Message-ID: <4D1775F8.5010704@orlitzky.com>
Date: Sun, 26 Dec 2010 12:06:00 -0500
From: Michael Orlitzky
List-Id: Gentoo Linux mail
Reply-to: gentoo-hardened@lists.gentoo.org
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Disappearing root on 2.6.36-hardened-r6 upgrade
References: <4D16E7BA.3030508@orlitzky.com> <4D170EDE.15195.3043ADB6@pageexec.freemail.hu>
In-Reply-To: <4D170EDE.15195.3043ADB6@pageexec.freemail.hu>

On 12/26/2010 03:46 AM, pageexec@freemail.hu wrote:
> On 26 Dec 2010 at 1:59, Michael Orlitzky wrote:
>
>> I've got (at least) two servers that lose their root partition after
>> this upgrade. One of them has an HP cciss SCSI RAID controller; the
>> other has a single IDE hard drive. Assuming the problem is something
>> common, I'll stick to describing the one with the array for now.
>
> which grsec is this ebuild based on? my guess is that it's a recent PaX/UDEREF
> hardening that's causing this and should be mostly fixed now except for the
> IP checksum code fix which i'll release soon. in the meantime you can disable
> UDEREF. if you don't have it enabled then i don't know what it is, we'll need
> more debugging, let me know.

The hardened-patches contains the following:

  4423_grsec-remove-protected-paths.patch
  4420_grsecurity-2.2.1-2.6.36.2-201012121726.patch
  4435_grsec-kconfig-gentoo.patch
  4421_grsec-remove-localversion-grsec.patch
  4425_grsec-pax-without-grsec.patch
  4430_grsec-kconfig-default-gids.patch
  4422_grsec-mute-warnings.patch

I do have UDEREF enabled:

  # grep UDEREF .config
  CONFIG_PAX_MEMORY_UDEREF=y

I can try disabling it when I'd be willing to drive to work and reboot
the thing.