# grsec issue with truecrypt

## haxle

Ok so... I've got an issue here.. 

When I'm trying to mount an encrypted external drive I get this error:

```
No such file or directory: /tmp/.truecrypt_aux_mnt1/control
```

and.. 

```
dmesg | tail
[ 1605.188547] grsec: mount of truecrypt to /tmp/.truecrypt_aux_mnt1 by /usr/bin/truecrypt[truecrypt:2454] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/truecrypt[truecrypt:2451] uid/euid:0/0 gid/egid:0/0
[ 1605.195804] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/truecrypt[truecrypt:2457] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1605.199378] grsec: unmount of truecrypt by /bin/umount[umount:2458] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/truecrypt[truecrypt:2457] uid/euid:0/0 gid/egid:0/0
```

So.. it's a grsec issue.. how do I fix it? ... other than disabling grsec...

----------

## causality

What are the PaX flags on the truecrypt executable?

I use Hardened but I don't actually have truecrypt installed.  The output of "whereis truecrypt" will tell you where the program is located.  For purposes of this response, I will assume it is /usr/bin/truecrypt but please adjust as needed if I have that wrong.

If you run "paxctl -v /usr/bin/truecrypt" you probably will not see anything about MPROTECT being disabled.  If that is the case, you have found the problem.  Lots of programs like mplayer and others that perform certain tasks in memory will get killed off by PaX/Grsec.

You can remove the MPROTECT restriction from truecrypt by running "paxctl -m /usr/bin/truecrypt".  That should make it stop crashing.

----------

## haxle

Running paxctl -v /usr/bin/truecrypt produced:

```
file /usr/bin/truecrypt does not have a PT_PAX_FLAGS program header, try conversion
```

I haven't tried conversion because I figured that would just cause more problems ... I completely disabled grsec as well and I don't get the errors in dmesg | tail anymore, but there isn't anything about the issue at all now and I'm still having the same issue :?

----------

## mr.sande

It doesn't hurt to try to add the pax header to truecrypt and disable the mprotect; if it borks truecrypt you can just reinstall it.

You can also enable softmode for pax so that only executables with pax headers are enforced. Softmode has to be explicitly enabled with sysctl.

----------
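
The diagnosis this thread walks through (find the grsec RWX denial in dmesg, then check that binary with paxctl -v), as an added shell example that is not part of any post above. The function names are hypothetical, the sample log lines are the ones quoted in the thread, and the only paxctl output it recognizes is the "no PT_PAX_FLAGS" message quoted in the thread.

```shell
#!/bin/sh
# Added example: read-only triage of grsec "denied RWX mmap" log lines.
# Function names are hypothetical; nothing here changes PaX flags.

# Sample input: the dmesg lines quoted in the thread.
SAMPLE_DMESG='[ 1605.188547] grsec: mount of truecrypt to /tmp/.truecrypt_aux_mnt1 by /usr/bin/truecrypt[truecrypt:2454] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/truecrypt[truecrypt:2451] uid/euid:0/0 gid/egid:0/0
[ 1605.195804] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/truecrypt[truecrypt:2457] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1605.199378] grsec: unmount of truecrypt by /bin/umount[umount:2458] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/truecrypt[truecrypt:2457] uid/euid:0/0 gid/egid:0/0'

# stdin: kernel log text. stdout: "<count><TAB><path>" per denied binary.
rwx_denied_binaries() {
    awk '
    /grsec: denied RWX mmap of / {
        path = $0
        sub(/^.* by /, "", path)  # keep what follows " by " (the process)
        sub(/\[.*$/, "", path)    # drop "[comm:pid]", uid/gid and parent
        if (path ~ /^\//) seen[path]++
    }
    END { for (p in seen) printf "%d\t%s\n", seen[p], p }' | sort -k2
}

# stdin: output of "paxctl -v FILE". stdout: no-pax-header | check-flags.
pax_header_state() {
    if grep -q 'does not have a PT_PAX_FLAGS program header'; then
        echo no-pax-header   # the case hit in the thread: no header to hold flags
    else
        echo check-flags     # anything else: read the lines paxctl printed
    fi
}

# stdin: kernel log text. stdout: one summary line per denied binary.
triage() {
    rwx_denied_binaries | while IFS="$(printf '\t')" read -r count path; do
        if command -v paxctl >/dev/null 2>&1 && [ -e "$path" ]; then
            state=$(paxctl -v "$path" 2>&1 | pax_header_state)
        else
            state=unchecked  # paxctl or the binary is not available here
        fi
        printf '%s denials=%s pax=%s\n' "$path" "$count" "$state"
    done
}

# On a real system: dmesg | triage
printf '%s\n' "$SAMPLE_DMESG" | triage
```
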

