I'm using hardened-sources with grsec and PaX enabled.
grsec is enabled with server profile. kernel.grsecurity.chroot_caps is
disabled to get dhcp running.
SELinux and RBAC are disabled.
The log files don't give any hint.
Any idea would be helpful.
Thanks in advance and many regards,
Markus
10-08-2008, 03:47 PM
brant williams
/etc/init.d/named stop hangs
Hello, Markus! How are you?
The first place I'd look is in the syslog, while attempting to stop the
service... also, the output of `dmesg` might show something that you
missed... I'm not sure which system logger you use, but with the
"hardened" USE flag enabled, syslog-ng's default config will split the
logs into multiple files for various facilities (auth.log, kern.log,
mail.log, etc).
Which dhcp client are you using? I've never run it in a chroot and would
like to try and duplicate your issue. I just installed "net-misc/dhcpcd"
on my grsec box, but do not see a way to run it chrooted. Can you share
your configuration/installation steps?
Date: Wed, 08 Oct 2008 14:45:54 +0200
From: Markus Bartl <hardened@noack-ingenieure.de>
Reply-To: gentoo-hardened@lists.gentoo.org
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] /etc/init.d/named stop hangs
Hi there.
I got the problem that stopping named hangs.
I'm using hardened-sources with grsec and PaX enabled.
grsec is enabled with server profile. kernel.grsecurity.chroot_caps is disabled to get dhcp running.
SELinux and RBAC are disabled.
The log files don't give any hint.
Any idea would be helpful.
> Hi there.
>
> I got the problem that stopping named hangs.
> I'm using hardened-sources with grsec and PaX enabled.
> grsec is enabled with server profile. kernel.grsecurity.chroot_caps is disabled
> to get dhcp running.
> SELinux and RBAC are disabled.
> The log files don't give any hint.
> Any idea would be helpful.
You could strace the whole process of shutting down named and see which process
hangs in which syscall (strace -f -ff -o ...), then we can think further.
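The strace approach suggested above, as an added example that is not part of the thread: a small POSIX shell script that runs the init script's stop action under strace -f -ff -o (one output file per process) and then reports, for every traced pid, the syscall it was still inside when strace was interrupted. The trace_stop and report_hung functions are mine, and the sample trace files are constructed to look like strace output for a shell that forked rndc and an rndc blocked in connect() to the BIND control channel; they are not a capture from Markus's machine.

```shell
#!/bin/sh
# Added example, not from the thread: trace "/etc/init.d/<svc> stop" and
# report which process was still blocked in which syscall.

# trace_stop SCRIPT PREFIX: run "SCRIPT stop" under strace, following forks,
# with one output file per pid named PREFIX.<pid>. Needs root and strace.
# Interrupt it with Ctrl-C once the stop visibly hangs; strace then detaches
# and leaves the unfinished syscall as the last line of that pid's file.
trace_stop() {
    strace -f -ff -o "$2" "$1" stop
}

# report_hung PREFIX: print "<pid>: <last line>" for every PREFIX.<pid> file
# whose final line is a syscall that never returned. A completed syscall line
# ends in ") = <value>", a finished process ends in "+++ exited with N +++";
# anything else at the end of a file is where that process was stuck.
report_hung() {
    for f in "$1".*; do
        [ -f "$f" ] || continue
        pid=${f##*.}
        tail -n 1 "$f" | awk -v pid="$pid" '
            /<unfinished \.\.\.>|<detached \.\.\.>/ { print pid ": " $0; next }
            /^\+\+\+ /                              { next }
            !/\) *= /                               { print pid ": " $0 }'
    done
}

# demo_sample: constructed trace files (not a real capture) in the shape
# strace -ff writes: a shell waiting on its child, rndc blocked in connect()
# to the control channel on 127.0.0.1:953 (BIND's default rndc port), and a
# helper that exited normally. Prints the report for the constructed data.
demo_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/trace.2001" <<'EOF'
execve("/bin/sh", ["/bin/sh", "/etc/init.d/named", "stop"], 0x7ffe3c1a2b90 /* 18 vars */) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2a1c0fa9d0) = 2002
wait4(-1,  <unfinished ...>
EOF
    cat > "$d/trace.2002" <<'EOF'
execve("/usr/sbin/rndc", ["rndc", "stop"], 0x55f0c9e0c2a0 /* 18 vars */) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(953), sin_addr=inet_addr("127.0.0.1")}, 16 <detached ...>
EOF
    cat > "$d/trace.2003" <<'EOF'
execve("/bin/cat", ["cat", "/var/run/named/named.pid"], 0x55f0c9e0c2a0 /* 18 vars */) = 0
read(3, "4210\n", 131072) = 5
exit_group(0) = ?
+++ exited with 0 +++
EOF
    report_hung "$d/trace"
    rm -rf "$d"
}

demo_sample
# On the real box instead:
#   trace_stop /etc/init.d/named /tmp/named-stop/trace   (Ctrl-C when it hangs)
#   report_hung /tmp/named-stop/trace
```

On the constructed data the report names pid 2001 stuck in wait4() and pid 2002 stuck in connect() to 127.0.0.1:953, which is exactly the pair you would expect when a firewall eats the control-channel SYN: the shell is only waiting for rndc, and rndc is waiting for a TCP connect that will not complete until the retransmit timer gives up.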
10-08-2008, 03:59 PM
RB
/etc/init.d/named stop hangs
> You could strace the whole process of shutting down named and see which process
> hangs in which syscall (strace -f -ff -o ...), then we can think further.
Markus noted on IRC that he had fixed this issue - his iptables didn't
have an allowance for 'lo', and the BIND init script has an RNDC call
that opens a local TCP socket.
Date: Wed, 8 Oct 2008 09:59:34 -0600
From: RB <aoz.syn@gmail.com>
Reply-To: gentoo-hardened@lists.gentoo.org
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] /etc/init.d/named stop hangs
Hi Brant.
As mentioned in another mail, I fixed the problem.
rndc tried to open TCP port 965.
Had to accept packets from "bad-guy" localhost in iptables.
Regarding my dhcp installation: you are running dhcpcd, which is a dhcp client.
I don't know if you can run it chrooted (never looked).
I've installed net-misc/dhcp (dhcp server). You can define a
chroot-directory in /etc/conf.d/dhcpd (DHCPD_CHROOT) and then run emerge
--config dhcp.
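An added example, not from the thread, for the fix RB and Markus describe above: an INPUT chain that drops everything it does not list, and lists nothing for the loopback interface, so rndc's connect() to the control channel (127.0.0.1:953 by BIND's default; Markus's box used 965) has its SYN silently discarded and the init script sits in the TCP connect timeout. A REJECT policy would have made rndc fail immediately with ECONNREFUSED; DROP is what hangs. The three rulesets below are constructed in iptables-save format (the thread does not show Markus's actual rules), and loopback_ok is my checker, not an iptables feature. It also flags the common half-fix of accepting by 127.0.0.0/8 source address rather than by interface, which trusts any packet from the wire that claims a loopback source.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for an INPUT
# chain that never accepts the loopback interface, the condition that made
# rndc's local TCP connect() hang in the thread above.

# Constructed "server" ruleset that forgot loopback: the DROP policy is the
# catch-all, and nothing matches rndc's SYN to 127.0.0.1.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
COMMIT'

# Tempting but weak: accepting by 127.0.0.0/8 source address instead of by
# interface trusts any packet on the wire that claims a loopback source.
WEAK_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# The fix: match the interface, first thing in the chain
# (on a live box: iptables -I INPUT 1 -i lo -j ACCEPT).
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
COMMIT'

# loopback_ok RULESET: print a verdict and return 0 only when INPUT accepts
# "-i lo" before any rule that could drop loopback traffic. Heuristic: a
# DROP/REJECT rule with neither -i nor -s is treated as a catch-all, and a
# non-ACCEPT chain policy is the catch-all when no such rule exists.
loopback_ok() {
    printf '%s\n' "$1" | awk '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / {
            if (!blocked && $0 ~ / -i lo / && $0 ~ / -j ACCEPT/) { lo_ok = 1 }
            else if ($0 ~ / -s 127\./ && $0 ~ / -j ACCEPT/) { by_addr = 1 }
            else if ($0 ~ / -j (DROP|REJECT)/ && $0 !~ / -i / && $0 !~ / -s /) { blocked = 1 }
        }
        END {
            if (lo_ok) { print "ok: INPUT accepts -i lo"; exit 0 }
            if (by_addr) { print "weak: loopback accepted by 127/8 source only (spoofable); use -i lo"; exit 1 }
            if (blocked || policy != "ACCEPT") { print "broken: loopback never accepted, INPUT policy " policy; exit 1 }
            print "ok: INPUT policy ACCEPT and no catch-all drop"; exit 0
        }'
}

# Run the checker over the three constructed rulesets. On a live box feed it
# the real dump instead: loopback_ok "$(iptables-save)"
for name in BAD_RULES WEAK_RULES GOOD_RULES; do
    eval "rules=\$$name"
    printf '%s -> ' "$name"
    loopback_ok "$rules" || :
done
```

The rule order matters as much as its presence: "-i lo -j ACCEPT" goes first so no earlier DROP, rate-limit or state rule can shadow it, which is why the live-box command uses "iptables -I INPUT 1" rather than "-A". With that rule in place rndc reaches named's control socket, "rndc stop" returns, and the init script no longer waits on a connect that can never complete.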