# Can't activate GRSecurity

## Czernay

I tried to activate GRSecurity as described in the documentation, like this:

```
gradm -P admin
gradm -E
```

but got this response:

> Your password file is not set up correctly.
>
> Run gradm -P to set a password.

I wonder what is wrong?

----------

## hegga

Is your machine booted with a kernel that has compiled in GRsecurity support?

----------

## Czernay

*hegga wrote:*

> Is your machine booted with a kernel that has compiled in GRsecurity support?

Yes. I followed the Gentoo Grsecurity2 Guide (http://www.gentoo.org/proj/en/hardened/grsecurity2.xml).

My kernel is compiled with the following options:

```
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=1010

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_ON is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_NOVSYSCALL is not set
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set
```

----------

## Czernay

Bump!

----------

## Jorbless

I just figured this out. You need to create a "grsecurity RBAC password" (presumably as root) before you are allowed to fire up the access control mechanism:

```
# gradm -P
Setting up grsecurity RBAC password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
# gradm -E
```

Only then may you be authenticated in the "admin" role:

```
# gradm -a admin
```

This really should be in the "Grsecurity v2 Guide."

Edit: I suppose I should go ahead and e-mail this omission to Gentoo.

----------

## Czernay

Thanks a lot, that did it!

I really wasn't aware that setting a password without giving a username sets up a different password than 'admin'.

----------

