Forum Debian Users Gang

bryn1u · 2014-06-04 22:48:35

Witam,

Postawilem sobie lxc z grsec, nastepnie stworzylem kontener na ktorego sie zalogowalem, ale po wydaniu apt-get update dostaje w dmesg'u na hoscie komunikat

Kod:

grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl.REAL[initctl.REAL:24358] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/usr/sbin/invoke-rc.d[invoke-rc.d:24356] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl.REAL[initctl.REAL:24394] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/usr/sbin/invoke-rc.d[invoke-rc.d:24392] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl.REAL[initctl.REAL:24443] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/var/lib/dpkg/info/upstart.postinst[upstart.postins:24442] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl.REAL[initctl.REAL:24457] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/usr/sbin/invoke-rc.d[invoke-rc.d:24455] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl.REAL[initctl.REAL:25681] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/usr/sbin/invoke-rc.d[invoke-rc.d:25679] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl.REAL[initctl.REAL:25811] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/usr/sbin/invoke-rc.d[invoke-rc.d:25809] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl.REAL[initctl.REAL:26686] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/var/lib/dpkg/info/openssh-server.postinst[openssh-server.:26642] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl.REAL[initctl.REAL:26699] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/usr/sbin/invoke-rc.d[invoke-rc.d:26697] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl.REAL[initctl.REAL:26862] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/usr/sbin/invoke-rc.d[invoke-rc.d:26860] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl[initctl:27119] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/var/lib/dpkg/info/libselinux1:amd64.postinst[libselinux1:amd:27118] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl[initctl:27386] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/usr/sbin/invoke-rc.d[invoke-rc.d:27384] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/cache/lxc/trusty/partial-amd64/sbin/initctl[initctl:28328] uid/euid:0/0 gid/egid:0/0, parent /var/cache/lxc/trusty/partial-amd64/usr/sbin/invoke-rc.d[invoke-rc.d:28326] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/lib/lxc/shells/rootfs/sbin/initctl[initctl:28511] uid/euid:0/0 gid/egid:0/0, parent /var/lib/lxc/shells/rootfs/var/lib/dpkg/info/openssh-server.postinst[openssh-server.:28473] uid/euid:0/0 gid/egid:0/0
grsec: From 87.206.27.122: denied connect() to abstract AF_UNIX socket outside of chroot by /var/lib/lxc/shells/rootfs/sbin/initctl[initctl:28529] uid/euid:0/0 gid/egid:0/0, parent /var/lib/lxc/shells/rootfs/usr/sbin/invoke-rc.d[invoke-rc.d:28527] uid/euid:0/0 gid/egid:0/0

Nie mam zielonego pojecia, ktora opcja odpowiada za to blokowanie. W sysctl.conf mam dodane wedle wymogow opcje:

kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_mount = 0[/quote]
apt-get update w kontenerze:

Kod:

Err http://archive.ubuntu.com trusty InRelease
  
Err http://archive.ubuntu.com trusty-updates InRelease
  
Err http://security.ubuntu.com trusty-security InRelease
  
Err http://archive.ubuntu.com trusty Release.gpg
  Could not resolve 'archive.ubuntu.com'
Err http://archive.ubuntu.com trusty-updates Release.gpg
  Could not resolve 'archive.ubuntu.com'
Err http://security.ubuntu.com trusty-security Release.gpg
  Could not resolve 'security.ubuntu.com'
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/InRelease  

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/InRelease  

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/trusty-security/InRelease  

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg  Could not resolve 'archive.ubuntu.com'

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/Release.gpg  Could not resolve 'archive.ubuntu.com'

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/trusty-security/Release.gpg  Could not resolve 'security.ubuntu.com'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Dodam, ze na czystym kernelu dziala bez problemu. W czym moze byc problem ?

Pozdrawiam,

E-Booki: FreeBSD, OpenBSD, Linux, Hacking, PHP, Catia, Perl_CGI, Mysql ...
[b]http://unix-ebooki.neth.pl/[/b]

Time (s)	Query
0.00009	SET CHARSET latin2
0.00004	SET NAMES latin2
0.00124	SELECT u., g., o.logged FROM punbb_users AS u INNER JOIN punbb_groups AS g ON u.group_id=g.g_id LEFT JOIN punbb_online AS o ON o.ident='18.227.49.73' WHERE u.id=1
0.00081	REPLACE INTO punbb_online (user_id, ident, logged) VALUES(1, '18.227.49.73', 1732824282)
0.00040	SELECT * FROM punbb_online WHERE logged<1732823982
0.00054	SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, 0 FROM punbb_topics AS t INNER JOIN punbb_forums AS f ON f.id=t.forum_id LEFT JOIN punbb_forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id=3) WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id=25935 AND t.moved_to IS NULL
0.00006	SELECT search_for, replace_with FROM punbb_censoring
0.00074	SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM punbb_posts AS p INNER JOIN punbb_users AS u ON u.id=p.poster_id INNER JOIN punbb_groups AS g ON g.g_id=u.group_id LEFT JOIN punbb_online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id=25935 ORDER BY p.id LIMIT 0,25
0.00096	UPDATE punbb_topics SET num_views=num_views+1 WHERE id=25935
Total query time: 0.00488 s

Forum Debian Users Gang

Ogłoszenie

#1 2014-06-04 22:48:35

bryn1u - Użytkownik

LXC + Grsecurity - Socket

Kod:

Kod:

#2 2014-06-05 08:45:47

Jacekalex - Podobno człowiek...;)

Re: LXC + Grsecurity - Socket

Kod:

Kod:

Kod:

#3 2014-06-05 12:38:04

bryn1u - Użytkownik

Re: LXC + Grsecurity - Socket

#4 2014-06-05 12:40:42

Jacekalex - Podobno człowiek...;)

Re: LXC + Grsecurity - Socket

#5 2014-06-05 12:50:35

bryn1u - Użytkownik

Re: LXC + Grsecurity - Socket

#6 2014-06-05 14:11:05

Jacekalex - Podobno człowiek...;)

Re: LXC + Grsecurity - Socket

#7 2014-06-10 07:38:04

bryn1u - Użytkownik

Re: LXC + Grsecurity - Socket

#8 2014-06-10 09:22:26

morfik - Cenzor wirtualnego świata

Re: LXC + Grsecurity - Socket

#9 2014-06-10 09:41:26

bryn1u - Użytkownik

Re: LXC + Grsecurity - Socket

Stopka forum

Informacje debugowania