List Archive: gentoo-dev
To: gentoo-dev@g.o
From: Mike Frysinger <vapier@g.o>
Subject: Re: RFC: Disambiguation of "hardened" use flag and proposal for a new global flag "pax_kernel"
Date: Thu, 14 Jul 2011 19:19:11 -0400

On Thursday, July 14, 2011 18:52:04 Anthony G. Basile wrote:
> 2) The choice of a hardened kernel is made by emergeing
> hardened-sources, configuring, compiling, booting. There is no use flag
> for this choice per se. That means that virtual/linux-sources would
> remove the condition RDEPEND:
>
> hardened? ( =sys-kernel/hardened-sources-2.6* )
>
> and simply replace it with
>
> =sys-kernel/hardened-sources-2.6*

i think this change can be made regardless of any other. the hardened-sources
package always provides a kernel, so there is no need to require USE=hardened
in order for this to satisfy the virtual.

> 3) Since a hardened kernel can be configured with various flavors of
> "pax" or "grsec" or "selinux", there should be useflags to reflect
> userland needs to conform. There already is a "selinux" flag which is
> set by selinux profiles. Currently we don't see a need for a "grsec"
> flag, however, there is a need for a "pax" global use flag which we
> propose calling "pax_kernel". (If nothing else to distinguish it from
> app-arch/pax.)
>
> Userland binaries which will run under a pax enabled kernel may need
> special treatment to run, or else they'll be killed by the kernel. The
> best example here is an RWX mmapping. Although the ideal case is to
> "fix the code" this is not always feasible and so binaries will still
> need markings with paxctl -m.

if `paxctl` is installed, then i say always run `paxctl` on the problematic
binaries regardless of USE flags. have the hardened-sources package depend on
paxctl, and then that takes care of the dependency.

-mike
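
The thread above turns on which binaries carry a `paxctl -m` marking. As an added example that is not part of the original message or of Gentoo's tooling, the following reads the marking back out of an ELF file so relaxed binaries can be audited; it assumes the PT_PAX_FLAGS program header that paxctl edits, uses the constant values from the PaX ELF headers, handles little-endian ELF64 only, and `pax_mprotect_state` and `make_sample` are hypothetical names.

```python
import struct

# Values from the PaX ELF headers (assumed here, not quoted from the thread).
PT_PAX_FLAGS = 0x65041580      # program header type that paxctl edits
PF_MPROTECT = 1 << 8           # set by "paxctl -M": mprotect() restricted
PF_NOMPROTECT = 1 << 9         # set by "paxctl -m": restriction relaxed


def pax_mprotect_state(elf: bytes) -> str:
    """Return 'relaxed', 'enforced', 'default' or 'no PT_PAX_FLAGS header'."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(elf):
            raise ValueError("truncated program header table")
        # In ELF64, p_flags directly follows p_type.
        p_type, p_flags = struct.unpack_from("<II", elf, off)
        if p_type == PT_PAX_FLAGS:
            if p_flags & PF_NOMPROTECT:
                return "relaxed"
            if p_flags & PF_MPROTECT:
                return "enforced"
            return "default"
    return "no PT_PAX_FLAGS header"


def make_sample(pax_flags: int, p_type: int = PT_PAX_FLAGS) -> bytes:
    """Constructed test input: a 64-byte ELF64 header plus one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, pax_flags, 0, 0, 0, 0, 0, 8)
    return ehdr + phdr


if __name__ == "__main__":
    for label, flags in [("paxctl -m", PF_NOMPROTECT),
                         ("paxctl -M", PF_MPROTECT),
                         ("unmarked", 0)]:
        print(f"{label:10s} -> {pax_mprotect_state(make_sample(flags))}")
```

Run over the real files an ebuild installs, a result of "relaxed" identifies the binaries that were marked to allow RWX mappings, which is the list worth reviewing when deciding whether the marking is still needed.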