grsecurity has one "feature" - if you enable sysctl support it starts up with most 
security features disabled. You must manually enable them using sysctl interface.

Mandrake 9.0 and above now enables sysctl support, which means that most grsecurity 
features are actually off in a default installation:

[bor@iap-pxy-mow1 bor]$ sudo sysctl -a | grep grsec
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.rand_bind = 0
kernel.grsecurity.cap_prot = 0
kernel.grsecurity.rand_rpc = 0
kernel.grsecurity.dmesg = 0
kernel.grsecurity.audit_mount = 0
kernel.grsecurity.altered_pings = 0
kernel.grsecurity.rand_tcp_src_ports = 0
kernel.grsecurity.rand_ip_ids = 0
kernel.grsecurity.rand_pids = 0
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.timechange_logging = 0
kernel.grsecurity.forkfail_logging = 0
kernel.grsecurity.signal_logging = 0
kernel.grsecurity.execve_limiting = 0
kernel.grsecurity.fifo_restrictions = 0
kernel.grsecurity.linking_restrictions = 0

This is a BIG INCOMPATIBLE change compared with previous versions. How many people 
installed a secure kernel just to be fooled by its "security"?

I suggest adding a two-line patch that removes the check for sysctl and always makes 
grsecurity come up with the features enabled during compilation. This is much better 
than leaving users to do it manually (besides, in this case you can always disable 
them if needed). If it is agreed, a patch will follow (I do not have one handy).

-andrey

P.S. I am not currently on cooker so I appreciate Cc in replies if any.

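Added example, not part of the post above: a POSIX shell audit script that parses the `sysctl -a` lines shown in the mail and prints the `sysctl -w` commands needed to turn the disabled grsecurity features on, for an administrator to review before running. The embedded sample is constructed from the output in the post; the script deliberately emits `grsec_lock` last, because once that sysctl is set to 1 the other grsecurity sysctls can no longer be changed.

```shell
#!/bin/sh
# Audit which grsecurity features are off and emit the commands to enable them.
# Usage: ./grsec_audit.sh          (runs against the constructed sample below)
#        ./grsec_audit.sh --live   (runs against the running kernel's sysctl -a)

# Constructed sample: the grsecurity sysctl state from the mailing-list post.
SAMPLE_GRSEC_OUTPUT='kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.rand_bind = 0
kernel.grsecurity.cap_prot = 0
kernel.grsecurity.rand_rpc = 0
kernel.grsecurity.dmesg = 0
kernel.grsecurity.audit_mount = 0
kernel.grsecurity.altered_pings = 0
kernel.grsecurity.rand_tcp_src_ports = 0
kernel.grsecurity.rand_ip_ids = 0
kernel.grsecurity.rand_pids = 0
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.timechange_logging = 0
kernel.grsecurity.forkfail_logging = 0
kernel.grsecurity.signal_logging = 0
kernel.grsecurity.execve_limiting = 0
kernel.grsecurity.fifo_restrictions = 0
kernel.grsecurity.linking_restrictions = 0'

# list_disabled: read "key = value" lines on stdin, print the grsecurity keys set to 0.
list_disabled() {
    awk -F' = ' '$1 ~ /^kernel\.grsecurity\./ && $2 == "0" { print $1 }'
}

# count_disabled: number of disabled grsecurity features on stdin.
count_disabled() {
    list_disabled | wc -l | tr -d ' '
}

# enable_commands: one "sysctl -w key=1" per disabled feature; grsec_lock is held
# back and printed last, since setting it first would freeze the other keys at 0.
enable_commands() {
    list_disabled | awk '
        $1 == "kernel.grsecurity.grsec_lock" { lock = 1; next }
        { printf "sysctl -w %s=1\n", $1 }
        END { if (lock) print "sysctl -w kernel.grsecurity.grsec_lock=1" }'
}

if [ "$1" = "--live" ]; then
    sysctl -a 2>/dev/null | grep '^kernel\.grsecurity\.' | enable_commands
else
    printf '%s\n' "$SAMPLE_GRSEC_OUTPUT" | enable_commands
fi
```

The script only prints commands; pipe its output to `sh` as root once you have checked that every listed feature is wanted on that host.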