Fix PaX flags and grub2

Tags: #<Tag:0x00007f76fae2e500> #<Tag:0x00007f76fae2e398> #<Tag:0x00007f76fae2e280> #<Tag:0x00007f76fae2e0f0>

PaX exceptions for Grub2

Let’s say apt-get or something similar complains:

Setting up grub-pc (1.99-27+deb7u3) …
/var/lib/dpkg/info/grub-pc.postinst: line 311: 17543 Killed grub-mkdevicemap --no-floppy
dpkg: error processing grub-pc (–configure):
subprocess installed post-installation script returned error exit status 137
dpkg: dependency problems prevent configuration of grub2:
grub2 depends on grub-pc (= 1.99-27+deb7u3); however:
Package grub-pc is not configured yet.

You get something like this in the syslog during the update:

[7834883.825187] PAX: From 192.168.X.Y: execution attempt in: <stack>, 3ff607be000-3ff607df000 3fffffde000
[7834883.825655] PAX: terminating task: /usr/sbin/grub-mkdevicemap(grub-mkdevicema):18011, uid/euid: 0/0, PC: 000003ff607de2e0, SP: 000003ff607dd138
[7834883.826188] PAX: bytes at PC: 41 bb b0 26 40 00 49 ba d0 e2 7d 60 ff 03 00 00 49 ff e3 90 
[7834883.827555] PAX: bytes at SP-8: 0000000000000005 0000000000402aa5 0000000000000000 0000000000000000 0000000000000400 0000000000624ef0 0000000000000000 0000000000000000 0000000000000000 000003b4d8591530 000000000000002f 

With POSIX ACLs you solve it:

setfattr -n user.pax.flags -v "m"  /usr/sbin/grub-mkdevicemap
setfattr -n user.pax.flags -v "m"  /usr/sbin/grub-*
setfattr -n user.pax.flags -v "m"  /usr/bin/grub-mount
setfattr -n user.pax.flags -v "m"  /usr/bin/grub-script-check
setfattr -n user.pax.flags -v "m"  /usr/lib/grub/i386-pc/grub-setup

Easy :wink: