with hardened-sources 2.6.25-r7 with pax and grsec (server) enabled.
> After installing dhcpd with configuration to chroot - environment I get the following errors in /var/log/debug:
> 
> Oct  6 16:54:35 odin dhcpd: unable to create icmp socket: Operation not permitted
> ...
> Oct  6 16:54:35 odin dhcpd: Open a socket for LPF: Operation not permitted
> 
> /var/log/grsec.log doesn't contain any hints.
> 
> Any idea would be welcome.
> 
> Kind regards,
> Markus
> 
> 
>
René Rhéaume | 6 Oct 17:33

Re: /etc/init.d/dhcpd start -> error

On Mon, Oct 6, 2008 at 11:04 AM, Markus Bartl
<hardened@...> wrote:
> Hi there.
>
> I did a fresh installation with hardened-sources 2.6.25-r7 with pax and
> grsec (server) enabled.
> After installing dhcpd with configuration to chroot - environment I get the
> following errors in /var/log/debug:
>
> Oct  6 16:54:35 odin dhcpd: unable to create icmp socket: Operation not
> permitted

Look at this, http://forums.grsecurity.net/viewtopic.php?f=3&t=1882 .
It is about good old ping, also using ICMP.

Clemente Aguiar | 6 Oct 18:43

Re: /etc/init.d/dhcpd start -> error

I had the same problem, check:
http://bugs.gentoo.org/show_bug.cgi?id=205695

This was with a previous version of the kernel, but the "culprit" was
the GRSEC config.

Clemente

On Mon, 2008-10-06 at 17:04 +0200, Markus Bartl wrote:
> Hi there.
> 
> I did a fresh installation with hardened-sources 2.6.25-r7 with pax
> and grsec (server) enabled.
> After installing dhcpd with configuration to chroot - environment I
> get the following errors in /var/log/debug:
> 
> Oct  6 16:54:35 odin dhcpd: unable to create icmp socket: Operation
> not permitted
> ...
> Oct  6 16:54:35 odin dhcpd: Open a socket for LPF: Operation not
> permitted
> 
> /var/log/grsec.log doesn't contain any hints.
> 
> Any idea would be welcome.
> 
> Kind regards,
> Markus
> 

