Hi Ed-

Again, thanks for the long and thoughtful reply. From it, I think I
discovered a part of my problem and that part lies with semantics. What
I mean is this: when I see someone say Hardened Gentoo Project I have
been thinking that this implicitly involves the SELinux subproject (not
as one-and-the-same, but as an implicitly included subproject). After
all, SELinux is clearly one of the subprojects of the Hardened Project
and apparently a rather major one. From your last post, I now see that
one can have a Hardened Gentoo System with SELinux or a Hardened Gentoo
system without SELinux. Or at least, I think that's right. Could you
confirm that? Can one also have a non-Hardened Gentoo system with
SELinux? Is that what one gets by strictly following the SELinux install
guide (no mention of special compiler or linker flags in there)?

In case other folks out there suffer from the same misconception, someone
involved in the Project or subprojects might want to include something on
the Hardened web pages that says, "...this is what we mean by
Hardened..." like you've done here. Or maybe even some naming
convention: "Gentoo Hardened with SELinux", "Gentoo Hardened without
SELinux, but with these subprojects", etc. I don't know, but that has
been a part of my problem: a misunderstanding of definitions.

Another part of my problem is that I didn't realize that to install a
Hardened Gentoo system without SELinux, one could use the Gentoo Handbook
(not the SELinux install guide, which is the only install guide at the
Hardened web pages) and do something very similar to a normal install.
Thanks for clarifying that.

Another part of my problem is that (as you said initially) I got the wrong
stage1 tarball. Before I read your last post here, I reread the SELinux
install guide and noticed that the SELinux stage1 tarballs come from
the /experimental branch and nowhere else. So I was reading the SELinux
install guide, got an ISO image that would allow me to do all sorts of
different things (Hardened with SELinux, Hardened without SELinux, etc.),
then I got a stage1 tarball that was apparently for Hardened without
SELinux, but I'm proceeding according to guidance in the SELinux install
guide. I'm sure that accounts for some (many? most?) of my problems.
So, my mistake here. I saw a few differences between reality and the
SELinux install guide and so I started reading it with an editor's eye,
and filling in details and adding stuff of my own in interpretation that
wasn't there. I should have stayed exactly with the written docs and I
would have avoided this part of my problem.

So, one last thing if I could. I was in the midst of doing an SELinux
install from the SELinux install guide when I saw this thread (with
subject: Current proposed way of installing gentoo _hardened_ (my
emphasis because I read it differently now)) and added my questions to it
about these compiler and linker flags:

On Monday 29 March 2004 01:41, Tóth Attila wrote:
> A quote from Ned Ludd:
>
> CFLAGS="-fPIC -fforce-addr -fomit-frame-pointer -fstack-protector-all"
> LDFLAGS="-pie -W,-z,noexecstack -W,-z,noexecheap"

I guess that Tóth Attila was asking about Gentoo Hardened without SELinux
here? And especially because I was reading the SELinux install guide at
the time and doing an SELinux install, I read that and misunderstood him
to be asking about doing a Hardened Project install including SELinux.

But now may I ask: should I use these flags for doing an SELinux install?
They are not mentioned in the SELinux install guide. But I'm trying to
make this system as secure as reasonably possible right now (without
compromising on stability) and so maybe I want a Hardened Gentoo system
with SELinux. If so, should I set up these flags in make.conf before I
run the bootstrap.sh script?

When I was using the hardened stage1 tarball and I set these flags, many
builds included in the bootstrap script failed with complaints about
those LDFLAGS.

Again... Thanks very kindly for your patience in explaining these details
to me, Ed. I think I may be close to a path that will get me to my goal
now, and without your help, I would not be. Many thanks.


--
-Kevin

--
gentoo-hardened@g.o mailing list
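The thread asks whether the quoted `-pie` and `-z noexecstack` linker flags belong in make.conf; whichever way that is answered, what a builder wants afterwards is a way to confirm they took effect on the installed binaries. The following is an added example, not code from the thread or from the Gentoo project: it reads an ELF64 image in pure Python (no readelf needed) and reports whether it is PIE (e_type ET_DYN) and whether its stack is executable (PT_GNU_STACK flags); the ELF constants are the standard ones, and `make_sample_elf64` builds constructed, non-loadable test images so it runs offline.

```python
"""Report PIE and stack executability for an ELF64 file.
Added example: pure-Python ELF64 header walk, 64-bit only."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3           # -pie output is ET_DYN
PT_GNU_STACK = 0x6474E551        # written by the linker for -z (no)execstack
PF_X, PF_W, PF_R = 1, 2, 4


def check_elf64(data: bytes) -> dict:
    """Return {'pie': bool, 'exec_stack': bool} for an in-memory ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    # With no PT_GNU_STACK the kernel applies its own default, which on x86
    # has historically been an executable stack, so "missing" counts as exec.
    exec_stack = True
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "exec_stack": exec_stack}


def make_sample_elf64(e_type, stack_flags=None) -> bytes:
    """Constructed minimal ELF64 image (header + program headers) for testing.
    Not loadable; just enough structure for check_elf64 to parse."""
    phdrs = [(1, PF_R | PF_X)]                      # one PT_LOAD segment
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff=64, e_shoff,
    # e_flags, e_ehsize=64, e_phentsize=56, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0,
                                 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    return header + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                       # e.g. /bin/ls
        with open(path, "rb") as fh:
            print(path, check_elf64(fh.read()))
```

Run it over real binaries as `python3 check_elf64.py /bin/ls /usr/bin/*` after a bootstrap to see which packages honoured the flags; a result of `pie: False` or `exec_stack: True` on a freshly built package is the kind of failure the thread's bootstrap complaints would leave behind.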