Grsecurity 2.0 (kernel 2.4.26) and Mysql

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Grsecurity 2.0 (kernel 2.4.26) and Mysql

Postby adk » Sun Jun 27, 2004 1:46 pm

At this moment I am running some test with grsecurity 2.0 (kernel 2.4.26)

However there are some problems with Mysql. Every time Mysql is started the following is logged:

grsec: signal 11 sent to /usr/libexec/mysqld[mysqld:6460] uid/euid:27/27 gid/egid:27/27, parent /usr/libexec/mysqld[mysqld:13424] uid/euid:27/27 gid/egid:27/27

On the same box Apache (+php) is running.

Does anyone know know how I can solve this problem ??

Thanks

Ad Koster
adk
 
Posts: 6
Joined: Tue Mar 18, 2003 12:53 pm

Postby Naucki » Tue Aug 03, 2004 5:00 pm

i've mysql 4.0.20 / grsec 2.4.26-grsec2 / apache 2.0.50 / php 4.3.8 and no problems. securitylevel medium

on debian woody


signal 11 sound like an hardware/ram problem.
try out memtest.
Naucki
 
Posts: 2
Joined: Sun May 02, 2004 1:00 pm

Seems that Mysqld does a segmentation fault

Postby bsonderm » Thu Aug 05, 2004 9:53 am

Probably Mysqld accesses data outside a data segment. Signal 11 is a segmentation fault and is caused when a process accesses RAM outside it's reserved segments.
Grsecurity detects this and kills the mysqld process, so you can do a strace to see on which function call or signal Mysqld crashes.

e.g. strace /usr/local/mysql/bin/safe_mysqld will start the Mysqld processes.

When you have the line where Mysqld crashes you also have a clue where the bug in Mysql exists. After that ask support from Mysql to fix the problem or use chpax to turn of options for the Mysqld deamon. E.g. chpax -m /usr/local/mysql/bin/mysqld will turn of mprotect() and thus prevent probably Signal 11 Segmentation Faults.

Good Luck
bsonderm
 
Posts: 1
Joined: Thu Aug 05, 2004 9:40 am

Postby spender » Thu Aug 05, 2004 9:08 pm

Again, grsecurity is not killing anything. It is simply logging the sigsegv that would have happened anyway.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby adriano » Mon Aug 09, 2004 11:41 am

If you are running a version of RedHat that uses nptl threads, do the following and it'll fix your problem: export LD_ASSUME_KERNEL=2.4.0 (Thanks to spender for this one)
adriano
 
Posts: 5
Joined: Tue Jun 29, 2004 8:03 am

Postby adk » Sun Aug 15, 2004 4:51 am

adriano wrote:If you are running a version of RedHat that uses nptl threads, do the following and it'll fix your problem: export LD_ASSUME_KERNEL=2.4.0 (Thanks to spender for this one)


Thanks.

This indeed solved my problem with mysql.
adk
 
Posts: 6
Joined: Tue Mar 18, 2003 12:53 pm


Return to grsecurity support