Bug 56628 - polkit 0.107 Brakes PaX support
polkit 0.107 Brakes PaX support
Status: RESOLVED NOTOURBUG
Product: PolicyKit
Classification: Unclassified
Component: daemon
unspecified
x86-64 (AMD64) Linux (All)
: medium normal
Assigned To: David Zeuthen (not reading bugmail)
David Zeuthen (not reading bugmail)
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-01 04:24 UTC by dwyer
Modified: 2013-01-09 19:56 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description dwyer 2012-11-01 04:24:53 UTC
Arch Linux x86_64
Kernel: 3.6.4-2-grsec

No problems when booting with normal -ARCH kernel
No problems with full PaX settings on polkit-0.105

Setting paxctl -cPEmRXS /usr/lib/polkit-1/polkitd
Dose NOT solve the problem, Only fixes the RWX line

I really, really do not want to lessen security of polkit.

Errors like this...
[code]
grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/polkit-1/polkitd[polkitd:1588] uid/euid:102/102 gid/egid:102/102, parent /usr/lib/systemd/systemd[systemd:1]
grsec: Segmentation fault occurred at 0000000000000010 in /usr/lib/polkit-1/polkitd[polkitd:1588]
grsec: bruteforce prevention initiated against uid 102, banning for 15 minutes
systemd[1]: Failed to start Authorization Manager.

dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
[/code]
Comment 1 dwyer 2012-11-01 05:22:12 UTC
Awe, you know paxctl -cPEmRXS /usr/lib/polkit-1/polkitd dose seem to fix the polkit problems. Then the rest of my problems are caused by systemd and D-Bus.

However I stand by my clame that needing to disable MPROTECT on polkitd is a Bug.
Comment 2 dwyer 2012-11-03 00:31:35 UTC
Correction both MPROTECT & RANDMMAP off for polkitd

This is a problem. Policy Kit needs to have high security.
Comment 3 David Zeuthen (not reading bugmail) 2013-01-09 19:56:59 UTC
There is no support for pax in upstream polkit. Seems like an Arch problem to me, suggest to file it there.