| 1 |
Hi Ed- |
| 2 |
|
| 3 |
Again, thanks for the long and thoughtful reply. From it, I think I |
| 4 |
discovered a part of my problem and that part lies with semantics. What |
| 5 |
I mean is this: when I see someone say Hardened Gentoo Project I have |
| 6 |
been thinking that this implicitly involves the SELinux subproject (not |
| 7 |
as one-and-the-same, but as an implicitly included subproject). After |
| 8 |
all, SELinux is clearly one of the subprojects of the Hardened Project |
| 9 |
and apparently a rather major one. From your last post, I now see that |
| 10 |
one can have a Hardened Gentoo System with SELinux or a Hardened Gentoo |
| 11 |
system without SELinux. Or at least, I think that's right. Could you |
| 12 |
confirm that? Can one also have a non-Hardened Gentoo system with |
| 13 |
SELinux? Is that what one gets by strictly following the SELinux install |
| 14 |
guide (no mention of special compiler or linker flags in there)? |
| 15 |
|
| 16 |
In case other folks out there suffer from the same misconception, someone |
| 17 |
involved in the Project or subprojects might want to include something on |
| 18 |
the Hardened web pages that says, "...this is what we mean by |
| 19 |
Hardened..." like you've done here. Or maybe even some naming |
| 20 |
convention: "Gentoo Hardened with SELinux", "Gentoo Hardened without |
| 21 |
SELinux, but with these subprojects", etc. I don't know, but that has |
| 22 |
been a part of my problem: a misunderstanding of definitions. |
| 23 |
|
| 24 |
Another part of my problem is that I didn't realize that to install a |
| 25 |
Hardened Gentoo system without SELinux, one could use the Gentoo Handbook |
| 26 |
(not the SELinux install guide which is the only install guide at the |
| 27 |
Hardened web pages) and do something very similar to a normal install. |
| 28 |
Thanks for clarifying that. |
| 29 |
|
| 30 |
Another part of my problem is that (as you said initially) I got the wrong |
| 31 |
stage1 tarball. Before I read your last post here, I reread the SELinux |
| 32 |
install guide and noticed that the SELinux stage1 tarballs come from |
| 33 |
the /experimental branch and nowhere else. So I was reading the SELinux |
| 34 |
install guide, got an iso image that would allow me to do all sorts of |
| 35 |
different things (Hardened with SELinux, Hardened without SELinux, etc.), |
| 36 |
then I got a stage1 tarball that was apparently for Hardened without |
| 37 |
SELinux, but I'm proceeding according to guidance in the SELinux install |
| 38 |
guide. I'm sure that accounts for some (many? most?) of my problems. |
| 39 |
So, my mistake here. I saw a few differences between reality and the |
| 40 |
SELinux install guide and so I started reading it with an editor's eye, |
| 41 |
and filling in details and adding stuff of my own in interpretation that |
| 42 |
wasn't there. I should have stayed exactly with the written docs and I |
| 43 |
would have avoided this part of my problem. |
| 44 |
|
| 45 |
So, one last thing if I could. I was in the midst of doing an SELinux |
| 46 |
install from the SELinux install guide when I saw this thread (with |
| 47 |
subject: Current proposed way of installing gentoo _hardened_ (my |
| 48 |
emphasis because I read it differently now)) and added my questions to it |
| 49 |
about these compiler and linker flags: |
| 50 |
On Monday 29 March 2004 01:41, Tóth Attila wrote: |
| 51 |
> A quote from Ned Ludd: |
| 52 |
> |
| 53 |
> CFLAGS="-fPIC -fforce-addr -fomit-frame-pointer -fstack-protector-all" |
| 54 |
> LDFLAGS="-pie -W,-z,noexecstack -W,-z,noexecheap" |
| 55 |
|
| 56 |
I guess that Tóth Attila was asking about Gentoo Hardened without SELinux |
| 57 |
here? And especially because I was reading the SELinux install guide at |
| 58 |
the time and doing an SELinux install, I read that and misunderstood him |
| 59 |
to be asking about doing a Hardened Project install including SELinux. |
| 60 |
|
| 61 |
But now may I ask: should I use these flags for doing an SELinux install? |
| 62 |
They are not mentioned in the SELinux install guide. But I'm trying to |
| 63 |
make this system as secure as reasonably possible right now (without |
| 64 |
compromising on stability) and so maybe I want a Hardened Gentoo system |
| 65 |
with SELinux. If so, should I set up these flags in make.conf before I |
| 66 |
run the bootstrap.sh script? |
| 67 |
|
| 68 |
When I was using the hardened stage1 tarball and I set these flags, many |
| 69 |
builds included in the bootstrap script failed with complaints about |
| 70 |
those LDFLAGS. |
| 71 |
|
| 72 |
Again... Thanks very kindly for your patience in explaining these details |
| 73 |
to me, Ed. I think I may be close to a path that will get me to my goal |
| 74 |
now, and without your help, I would not be. Many thanks. |
| 75 |
|
| 76 |
|
| 77 |
-- |
| 78 |
-Kevin |
| 79 |
|
| 80 |
-- |
| 81 |
gentoo-hardened@g.o mailing list |
Archives