Hi Folks-

I've read a little discussion in the archive on this subject (such as
http://www.mail-archive.com/gentoo-hardened@l.g.o/msg00338.html)
but not much and not recently.

I've also read a little discussion in non-gentoo forums:
http://linux.slashdot.org/article.pl?sid=05/11/01/0444221

As I try to do this, it's just dawned on me that by going strictly with
gentoo packages, I can have a kernel running from either:

xen-sources (which patches the kernel for xen but not for
SELinux/PaX/GRSecurity)

or

hardened-sources (which patches the kernel for SELinux/PaX/GRSecurity
but not for xen)

If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
incorporated into a kernel, any recommendations for doing this?

Ideas:

1) start with xen-sources and apply the hardened patches by hand (seems
like it might be daunting)

2) start with hardened-sources and apply the xen patches by hand (also
seems daunting though maybe a tad less so)

3) start with vanilla-sources and apply gentoo patches, hardened
patches, and xen patches by hand (and any others I think I need)

4) don't even bother with gentoo kernel packages and just handle the
kernel as a software package that's not in portage and get the vanilla
kernel tarball and desired patches and do the patching myself by hand

Has anyone done anything like this? Is it silly to even think that the
hand-applied patches will apply without rejects?

Or should I be doing a strictly Xen kernel as the host kernel and if I
want SELinux/PaX/GRSecurity, put that in a guest kernel? But doesn't
the guest kernel also have to be patched for xen? In which case the
original question of getting a kernel patched with all four still applies.

I'm so confused....

Thanks.

-Kevin
--
gentoo-hardened@g.o mailing list