# Hardened Gentoo Won't Start [SOLVED]

## vladgrigorescu

I am having problems starting hardened gentoo.  This is what is displayed on the screen before it hangs:

```
grsec: exec of /sbin/hotplug (/sbin/hotplug vc ) by /[khelper:11850] uid/euid:0/0 gid/egid:0/0, parent/[khelper:4] uid/euid:0/0 gid/egid:0/0
audit(1123371739.903:0): avc: denied {read} for pid=11850 comm=khelper name=sh dev=hda1 ino=5245195 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=lnk_file
grsec: exec of /sbin/hotplug (/sbin/hotplug vc ) by /[khelper:13663] uid/euid:0/0 gid/egid:0/0, parent/[khelper:4] uid/euid:0/0 gid/egid:0/0
audit(1123371739.904:0): avc: denied {read} for pid=13663 comm=khelper name=sh dev=hda1 ino=5245195 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=lnk_file
...
```

and so on; it adds a couple more lines of the same thing every 5-10 mins or so.  Currently, I have set up my kernel as described in the documentation, and am trying to reboot to install packages, etc.  I have already tried removing hotplug from default (with rc-update), but that didn't help.  Also, my grub command line is:

```
kernel=/kernel-2.6.11-hardened-r15 root=/dev/hda1 selinux=1 enforcing=1 gentoo=nodevfs
```

The relevant part (or at least, what I think is relevant) of my kernel .config file is:

```
#
# Security options
#
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
CONFIG_GRKERNSEC_HIGH=y
# CONFIG_GRKERNSEC_CUSTOM is not set
#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BIGMEM=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=60
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set
#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
#
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
# CONFIG_SECURITY_SELINUX_MLS is not set
```

The rest of the kernel is set up the way it is described in the documentation.  Please let me know what I am doing wrong, and how I can fix this.  Also, I really don't know what information would be helpful here, so let me know if you need anything else.

Last edited by vladgrigorescu on Mon Sep 05, 2005 5:21 am; edited 1 time in total
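The AVC lines quoted in the post, run through a small parser added here (not code from the thread) that collapses repeated denials into the source type, target type and object class they would need allowed, skips the grsec exec lines, and flags a file_t target because that type normally means the file carries no label at all, i.e. the filesystem was never relabeled.

```python
import re

# Constructed sample: the four kernel log lines quoted in the post above.
SAMPLE_LOG = """\
grsec: exec of /sbin/hotplug (/sbin/hotplug vc ) by /[khelper:11850] uid/euid:0/0 gid/egid:0/0, parent/[khelper:4] uid/euid:0/0 gid/egid:0/0
audit(1123371739.903:0): avc: denied {read} for pid=11850 comm=khelper name=sh dev=hda1 ino=5245195 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=lnk_file
grsec: exec of /sbin/hotplug (/sbin/hotplug vc ) by /[khelper:13663] uid/euid:0/0 gid/egid:0/0, parent/[khelper:4] uid/euid:0/0 gid/egid:0/0
audit(1123371739.904:0): avc: denied {read} for pid=13663 comm=khelper name=sh dev=hda1 ino=5245195 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=lnk_file
"""

# 'avc: denied {perm ...} for key=value ...' (newer kernels print '{ read }' with spaces).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("kv")))
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; policy rules are written against the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarise(log):
    """Collapse repeated denials, keyed on (source type, target type, class)."""
    rules = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        e = rules.setdefault(key, {"perms": set(), "count": 0})
        e["perms"].update(rec["perms"])
        e["count"] += 1
    return rules

def allow_rules(rules):
    """Render each summarised denial as the TE allow rule that would silence it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};  # {e['count']} hits"
            for (s, t, c), e in sorted(rules.items())]

def relabel_hints(rules):
    """file_t is the type given to files with no label, so a denial against it
    usually means the filesystem needs relabeling rather than a new allow rule."""
    return [f"{s} -> {t}:{c}: target is unlabeled; relabel the filesystem instead"
            for (s, t, c) in rules if t == "file_t"]
```

Feeding a whole dmesg through `summarise` gives one line per (domain, type, class) instead of one per retry, which is what makes the 5-10 minute repeats in the post collapse to a single rule.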

----------

## vladgrigorescu

I seem to have had my kernel configured way too strictly.  Make sure you read the help for the different options, as I was denying various operations which my computer needed to do to boot.

----------

## ikke

Could you say which kernel options those were, as I'm also having problems mounting selinux in enforcing mode (denied to read /dev/null and others, IIRC)?

----------

## vladgrigorescu

Unfortunately, I ended up disabling SElinux.  I don't have a monitor attached to the server, so I can't see the errors (all I know is that it wouldn't boot), so debugging is really hard.  I hope to get one soon, so I might be able to experiment some more with what options work, and what don't.  Sorry!

----------

## humbletech99

Me too, selinux was too much hassle, just harden the rest. Besides, selinux won't stop your box getting hacked, just limits what happens afterwards.

----------

## Turbo

*Quote:*

> Me too, selinux was too much hassle, just harden the rest. Besides, selinux won't stop your box getting hacked, just limits what happens afterwards

Lol...JUST limits what happens afterwards ?!

When configured right they can do NOTHING unless you want them to !

You can even get rid of your firewall and let them come in just for the fun of it !

Tsss...JUST limits what happens afterwards...

----------

## humbletech99

I was under the impression that you could still get a compromised service that would allow somebody onto the machine, but it would limit what they could do once they are on the machine. However, for a production server, if it were to be compromised then we'd probably have no choice but to scrap it and start again anyway... I would never be able to trust it again until it was wiped clean and restarted fresh.

----------

## Turbo

With SELinux you can (and should) run every application in its own domain, and you can specify which files can be accessed by that domain, and even how exactly they can be accessed (getattr, read, write, append, execute, etc.).

So if a service is compromised it gives the attacker all privileges of the domain the service was running in, and if it is configured correctly that means he/she can do absolutely nothing, except the things this service can do (which is usually nothing more than communicate, read some configuration files and libraries and write (but not execute) files in /var/log).

So there really should be no reason whatsoever for reinstalling the entire system just because a service got compromised.

A properly configured SELinux system is absolutely untouchable, it simply can't get any more secure (Well, actually I'm wrong, MLS (multi layer security) is as far as I know not yet being used in SELinux, and I've not looked into it either, but at first sight it seems another fine addition, but probably somewhat overkill).

----------

## linuxale

Hi guys, this thread is "solved" without any solutions!?!

Can somebody help?

Thanks

Alex

----------

