DOSC TWiki snapshot as of mid-2005

EnableSystraceInRedhat


Enabling Systrace in Redhat 8.0


Introduction

As a trained-paranoid OpenBSD user, my first qualm with my new Redhat installation was its lack of systrace. My first major linux task was therefore to get systrace functioning.

Systrace is a tool which lets you monitor running processes on a per-system-call basis. You may configure policies to restrict untrusted programs to a certain set of system calls and certain parts of the filesystem. You may also elevate privileges for certain syscalls, e.g. binding to a low-numbered port. [ **Update: the linux systrace does not seem to allow this feature. AlexFerguson Mar18 ] When systrace sees a program attempting to execute a system call not in its policy, it denies it with a configurable error number or pops up an X application prompting for what to do. Obvious applications of this are network daemons and desktop networking applications. Programs like xmms, xpdf, and ghostscript might also benefit. Read more about all this on the systrace page, http://www.citi.umich.edu/u/provos/systrace/index.html.

I will attempt to describe what I did to enable systrace in Redhat 8.0. Actually generating policies given the slightly weakened systrace and some uncooperative X apps may still be a challenge; I hope to post what I do generate on the wiki. [ **Update: look at LinuxSystracePolicies AlexFerguson ]

Warning

This procedure involves an unofficial patch to the linux kernel, and plenty of experimental code. I've already managed to hang my kernel once :) I wrote this only after I had finished installing everything, and I did not take notes while installing, so blindly executing the commands I'm going to supply would be a Bad Idea(TM).

Beware of dog.

Get required files

Kernel development tools
In addition to gcc, you need some libraries and, for xconfig, tk. The relevant RPMs are libacl-devel, libattr-devel, tk, glibc, tcl, and XFree86-libs. You might also want to get redhat's kernel source for the sake of its config files; this goes by the name of kernel-source.

Patchable kernel source
Currently, Redhat does not use a kernel version to which the systrace patches may be applied. You must get 2.4.20, 2.5.52, or 2.5.59 from kernel.org. (At this date, anyway.) I used 2.4.20, the latest stable version, from http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2.

The systrace patch
Get version 1.1 of the patch from http://www.citi.umich.edu/u/provos/systrace/linux.html for whichever kernel source you chose. I used http://www.citi.umich.edu/u/provos/systrace/systrace-linux-2.4.20-v1.1.diff for 2.4.20.

The systrace userland program
This is the userland utility which speaks to the patched kernel, and it lives at http://www.citi.umich.edu/u/provos/systrace/index.html. The actual download link I used was http://www.citi.umich.edu/u/provos/systrace/usr-systrace-snapshot.tar.gz.

The notification program, gtk-systrace
Get this from the same spot as the systrace itself. The link I used was http://www.citi.umich.edu/u/provos/systrace/gtk-systrace-2002-12-01.tar.gz.

Patch the kernel source

Go to /usr/src and unpack the bz2ball you got from kernel.org. Following redhat's lead I symlinked /usr/src/linux-2.4 to the new directory, but this probably doesn't matter. Now cd to this directory (I'll call it /usr/src/linux-2.4 from now on) and apply the patch.

        cd /usr/src
        tar xjf /path/to/linux-xxxxxx.tar.bz2
        ln -s /usr/src/linux-xxxxxx linux-2.4   # optional; mirrors redhat's layout
        cd linux-2.4
        # -p1 strips the leading directory from the file names inside the diff
        patch -p1 < /path/to/systrace-linux-xxxxxx-v1.1.diff

Compile the patched source

You now need to build yourself a new kernel from the source you made. Writing a complete guide to compiling the linux kernel is a job for a better man than me, and wouldn't you know it he's already done the task: http://tldp.org/HOWTO/Kernel-HOWTO.html. You may find it useful to copy a configuration file from the redhat kernel sources; they are in the configs/ directory and you copy one of your choosing to /usr/src/linux-2.4/.config. Do this after make mrproper, which deletes any existing .config, and then run make xconfig (or make oldconfig) on top of it. Be sure to enable Systrace support in General setup.

The general steps for compiling a kernel are listed here for convenience, but this is not sufficient to guide someone who has not done it before. In particular, see the HOWTO for notes on clean vs mrproper.

        make clean; make mrproper   # mrproper also removes .config; copy your config in after this
        make xconfig                # enable "Systrace support" under General setup
        make dep
        vi Makefile                 # typically to set EXTRAVERSION, so this kernel's modules get their own /lib/modules directory
        make bzImage
        make modules
        make modules_install
        make install

Boot your new kernel

After you make install, don't forget to configure your boot loader! make install makes an attempt to configure grub automatically, for people who use grub, but I had to fix the entry for the root device. (It will look like root=/dev/hdb2 or similar, depending on where your root filesystem lives. Type mount and look for where / is mounted if you aren't sure.) Again, see the Kernel-HOWTO or other docs on http://tldp.org for more information.

Create the systrace device

This one is easy.

        # misc character device, major 10, minor 223; mode 600 keeps it root-only for now
        su -c 'mknod -m600 /dev/systrace c 10 223'

Compile systrace

This is easy if and only if you were a good girl/boy and read http://www.citi.umich.edu/u/provos/systrace/linux.html completely. (Oops.) There is a header in the patched kernel source, linux/systrace.h, which the userland utility needs but which its build does not find on its own; fixing that takes little effort. You can either copy systrace.h from the kernel source (include/linux/) to /usr/include/linux/, or edit the Makefile in the systrace userland source so that

        CFLAGS = -Wall $(AM_CFLAGS)

becomes

        CFLAGS = -I/usr/src/linux-2.4/include -Wall $(AM_CFLAGS)

Aside from this glitch, the compile is standard.

        tar xzf usr-systrace-snapshot.tar.gz
        cd systrace-1.0
        ./configure
        vi Makefile # see note above
        make
        su -c 'make install'

If you want normal users to be able to use systrace, make the device readable and writable by everyone:

        su -c 'chmod 666 /dev/systrace'

Note that this lets every local account open the device. If only a few users need systrace, putting the node in a dedicated group with mode 660 is the tighter choice.

Compile gtk-systrace

        tar xzf gtk-systrace-2002-12-01.tar.gz
        cd notification-0.1
        ./configure
        make
        su -c 'make install'

This installs a program called notification in /usr/local/bin. systrace expects its GUI to be called /usr/X11R6/bin/xsystrace, so

        su -c 'ln -s /usr/local/bin/notification /usr/X11R6/bin/xsystrace'
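As an added example (not part of the original page, and not code from the systrace project), here is a small POSIX shell script that checks the results of the procedure above: that the kernel .config has systrace turned on, that the CFLAGS edit from the "Compile systrace" step has been applied to the userland Makefile (it applies it if not), and that /dev/systrace is a character device with the major and minor numbers used by the mknod step. The config symbol name CONFIG_SYSTRACE is an assumption based on the "Systrace support" option; the kernel path defaults to /usr/src/linux-2.4 as used on this page, and the ls -l line in the comments is constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original page or from the systrace project:
# post-install checks for the procedure above.  Assumptions are marked.

# Patched kernel tree; this page calls it /usr/src/linux-2.4.
KSRC=${KSRC:-/usr/src/linux-2.4}

# Numbers used by the mknod step above: misc character device 10/223.
SYSTRACE_MAJOR=10
SYSTRACE_MINOR=223

# Print "major:minor" from one `ls -l` line describing a character device,
# e.g. (constructed) "crw------- 1 root root 10, 223 Mar 16 12:00 /dev/systrace".
parse_dev_numbers() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^c/ { sub(",", "", $5); print $5 ":" $6; found = 1 }
        END       { if (!found) print "not-a-char-device" }'
}

# Check that PATH (default /dev/systrace) is a character device with the
# expected major/minor.  Returns 0 if so, 1 otherwise.
check_systrace_dev() {
    path=${1:-/dev/systrace}
    [ -c "$path" ] || { echo "$path: missing or not a character device"; return 1; }
    nums=$(parse_dev_numbers "$(ls -l "$path")")
    if [ "$nums" != "$SYSTRACE_MAJOR:$SYSTRACE_MINOR" ]; then
        echo "$path: is $nums, expected $SYSTRACE_MAJOR:$SYSTRACE_MINOR"
        return 1
    fi
    echo "$path: ok ($nums)"
}

# Check that a kernel .config has the systrace option turned on.
# ASSUMPTION: the patch's config symbol is CONFIG_SYSTRACE (the option shows
# up as "Systrace support" under General setup); adjust if yours differs.
kernel_config_has_systrace() {
    grep -qx 'CONFIG_SYSTRACE=y' "$1"
}

# Apply the Makefile edit from the "Compile systrace" step: prepend
# -I$KSRC/include to the CFLAGS line so linux/systrace.h is found.
# Refuses to touch a Makefile whose CFLAGS line is not in the expected form
# (so it is safe to re-run), and rewrites via a temporary copy rather than
# relying on sed -i.
fix_systrace_makefile() {
    mk=$1
    grep -qxF 'CFLAGS = -Wall $(AM_CFLAGS)' "$mk" || {
        echo "$mk: CFLAGS line not in the expected form, not touching it"
        return 1
    }
    awk -v inc="-I$KSRC/include" '
        $0 == "CFLAGS = -Wall $(AM_CFLAGS)" { print "CFLAGS = " inc " -Wall $(AM_CFLAGS)"; next }
        { print }' "$mk" > "$mk.new" && mv "$mk.new" "$mk"
}

# Run the live checks against this machine.
run_checks() {
    rc=0
    if kernel_config_has_systrace "$KSRC/.config"; then
        echo "$KSRC/.config: CONFIG_SYSTRACE=y"
    else
        echo "$KSRC/.config: systrace not enabled, or no .config there"
        rc=1
    fi
    check_systrace_dev /dev/systrace || rc=1
    return $rc
}

# Usage:  sh systrace-check.sh check
case "${1:-}" in
    check) run_checks ;;
esac
```

Run it as root or as a normal user; the device check only reads the node, so it also confirms whether the chmod step above was needed for your account.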

Congratulations

You should now be primed and ready to, um, trace :) If there is interest and existing documents (rtfm ;) aren't sufficient, I'll try and write some sort of usage guide for systrace.

AlexFerguson - 16 Mar 2003