configure grsecurity post-compile
Posted: Fri Apr 21, 2017 9:57 am
I have a vps which apparently has grsecurity compiled on it, but it doesn't look like it was ever configured:
I tried setting some of them, eg. "sysctl -w kernel.grsecurity.chroot_deny_fchdir=1", but when I rebooted they reverted back to the original settings. Is there a way for me to configure these persistently?
The reason I am trying to do so is because I am having issues with cpanel-dovecot-solr, and the cpanel team is telling me that they believe that it is due to grsecurity being installed but not configured. Is there a way to unpatch my kernel? Is grsecurity even doing anything if all of the settings are 0? Is there a known issue with grsecurity and cpanel-dovecot-solr, and do you guys know of any workarounds if so?
Thanks.
-Michael
- Code: Select all
[~]# sysctl -a | grep grs
kernel.grsecurity.audit_ptrace = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_fchdir = 0
kernel.grsecurity.chroot_deny_mknod = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_shmat = 0
kernel.grsecurity.chroot_deny_sysctl = 0
kernel.grsecurity.chroot_deny_unix = 0
kernel.grsecurity.chroot_enforce_chdir = 0
kernel.grsecurity.dmesg = 0
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.harden_ptrace = 0
kernel.grsecurity.signal_logging = 0
kernel.grsecurity.timechange_logging = 0
kernel.osrelease = 3.8.13-xxxx-grs-ipv6-64-vps
I tried setting some of them, eg. "sysctl -w kernel.grsecurity.chroot_deny_fchdir=1", but when I rebooted they reverted back to the original settings. Is there a way for me to configure these persistently?
The reason I am trying to do so is because I am having issues with cpanel-dovecot-solr, and the cpanel team is telling me that they believe that it is due to grsecurity being installed but not configured. Is there a way to unpatch my kernel? Is grsecurity even doing anything if all of the settings are 0? Is there a known issue with grsecurity and cpanel-dovecot-solr, and do you guys know of any workarounds if so?
Thanks.
-Michael