FS#46763 - [linux-grsec] prevents login via gdm

Attached to Project: Community Packages
Opened by ITwrx (andriesinfoserv) - Saturday, 17 October 2015, 13:19 GMT
Last edited by Daniel Micay (thestinger) - Saturday, 17 October 2015, 22:09 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Daniel Micay (thestinger)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: linux-grsec prevents login via gdm.

Additional info:

linux-grsec 4.2.3.201510161817-1
gdm 3.18.0-1

log line: grsec: denied kernel module auto-load of fuse by UID 120.

(uid 120 is gdm)

Note: this issue has existed for the last (approx.) 3 releases of linux-grsec. Or maybe since gdm was last updated?

Steps to reproduce:
Boot Arch with GNOME and linux-grsec and login won't work.

Thanks in advance

Closed by Daniel Micay (thestinger)
Saturday, 17 October 2015, 22:09 GMT
Reason for closing: Not a bug
Comment by Daniel Micay (thestinger) - Saturday, 17 October 2015, 18:37 GMT
Does it work if you add fuse to /etc/modules-load.d/sensors.conf? Preventing unprivileged users from triggering module auto-loading is part of MODHARDEN so this is expected. It prevents unprivileged users from greatly expanding the kernel's attack surface by loading huge amounts of functionality.
Comment by Daniel Micay (thestinger) - Saturday, 17 October 2015, 18:47 GMT
I would guess that the change is either gdm starting to run as an unprivileged user or gdm starting to depend upon fuse.
Comment by ITwrx (andriesinfoserv) - Saturday, 17 October 2015, 20:12 GMT
"Does it work if you add fuse to /etc/modules-load.d/sensors.conf?"
It sure does, thanks!

"It prevents unprivileged users from greatly expanding the kernel's attack surface by loading huge amounts of functionality."
I figured that's what was going on but I wasn't sure what to do about it. Is this documented somewhere that I could read up on this specific scenario, and/or would you mind pointing me to the location of the index.html for the linux-grsec-docs package?

Thanks again.
Comment by Daniel Micay (thestinger) - Saturday, 17 October 2015, 20:32 GMT
I don't think there's actually any grsecurity documentation in linux-grsec-docs, it's just the Linux kernel documentation that's provided for any kernel package.

You can see the MODHARDEN documentation here:

https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Harden_module_auto-loading

This wiki page is generated from the configuration option documentation that's shown when configuring a kernel.
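
The diagnosis in this thread (find the denied auto-load in the kernel log, then pre-load the module at boot) can be scripted. The following is an added example, not part of the original report or of any grsecurity tooling; the function names, the sample log and the module name `example_mod` are constructed for illustration, and the log pattern is taken from the single line quoted in the report.

```shell
#!/bin/sh
# Added example: summarise module auto-loads that grsecurity denied, and
# draft the body of an /etc/modules-load.d/*.conf file for review.

# Constructed sample log. Only the message text of the first line comes from
# the report; timestamps, host name, UID 1000 and "example_mod" are made up.
SAMPLE_LOG='Oct 17 13:10:02 host kernel: grsec: denied kernel module auto-load of fuse by UID 120.
Oct 17 13:10:05 host kernel: grsec: denied kernel module auto-load of fuse by UID 120.
Oct 17 13:11:40 host kernel: grsec: denied kernel module auto-load of fuse by UID 1000.
Oct 17 13:11:41 host kernel: grsec: denied kernel module auto-load of example_mod by UID 1000.
Oct 17 13:12:00 host kernel: usb 1-1: new high-speed USB device number 2'

# stdin: kernel log text. stdout: unique "module uid" pairs, sorted.
denied_autoloads() {
    sed -n 's/.*grsec: denied kernel module auto-load of \([A-Za-z0-9_-]\{1,\}\) by [Uu][Ii][Dd] \([0-9]\{1,\}\).*/\1 \2/p' |
        LC_ALL=C sort -u
}

# stdin: kernel log text. stdout: one module per line, each preceded by a
# comment naming the UIDs that triggered the denial, so the admin can decide
# whether the module is really wanted before pre-loading it.
modules_load_conf() {
    denied_autoloads | awk '
        $1 != mod {
            if (mod != "") printf "# auto-load denied for UID %s\n%s\n", uids, mod
            mod = $1; uids = $2; next
        }
        { uids = uids "," $2 }
        END { if (mod != "") printf "# auto-load denied for UID %s\n%s\n", uids, mod }'
}

# Demo on the constructed log. On a systemd machine the input would be:
#   journalctl -k -b | modules_load_conf
printf '%s\n' "$SAMPLE_LOG" | modules_load_conf
```

Every module listed this way is loaded for all users at boot, so keep only the ones the system actually needs; each entry gives back some of the attack-surface reduction MODHARDEN provides.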
