Bug 56628

Summary: polkit 0.107 breaks PaX support
Product: PolicyKit
Reporter: dwyer
Component: daemon
Assignee: David Zeuthen (not reading bugmail) <zeuthen>
Status: RESOLVED NOTOURBUG
QA Contact: David Zeuthen (not reading bugmail) <zeuthen>
Severity: normal
Priority: medium
CC: dwyer
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description dwyer 2012-11-01 04:24:53 UTC
Arch Linux x86_64
Kernel: 3.6.4-2-grsec

No problems when booting with normal -ARCH kernel
No problems with full PaX settings on polkit-0.105

Setting paxctl -cPEmRXS /usr/lib/polkit-1/polkitd
does NOT solve the problem, only fixes the RWX line

I really, really do not want to lessen security of polkit.

Errors like this...
[code]
grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/polkit-1/polkitd[polkitd:1588] uid/euid:102/102 gid/egid:102/102, parent /usr/lib/systemd/systemd[systemd:1]
grsec: Segmentation fault occurred at 0000000000000010 in /usr/lib/polkit-1/polkitd[polkitd:1588]
grsec: bruteforce prevention initiated against uid 102, banning for 15 minutes
systemd[1]: Failed to start Authorization Manager.

dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
[/code]
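
Added example (not part of the bug report and not polkit or grsecurity code): a small Python triage that groups the grsec messages quoted above by binary, so the RWX denial, the crash and the uid ban can be read as one chain. The regexes are assumptions derived only from the three message shapes shown in this report, and `triage` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed input: the grsec/systemd lines quoted in the report above.
SAMPLE_LOG = """\
grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/polkit-1/polkitd[polkitd:1588] uid/euid:102/102 gid/egid:102/102, parent /usr/lib/systemd/systemd[systemd:1]
grsec: Segmentation fault occurred at 0000000000000010 in /usr/lib/polkit-1/polkitd[polkitd:1588]
grsec: bruteforce prevention initiated against uid 102, banning for 15 minutes
systemd[1]: Failed to start Authorization Manager.
"""

# Assumption: patterns cover only the three grsec message shapes quoted in this report.
PROC = r"(?P<path>/\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
RWX = re.compile(r"grsec: denied RWX mmap of (?P<target>.+?) by " + PROC
                 + r" uid/euid:(?P<uid>\d+)/(?P<euid>\d+)")
SEGV = re.compile(r"grsec: Segmentation fault occurred at (?P<addr>[0-9a-fA-F]+) in " + PROC)
BAN = re.compile(r"grsec: bruteforce prevention initiated against uid (?P<uid>\d+), "
                 r"banning for (?P<minutes>\d+) minutes")


def triage(log_text):
    """Group grsec events by binary: RWX denials, crashes, and resulting uid bans."""
    report = defaultdict(lambda: {"rwx_denied": 0, "targets": set(), "uids": set(),
                                  "segfaults": [], "ban_minutes": 0})
    bans = {}  # uid -> ban length in minutes
    for line in log_text.splitlines():
        if m := RWX.search(line):
            entry = report[m["path"]]
            entry["rwx_denied"] += 1
            entry["targets"].add(m["target"])
            entry["uids"].add(int(m["uid"]))
        elif m := SEGV.search(line):
            addr = int(m["addr"], 16)
            # A fault address inside the first page looks like a NULL-based dereference.
            report[m["path"]]["segfaults"].append((int(m["pid"]), addr, addr < 0x1000))
        elif m := BAN.search(line):
            bans[int(m["uid"])] = int(m["minutes"])
    # The ban message names only a uid, so attach it to binaries seen running as that uid.
    for entry in report.values():
        entry["ban_minutes"] = max((bans.get(u, 0) for u in entry["uids"]), default=0)
    return dict(report)


if __name__ == "__main__":
    for path, e in triage(SAMPLE_LOG).items():
        print(path, e)
```
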
Comment 1 dwyer 2012-11-01 05:22:12 UTC
Aw, you know, paxctl -cPEmRXS /usr/lib/polkit-1/polkitd does seem to fix the polkit problems. Then the rest of my problems are caused by systemd and D-Bus.

However, I stand by my claim that needing to disable MPROTECT on polkitd is a bug.
Comment 2 dwyer 2012-11-03 00:31:35 UTC
Correction: both MPROTECT & RANDMMAP off for polkitd

This is a problem. Policy Kit needs to have high security.
Comment 3 David Zeuthen (not reading bugmail) 2013-01-09 19:56:59 UTC
There is no support for pax in upstream polkit. Seems like an Arch problem to me, suggest to file it there.
