[gentoo-dev] new gentoo-sources kernels (r5+)

[gentoo-dev] new gentoo-sources kernels (r5+)

[Burton Samograd]

[-- Attachment #1: Type: text/plain, Size: 906 bytes --]

Hi,

Is it just me, or are the new gentoo-sources unusable?  I just went
through hell trying to get one of them to boot with absolutely no
sucess.  I kept getting "Cannot find init errors" to "* respawning too
quickly" to whatever you could think of.  I've never had this many
problems with installing a kernel in my life, and I'm wondering if I'm
doing something dreadfully wrong or if these new sources are just
really unstable with all the patches installed.

Just to let you know, i'm not experiencing newbie mistakes as i've
been using linux for over 8 years and never had a kernel not boot
unless it was something stupid on my part.  I did everything in my
experience to get these darn things working and well...they just don't
for me.  Anybody else having problems like this?

Oh, and the linux-beta sources also won't boot either, but those are
beta and i don't expect anything from them :)

burton

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] new gentoo-sources kernels (r5+)

[tprado]

I haven't had any problems with the gentoo kernel sources.  I have r9 on 
a couple machines.  r7 on another and a custom ACPI enabled kernel 
(http://sourceforge.net/projects/acpi) on my laptop based off the 
vanilla 2.4.19 (with 2.4.20-pre5 patched in).  

It sounds like you're probably making a simple mistake somewhere in your 
kernel upgrade somewhere.  

My usual kernel install procedure is:

#cd /usr/portage/sys-kernel/...
#ebuild <insert kernel ebuild version here> merge      (so it won't 
unmerge any older ones)
#cd /usr/src/linux-<version>
#cp /usr/src/linux/.config .
#make oldconfig
#make dep && make clean bzImage modules modules_install
#cp arch/i386/boot/bzImage /boot/gentoo<version>-<my-build#>.img
#cp System.map /boot/System.map-<version>-<my-build#>
#cd /usr/src
#rm linux
#ln -s linux-<version> linux
#cd /boot
#rm System.map
#ln -s System.map-<version>-<my-build#> System.map
edit /etc/lilo.conf for the new version (okay, I still use lilo :-)
#lilo
#shutdown -r now  

Wow, I actually do all that? I've never written it all down before :-)

I don't have /boot in it's own partition in my setup...

It's gonna be something silly, I'm sure :-)

Good luck,
Tom


Burton Samograd wrote:

>Hi,
>
>Is it just me, or are the new gentoo-sources unusable?  I just went
>through hell trying to get one of them to boot with absolutely no
>sucess.  I kept getting "Cannot find init errors" to "* respawning too
>quickly" to whatever you could think of.  I've never had this many
>problems with installing a kernel in my life, and I'm wondering if I'm
>doing something dreadfully wrong or if these new sources are just
>really unstable with all the patches installed.
>
>Just to let you know, i'm not experiencing newbie mistakes as i've
>been using linux for over 8 years and never had a kernel not boot
>unless it was something stupid on my part.  I did everything in my
>experience to get these darn things working and well...they just don't
>for me.  Anybody else having problems like this?
>
>Oh, and the linux-beta sources also won't boot either, but those are
>beta and i don't expect anything from them :)
>
>burton
>

Re: [gentoo-dev] new gentoo-sources kernels (r5+)

[Burton Samograd]

[-- Attachment #1: Type: text/plain, Size: 441 bytes --]

On Tue, Sep 17, 2002 at 11:53:45PM -0400, tprado wrote:

> It sounds like you're probably making a simple mistake somewhere in your 
> kernel upgrade somewhere.  
> 

Acutally, it turns out it was that fancy new GrSecurity setting (I had
it set to med thinking that would be ok).  Maybe someone could update
the install docs saying to keep it at low or off, since gentoo doesn't
seem to be able to work with it any higher.

burton

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] new gentoo-sources kernels (r5+)

[Toby Dickenson]

On Wednesday 18 Sep 2002 4:52 pm, Burton Samograd wrote:
> On Tue, Sep 17, 2002 at 11:53:45PM -0400, tprado wrote:
> > It sounds like you're probably making a simple mistake somewhere in your
> > kernel upgrade somewhere.
>
> Acutally, it turns out it was that fancy new GrSecurity setting (I had
> it set to med thinking that would be ok).  

Ive seen that before. I also had alot of GrSecurity log messages mixed in with 
those error message, which gave a good clue about the cause of the problem. 
Did you not have that?

> Maybe someone could update
> the install docs saying to keep it at low or off, since gentoo doesn't
> seem to be able to work with it any higher.

I think my problems were caused by the extra chroot checks fouling on an 
initrd boot environment. Everything worked fine once I turned on GrSecurity's 
'use a sysctl' option, so all its extra checks are turned off at boot.

Re: [gentoo-dev] new gentoo-sources kernels (r5+)

[Mike Lundy]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 18 September 2002 11:52, Burton Samograd wrote:
> Acutally, it turns out it was that fancy new GrSecurity setting (I had
> it set to med thinking that would be ok).  Maybe someone could update
> the install docs saying to keep it at low or off, since gentoo doesn't
> seem to be able to work with it any higher.

Don't enable grsecurity without reading exactly what you're enabling- using 
it, you can deny certain capabilities to certain daemons, which could cause 
your system to do weird things. I personally use the custom level and select 
stuff manually. It's safer that way- I want to know exactly what I'm 
enabling.

- -- 
To smash a single atom, all mankind was intent.
Now any day the atom may return the compliment.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9iKaq/tNA0+e85ksRAsZ+AJ9f6RbOPBL4X+OAqnin+NaQyfTB4QCfcGab
rx3ooAWcoQB9pvDnNp8+pVo=
=bByA
-----END PGP SIGNATURE-----

Re: [gentoo-dev] new gentoo-sources kernels (r5+)

[Burton Samograd]

[-- Attachment #1: Type: text/plain, Size: 725 bytes --]

On Wed, Sep 18, 2002 at 05:15:26PM +0100, Toby Dickenson wrote:
> 
> Ive seen that before. I also had alot of GrSecurity log messages mixed in with 
> those error message, which gave a good clue about the cause of the problem. 
> Did you not have that?

Nothing that pointed directly to GrSecurity no.  I was just getting
errors about not being able to create symbolic links and not being
able to mount devfs or /mnt/.init.d.  

I did manage to get a kernel to boot now using a lower GrSecurity
level, but now it complains that I don't have devfs compiled into the
kernel (which i know i do, as well as tmpfs and everything else that's
required).  Maybe one should just leave GrSecurity off completely?

burton

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] new gentoo-sources kernels (r5+)

[Christopher J. PeBenito]

I've been running grsec for the better part of a year.  I've used just a
vanilla kernel+grsec patch, and the gentoo-sources kernel (r2 and r7). 
I've never had problems.  I _always_ use custom, so I know exactly what
is on (like a previous poster suggested).  I've never ran into any
problems.  I would suggest doublechecking your configuration.  Also, you
may want to do a 'make mrproper' to make sure everything is playing
nice... that kills the config tho.  Or you may want to turn off grsec to
make sure your kernel config is ok, and then try turning it back on.

In general, I vote that grsec stay in the gentoo-sources kernel (if it
actually came to a vote :) ).

Chris


On Wed, 2002-09-18 at 18:48, Burton Samograd wrote:
> On Wed, Sep 18, 2002 at 05:15:26PM +0100, Toby Dickenson wrote:
> > 
> > Ive seen that before. I also had alot of GrSecurity log messages mixed in with 
> > those error message, which gave a good clue about the cause of the problem. 
> > Did you not have that?
> 
> Nothing that pointed directly to GrSecurity no.  I was just getting
> errors about not being able to create symbolic links and not being
> able to mount devfs or /mnt/.init.d.  
> 
> I did manage to get a kernel to boot now using a lower GrSecurity
> level, but now it complains that I don't have devfs compiled into the
> kernel (which i know i do, as well as tmpfs and everything else that's
> required).  Maybe one should just leave GrSecurity off completely?
> 
> burton
-- 
Chris PeBenito
<pebenito@ieee.org>
AIM: PeBenito78
ICQ#: 10434387

"Engineering does not require science. Science helps
a lot, but people built perfectly good brick walls 
long before they knew why cement works."-Alan Cox

Re: [gentoo-dev] new gentoo-sources kernels (r5+)

[Evan Read]

On Wed, Sep 18, 2002 at 04:48:24PM -0700, Burton Samograd wrote:
> On Wed, Sep 18, 2002 at 05:15:26PM +0100, Toby Dickenson wrote:
> > 
> > Ive seen that before. I also had alot of GrSecurity log messages mixed in with 
> > those error message, which gave a good clue about the cause of the problem. 
> > Did you not have that?
> 
> Nothing that pointed directly to GrSecurity no.  I was just getting
> errors about not being able to create symbolic links and not being
> able to mount devfs or /mnt/.init.d.  
> 
> I did manage to get a kernel to boot now using a lower GrSecurity
> level, but now it complains that I don't have devfs compiled into the
> kernel (which i know i do, as well as tmpfs and everything else that's
> required).  Maybe one should just leave GrSecurity off completely?
> 
> burton

Under 1.2 I have enabled all specified in the Gentoo Security Guide.

Works great.

-- 
Evan Read
http://eread.freeshell.org

"The future comes 60 minutes an hour no matter who you are or what you 
do." 
	The Screwtape Letters - C.S. Lewis

Re: [gentoo-dev] new gentoo-sources kernels (r5+)

[Christian Axelsson]

I have these in r7 working perfect:

CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_STACK=y
CONFIG_GRKERNSEC_STACK_GCC=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=150
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FD=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_SIG=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_PTRACE=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_KBMAP=y
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_SUID_ROOT=y
CONFIG_GRKERNSCONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_GROUP=y
CONFIG_GRKERNSEC_PTRACE_GID=150
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
CONFIG_GRKERNSEC_RANDTTL=y
CONFIG_GRKERNSEC_FLOODTIME=30
CONFIG_GRKERNSEC_COREDUMP=y

--
Christian Axelsson
smiler@lanil.mine.nu