From: Gaz Wilson (dragon_at_dragons.org.uk)
Date: Wed 04 May 2005 - 16:30:55 BST
Self-followup - sorry!
I have sorted grsec with vservers and so far everything is working nicely
now :)
Fingers x'd :)
Thanks for everyone's help to date.
gary
On Wed, 4 May 2005, Gaz Wilson wrote:
>
>
> Hi again!
>
> I discovered earlier that yes indeed, if you configure the host up with the
> relevant binfmt stuff, the vservers adopt those settings, so all is well and
> good.
>
> I am having trouble with grsec though - I have set it for medium security, and
> yet the vserver refuses to start complaining that the capabilities don't
> exist - yet I checked the kernel and the default capabilities are set
> (monolithically, not as a module) - just checking all kernel options and
> recompiling, in case there's some difference between my working kernel
> with grsec disabled and this one...
>
> In the meantime, if anyone has used grsec along with vservers, I'd be
> interested to hear any stories about making it work!!!
>
> Thanks all!
>
> Gary Wilson
>
>
> On Wed, 4 May 2005, Herbert Poetzl wrote:
>
> > On Wed, May 04, 2005 at 10:01:49AM +0100, Gaz Wilson wrote:
> > >
> > > Hi - sorry for asking again - Normally I like to research such things
> > > properly, but time is not on my side for this project, so I come in
> > > hope of a quick solution.
> > >
> > > I need to install binfmt support within a vserver, however proc is
> > > secured in such a way as it cannot install properly:
> > >
> > > Setting up binfmt-support (1.2.3) ...
> > > mount: permission denied
> > > update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
> > > /proc/sys/fs/binfmt_misc.
> > > Enabling additional executable binary formats: mount: permission denied
> > > update-binfmts: warning: Couldn't mount the binfmt_misc filesystem on
> > > /proc/sys/fs/binfmt_misc.
> > > binfmt-support.
> >
> > binfmt or more precisely misc binary format support
> > is not available inside vserver, because it needs userspace
> > helpers which have to 'run' in the proper context, and
> > that has just not been done yet ... you can use it on the
> > host though ... and it might reach/map into vservers
> > (not tested)
> >
> > best,
> > Herbert
> >
> > > Is there a (good) way to allow this to happen without removing proc security
> > > entirely? I didn't see anything in the docs I have skimmed through...
> > >
> > > thanks and apologies for asking without doing much research first.
> > >
> > > --
> > > / Gary Wilson, aka dragon/dragonlord/dragonv480 \
> > > .'(_.------. e: dragon_at_northernscum.org.uk MSN: dragonv480 .------._)`.
> > > < _ | Skype:dragonv480 ICQ:342070475 AIM:dragonv480 | _ >
> > > `.( `------' w: http://volvo480.northernscum.org.uk `------' ).'
> > > \ w: http://www.northernscum.org.uk /
> > > _______________________________________________
> > > Vserver mailing list
> > > Vserver_at_list.linux-vserver.org
> > > http://list.linux-vserver.org/mailman/listinfo/vserver
> >
>
>