10-08-2008, 12:45 PM
Markus Bartl

/etc/init.d/named stop hangs

Hi there.



I got the problem that stopping named hangs.

I'm using hardened-sources with grsec and pax enabled.

grsec is enabled with server profile. kernel.grsecurity.chroot_caps is
disabled to get dhcp running.

SELinux and RBAC are disabled.

The logfiles don't give any hint.

Any idea would be helpful.



Thanks in advance and many regards,

Markus
 
10-08-2008, 03:47 PM
brant williams

/etc/init.d/named stop hangs

Hello, Markus! How are you?

The first place I'd look is in the syslog, while attempting to stop the
service... also, the output of `dmesg` might show something that you
missed... I'm not sure which system logger you use, but with the
"hardened" USE flag enabled, syslog-ng's default config will split the
logs into multiple files for various facilities (auth.log, kern.log,
mail.log, etc).


Which dhcp client are you using? I've never run it in a chroot and would
like to try and duplicate your issue. I just installed "net-misc/dhcpcd"
on my grsec box, but do not see a way to run it chrooted. Can you share
your configuration/installation steps?


Bye!


brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002



 
10-08-2008, 03:51 PM

/etc/init.d/named stop hangs

On 8 Oct 2008 at 14:45, Markus Bartl wrote:

> Hi there.
>
> I got the problem that stopping named hangs.
> I'm using hardened-sources with grsec and pax enabled.
> grsec is enabled with server profile. kernel.grsecurity.chroot_caps is disabled
> to get dhcp running.
> SELinux and RBAC are disabled.
> The logfiles don't give any hint.
> Any idea would be helpful.

You could strace the whole process of shutting down named and see which process
hangs in which syscall (strace -f -ff -o ...), then we can think further.
 
10-08-2008, 03:59 PM
RB

/etc/init.d/named stop hangs

> You could strace the whole process of shutting down named and see which process
> hangs in which syscall (strace -f -ff -o ...), then we can think further.

Markus noted on IRC that he had fixed this issue - his iptables didn't
have an allowance for 'lo', and the BIND init script has an RNDC call
that opens a local TCP socket.
 
10-08-2008, 04:02 PM
brant williams

/etc/init.d/named stop hangs

Well, that would explain the lack of logs...


brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002



 
10-09-2008, 06:20 AM
Markus Bartl

/etc/init.d/named stop hangs

Hi Brant.
As mentioned in another mail, I fixed the problem.
rndc tried to open tcp port 965.
Had to accept packages from "bad-guy" localhost in iptables.

To my dhcp installation: You are running dhcpcd which is a dhcp-client.
I don't know if you can run it chrooted (never looked).

I've installed net-misc/dhcp (dhcp server). You can define a
chroot-directory in /etc/conf.d/dhcpd (DHCPD_CHROOT) and then run
emerge --config dhcp.


Cheers.
Markus
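
An added example, not part of the original thread: a check of `iptables-save` output for the condition that caused the hang, a default-deny chain with no allowance for `lo`. A DROP verdict means the local rndc connection is silently discarded, which fits a stop script that hangs without logging anything. The helper name `loopback_verdict` and both rulesets are constructed for illustration, and the function only models rules that match nothing or just the loopback interface.

```shell
#!/bin/sh
# Added example: rulesets below are constructed, not Markus's real rules.

# loopback_verdict CHAIN  (reads iptables-save output on stdin)
# Prints the fate of a new connection crossing "lo" in CHAIN.
# Simplification: only rules with no match, or matching just the loopback
# interface, are evaluated; jumps to user-defined chains are ignored.
loopback_verdict() {
    awk -v chain="$1" '
        $1 == (":" chain) { policy = $2 }          # e.g. ":INPUT DROP [0:0]"
        $1 == "-A" && $2 == chain && verdict == "" {
            target = ""; other = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); break }
                else if (($i == "-i" || $i == "-o") && $(i + 1) == "lo") i++
                else other = 1                     # some match we do not model
            }
            if (!other && target ~ /^(ACCEPT|DROP|REJECT)$/) verdict = target
        }
        END { print (verdict != "" ? verdict : policy) }
    '
}

# Constructed "before": default-deny INPUT with no allowance for lo.
BEFORE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# Constructed "after": loopback accepted ahead of everything else.
AFTER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

printf 'before: %s\n' "$(printf '%s\n' "$BEFORE" | loopback_verdict INPUT)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER" | loopback_verdict INPUT)"
```

On a live host, run `iptables-save | loopback_verdict INPUT` as root to test the loaded ruleset instead of the samples.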
 