Markus Bartl | 8 Oct 14:43

/etc/init.d/named stop hangs

Hi there.

I got the problem that stopping named hangs.
I'm using hardened-sources with grsec and pax enabled.
grsec is enabled with server profile. kernel.grsecurity.chroot_caps is disabled to get dhcp running.
SELinux and RBAC are disabled.
The logfiles don't give any hint.
Any idea would be helpful.

Thanks in advance and many regards,
Markus

brant williams | 8 Oct 17:47

Re: /etc/init.d/named stop hangs


Hello, Markus!  How are you?

The first place I'd look is in the syslog, while attempting to stop the 
service... also, the output of `dmesg` might show something that you 
missed... I'm not sure which system logger you use, but with the 
"hardened" USE flag enabled, syslog-ng's default config will split the 
logs into multiple files for various facilities (auth.log, kern.log, 
mail.log, etc).

Which dhcp client are you using?  I've never run it in a chroot and would 
like to try and duplicate your issue.  I just installed "net-misc/dhcpcd" 
on my grsec box, but do not see a way to run it chrooted.  Can you share 
your configuration/installation steps?

Bye!

brant williams
FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002

On Wed, 8 Oct 2008, Markus Bartl wrote:

> Date: Wed, 08 Oct 2008 14:45:54 +0200
> From: Markus Bartl <hardened@...>
> Reply-To: gentoo-hardened@...
> To: gentoo-hardened@...
> Subject: [gentoo-hardened] /etc/init.d/named stop hangs
> 
> Hi there.
> 
> I got the problem that stopping named hangs.
> I'm using hardened-sources with grsec and pax enabled.
> grsec is enabled with server profile. kernel.grsecurity.chroot_caps is disabled to get dhcp running.
> SELinux and RBAC are disabled.
> The logfiles don't give any hint.
> Any idea would be helpful.
> 
> Thanks in advance and many regards,
> Markus
> 
> 
>
Markus Bartl | 9 Oct 08:20

Re: /etc/init.d/named stop hangs

brant williams wrote:
> 
> 
> Hello, Markus!  How are you?
> 
> The first place I'd look is in the syslog, while attempting to stop the 
> service... also, the output of `dmesg` might show something that you 
> missed... I'm not sure which system logger you use, but with the 
> "hardened" USE flag enabled, syslog-ng's default config will split the 
> logs into multiple files for various facilities (auth.log, kern.log, 
> mail.log, etc).
> 
> Which dhcp client are you using?  I've never run it in a chroot and 
> would like to try and duplicate your issue.  I just installed 
> "net-misc/dhcpcd" on my grsec box, but do not see a way to run it 
> chrooted.  Can you share your configuration/installation steps?
> 
> Bye!
> 
> 
> brant williams
> FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002
> 
> 
> 
> On Wed, 8 Oct 2008, Markus Bartl wrote:
> 
>> Date: Wed, 08 Oct 2008 14:45:54 +0200
>> From: Markus Bartl <hardened@...>
>> Reply-To: gentoo-hardened@...
>> To: gentoo-hardened@...
>> Subject: [gentoo-hardened] /etc/init.d/named stop hangs
>>
>> Hi there.
>>
>> I got the problem that stopping named hangs.
>> I'm using hardened-sources with grsec and pax enabled.
>> grsec is enabled with server profile. kernel.grsecurity.chroot_caps is 
>> disabled to get dhcp running.
>> SELinux and RBAC are disabled.
>> The logfiles don't give any hint.
>> Any idea would be helpful.
>>
>> Thanks in advance and many regards,
>> Markus
>>
>>
>>
> 

Hi Brant.
As mentioned in another mail, I fixed the problem.
rndc tried to open tcp port 965.
Had to accept packets from "bad-guy" localhost in iptables.

To my dhcp installation: You are running dhcpcd which is a dhcp-client.
I don't know if you can run it chrooted (never looked).

I've installed net-misc/dhcp (dhcp server). You can define a 
chroot-directory in /etc/conf.d/dhcpd (DHCPD_CHROOT) and then run emerge 
--config dhcp.

Cheers.
Markus

pageexec | 8 Oct 17:51

Re: /etc/init.d/named stop hangs

On 8 Oct 2008 at 14:45, Markus Bartl wrote:

> Hi there.
> 
> I got the problem that stopping named hangs.
> I'm using hardened-sources with grsec and pax enabled.
> grsec is enabled with server profile. kernel.grsecurity.chroot_caps is disabled 
> to get dhcp running.
> SELinux and RBAC are disabled.
> The logfiles don't give any hint.
> Any idea would be helpful.

you could strace the whole process of shutting down named and see which process
hangs in which syscall (strace -f -ff -o ...), then we can think further.

RB | 8 Oct 17:59

Re: /etc/init.d/named stop hangs

> you could strace the whole process of shutting down named and see which process
> hangs in which syscall (strace -f -ff -o ...), then we can think further.

Markus noted on IRC that he had fixed this issue - his iptables didn't
have an allowance for 'lo', and the BIND init script has an RNDC call
that opens a local TCP socket.
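As an added example that is not part of this thread, a POSIX shell check that reads an iptables-save dump and reports whether loopback traffic is accepted, the condition Markus and RB identified behind the hanging rndc call. The two rule sets it tests are constructed for illustration; the DNS port rules in them are assumptions, not Markus's configuration.

```shell
#!/bin/sh
# Added example, not from the thread: check an iptables-save dump for the
# loopback ACCEPT rules whose absence made 'rndc stop' hang. Both rule sets
# are constructed (the port-53 rules are assumptions); on a live host,
# pipe the output of 'iptables-save' into loopback_ok instead.

# Constructed "before": INPUT drops all but established flows and DNS, and
# nothing mentions the loopback device, so rndc's connection to named dies.
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT'

# Constructed "after": the same rules with loopback accepted both ways.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT'

# chain_accepts_lo CHAIN IFOPT (INPUT -i or OUTPUT -o), dump on stdin.
# Returns 0 when the chain has an explicit ACCEPT for 'lo' or its default
# policy is ACCEPT, 1 otherwise.
chain_accepts_lo() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q "^-A $1 $2 lo -j ACCEPT" && return 0
    printf '%s\n' "$rules" | grep -q "^:$1 ACCEPT" && return 0
    return 1
}

# loopback_ok: 0 when loopback traffic passes in both directions, 1 otherwise.
loopback_ok() {
    dump=$(cat)
    printf '%s\n' "$dump" | chain_accepts_lo INPUT -i || return 1
    printf '%s\n' "$dump" | chain_accepts_lo OUTPUT -o
}

# Report on both constructed rule sets; the fix is the pair of 'lo' rules above.
printf '%s\n' "$BROKEN_RULES" | loopback_ok || echo "broken: no ACCEPT for lo, rndc's local connection is dropped"
printf '%s\n' "$FIXED_RULES" | loopback_ok && echo "fixed: loopback allowed, rndc can reach named"
```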

brant williams | 8 Oct 18:02

Re: /etc/init.d/named stop hangs


Well, that would explain the lack of logs...

brant williams
FCAA CDCA 20BC 3925 D634  F5C4 7420 6784 4DEB 6002

On Wed, 8 Oct 2008, RB wrote:

> Date: Wed, 8 Oct 2008 09:59:34 -0600
> From: RB <aoz.syn@...>
> Reply-To: gentoo-hardened@...
> To: gentoo-hardened@...
> Subject: Re: [gentoo-hardened] /etc/init.d/named stop hangs
> 
>> you could strace the whole process of shutting down named and see which process
>> hangs in which syscall (strace -f -ff -o ...), then we can think further.
>
> Markus noted on IRC that he had fixed this issue - his iptables didn't
> have an allowance for 'lo', and the BIND init script has an RNDC call
> that opens a local TCP socket.
>
>
