Bug 56628 - polkit 0.107 Brakes PaX support
Summary: polkit 0.107 Brakes PaX support
Status: RESOLVED NOTOURBUG
Alias: None
Product: PolicyKit
Classification: Unclassified
Component: daemon (show other bugs)
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
: medium normal
Assignee: David Zeuthen (not reading bugmail)
QA Contact: David Zeuthen (not reading bugmail)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-01 04:24 UTC by dwyer
Modified: 2013-01-09 19:56 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description dwyer 2012-11-01 04:24:53 UTC
Arch Linux x86_64
Kernel: 3.6.4-2-grsec

No problems when booting with normal -ARCH kernel
No problems with full PaX settings on polkit-0.105

Setting paxctl -cPEmRXS /usr/lib/polkit-1/polkitd
Dose NOT solve the problem, Only fixes the RWX line

I really, really do not want to lessen security of polkit.

Errors like this...
[code]
grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/polkit-1/polkitd[polkitd:1588] uid/euid:102/102 gid/egid:102/102, parent /usr/lib/systemd/systemd[systemd:1]
grsec: Segmentation fault occurred at 0000000000000010 in /usr/lib/polkit-1/polkitd[polkitd:1588]
grsec: bruteforce prevention initiated against uid 102, banning for 15 minutes
systemd[1]: Failed to start Authorization Manager.

dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
[/code]
Comment 1 dwyer 2012-11-01 05:22:12 UTC
Awe, you know paxctl -cPEmRXS /usr/lib/polkit-1/polkitd dose seem to fix the polkit problems. Then the rest of my problems are caused by systemd and D-Bus.

However I stand by my clame that needing to disable MPROTECT on polkitd is a Bug.
Comment 2 dwyer 2012-11-03 00:31:35 UTC
Correction both MPROTECT & RANDMMAP off for polkitd

This is a problem. Policy Kit needs to have high security.
Comment 3 David Zeuthen (not reading bugmail) 2013-01-09 19:56:59 UTC
There is no support for pax in upstream polkit. Seems like an Arch problem to me, suggest to file it there.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct.