| 1 |
Hi Ed, |
| 2 |
|
| 3 |
First, thank you very kindly for such a long and thoughtful reply. I |
| 4 |
really appreciate it. But I'm still not quite clear on a couple of |
| 5 |
things, so perhaps I can elaborate below? |
| 6 |
|
| 7 |
On Friday 30 April 2004 05:15, Ed Wildgoose wrote: |
| 8 |
> Hi Kevin, |
| 9 |
> |
| 10 |
> I'm just a beginner like you, but here is my take on things |
| 11 |
> |
| 12 |
> >That last sentence describes me, so I go there... |
| 13 |
> > |
| 14 |
> >So I follow the _Gentoo Hardened_ link which points to |
| 15 |
> >http://hardened.gentoo.org from which I get redirected to |
| 16 |
> >http://www.gentoo.org/proj/en/hardened/ |
| 17 |
> > |
| 18 |
> >Here I see a link: _SELinux x86 Install Guide_ which I followed. |
| 19 |
> |
| 20 |
> Yep, looking at the docs you came to reasonable conclusion. However, |
| 21 |
> the fact remains if you re-read that page closely and read the couple |
| 22 |
> of previous threads on this list (in the last few days). You can see |
| 23 |
> that the "Hardened" project (capital H) covers a host of technologies. |
| 24 |
|
| 25 |
Well, I saw that from the beginning. That page (above) lists all of those |
| 26 |
different technologies (or maybe most of them) as the subprojects of the |
| 27 |
Hardened Project. But knowing a little bit about how SELinux works, I |
| 28 |
figured that it was a fundamental part of the Hardened Project and that |
| 29 |
it needed to be integrated from the very beginning; during the install |
| 30 |
process. Plus, with SELinux being the first Subproject listed in the |
| 31 |
collection of Subprojects for Hardened, it lends credence to that |
| 32 |
impression (IMO). And under "6. Resources" on that page, I see an |
| 33 |
Install Guide for x86 architectures (only install guide there), so I used |
| 34 |
it, realizing that it was for only one subproject (SELinux) of the |
| 35 |
Hardened Project, but thinking that I could add in the other subprojects |
| 36 |
after getting a fully functional Gentoo box with SELinux support running. |
| 37 |
|
| 38 |
In responding to my first post in this thread, you initially wrote: |
| 39 |
On Thursday 29 April 2004 18:24, Ed Wildgoose wrote: |
| 40 |
> >after untarring the stage1 tarball |
| 41 |
> >(stage1-pentium4-pie-ssp-2004.0.tar.bz2), there is no |
| 42 |
> >directory /mnt/gentoo/selinux to use as a mountpoint for an selinuxfs |
| 43 |
> > (as |
| 44 |
> |
| 45 |
> I guess that is because you used the hardened stage 1, not the selinux |
| 46 |
> stage 1 ! I think hardened doesn't need selinux? As in they are not |
| 47 |
> equivalent (part of the same team though) |
| 48 |
|
| 49 |
But... |
| 50 |
|
| 51 |
The iso image that I downloaded in accordance with the Gentoo x86 SELinux |
| 52 |
Installation Guide |
| 53 |
(http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml) |
| 54 |
and then burned onto a CD comes right out and says something along the |
| 55 |
lines of: "Welcome to the Gentoo Hardened Project." I mean, I'm reading |
| 56 |
docs for SELinux (an apparently major subproject of the Hardened Project) |
| 57 |
which tell me to get an iso image, and after booting, I get a splash |
| 58 |
screen that states: Hardened Gentoo (cap H). |
| 59 |
|
| 60 |
So, if I understand correctly, I got a Hardened Gentoo iso image (or so it |
| 61 |
calls itself), I got a Hardened stage 1 tarball (found in |
| 62 |
http://gentoo.oregonstate.edu/releases/x86/2004.0/stages/x86/hardened/), |
| 63 |
and I'm reading the SELinux install guide to do this. Where would I find |
| 64 |
an SELinux iso image and an SELinux stage 1 tarball? |
| 65 |
|
| 66 |
I seem to need three different items that were designed to be used with |
| 67 |
each other: iso image, stage 1 tarball (docs say Hardened can only be |
| 68 |
built this way, not via stage2 or 3), and some documentation. Which ones |
| 69 |
do I use to do a Hardened install? Which ones do I use to just do an |
| 70 |
SELinux install? |
| 71 |
|
| 72 |
> Some are patches to gcc or the kernel to basically tackle "stack |
| 73 |
> overflows" (See Ned Ludd's links for a better description"), this means |
| 74 |
> hardened-gcc + a PaX kernel, ie grsecurity). The other side of |
| 75 |
> hardened is kernel level mandatory access controls, ie even root can't |
| 76 |
> do everything (this bring linux up to the security levels of a *well* |
| 77 |
> setup Windows machine, *dig, dig*) - this is the selinux part. |
| 78 |
> |
| 79 |
> So the hardened stages are compiled with a compiler that has added some |
| 80 |
> extra code to watch for the stack being trampled. Selinux stages refer |
| 81 |
> to using a kernel that has access controls *on every file*. |
| 82 |
> |
| 83 |
> Unfortunately you and I have arrived at a time when the gcc stuff is |
| 84 |
> being migrated from an old style way of doing things to a much more |
| 85 |
> gentoo and integrated way. In fact I get the impression that once this |
| 86 |
> is sorted, then the whole of gentoo will likely get the "hardened" |
| 87 |
> (little h) flag set by default...? However, right now, it's slightly |
| 88 |
> broken I think? |
| 89 |
> |
| 90 |
> >Um... I'm trying to build a production server here. Should I stay |
| 91 |
> > away from this stuff? It sounds like kinks and problems and |
| 92 |
> > documentation are still being worked out. If I want a Gentoo server |
| 93 |
> > and I want it to be providing public services on the Internet (albeit |
| 94 |
> > through a firewall), what plan should I be using here (ie, what |
| 95 |
> > combination of boot CD image, stage1 tarball, and documentation URL |
| 96 |
> > should I be using?)? |
| 97 |
> |
| 98 |
> Tough call really... Lets look at it this way. I haven't tried Suse, |
| 99 |
> but I am building my gentoo server to replace a Redhat webserver. I |
| 100 |
> really like the way it just stays up to date, no fiddling round with |
| 101 |
> packages and conf files every time you update. I have also never had a |
| 102 |
> problem with updating to later versions of packages either, which is |
| 103 |
> something that terrifies me on a production machine, and although I |
| 104 |
> have read stories of other people getting caught, it is really easy to |
| 105 |
> roll back to the older package if neccessary! |
| 106 |
> |
| 107 |
> However, the hardened project is taking some really complex stuff and |
| 108 |
> integrating it into the gentoo system so that you can just click a |
| 109 |
> button and have it work. This will be really worth having, but since |
| 110 |
> you are probably a busy sysadmin with little appetite to take risks on |
| 111 |
> a system right now, then I would suggest that you be cautious about |
| 112 |
> getting on the bleeding edge. |
| 113 |
|
| 114 |
Exactly what is it that's bleeding edge right now? I see "bleeding edge" |
| 115 |
and think, "not appropriate for production servers." Is that what you |
| 116 |
mean? So what's bleeding edge? SELinux? All of the Hardened |
| 117 |
subprojects? Just some of them? Which ones? |
| 118 |
|
| 119 |
> |
| 120 |
> Why not look to take the stage2-hardened build (if there is such a |
| 121 |
> thing). And ignore the selinux stuff for the time being? I'm in pretty |
| 122 |
|
| 123 |
From |
| 124 |
http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml: |
| 125 |
================================================ |
| 126 |
8. Stage tarballs and chroot |
| 127 |
|
| 128 |
Selecting the desired stage tarball |
| 129 |
|
| 130 |
Now, you need to decide which one you would like to use as a basis for the |
| 131 |
install if you have not already. |
| 132 |
|
| 133 |
Since we are compiling everything "from-scracth", as is currently required |
| 134 |
by the Gentoo SELinux install... ^^^^^^^^^^^^^^^^^^^^^^^ |
| 135 |
================================================ |
| 136 |
|
| 137 |
> much the same situation, but having 2 gentoo servers already I have a |
| 138 |
> bit more confidence. However, I am considering starting with a stage-x |
| 139 |
> hardened, (and then pretty much following the normal gentoo install) |
| 140 |
> |
| 141 |
> You need some confirmation from the experts, but with the hardened |
| 142 |
> builds, it is basically a normal install but with a different compiler, |
| 143 |
> and choose a pax kernel as well. You need confirmation though as to |
| 144 |
> whether: |
| 145 |
> |
| 146 |
> a) you stick with the hardened gcc ebuild which is now obselete |
| 147 |
> b) upgrade to gcc 3.3.2 which is stable, and add -fstack-protector to |
| 148 |
> your CFLAGS |
| 149 |
> c) Upgrade to gcc 3.3.3-r2 and how that none of the bugs bite (less |
| 150 |
> likely with a stage-2 or stage-3 build...?), and add USE="hardened" |
| 151 |
> |
| 152 |
> b) is the safest for a production machine, and worst case you will have |
| 153 |
> less protection that you wanted, but better than a standard build. |
| 154 |
> Everything should compile ok. |
| 155 |
> |
| 156 |
> >I've already |
| 157 |
> >uncovered a bug in the ebuild for the gs_sources kernel (involving the |
| 158 |
> >Device Mapper patch) which is supposedly for production servers. |
| 159 |
> |
| 160 |
> Bad luck. gs_sources is slightly unstable I think? Well, remember |
| 161 |
|
| 162 |
From the Gentoo Linux Kernel Guide |
| 163 |
(http://www.gentoo.org/doc/en/gentoo-kernel.xml): |
| 164 |
================================================ |
| 165 |
gs-sources |
| 166 |
|
| 167 |
For users to whom desktop interactive performance comes as a secondary |
| 168 |
priority to reliability and hardware support, we have the gs-sources. GS |
| 169 |
stands for Gentoo Stable (creative, aren't we?). This patch set is tuned |
| 170 |
and tested to provide the best support for the latest hardware and |
| 171 |
ensures that your mission critical servers will be up when you need them. |
| 172 |
================================================ |
| 173 |
|
| 174 |
|
| 175 |
> that it isn't a Linus kernel so it is going to be patches that haven't |
| 176 |
> been merged into stable yet.... I think it was just bad luck though, |
| 177 |
> you would presumably have the same problems if you took a stable kernel |
| 178 |
> and added your own patches... |
| 179 |
|
| 180 |
No, I recently patched a plain Linux kernel from kernel.org with the |
| 181 |
Device Mapper patch (and some others) myself and built it and am running |
| 182 |
it on one of my production servers in a SuSE distro. |
| 183 |
|
| 184 |
> Personally I prefer the 2.6 kernels, try |
| 185 |
> -MM for a bleeding edge that seems to be pretty stable. |
| 186 |
|
| 187 |
Well, I need to use OpenAFS for which there is currently no support in the |
| 188 |
2.6.x kernels. |
| 189 |
|
| 190 |
> |
| 191 |
> >I'm |
| 192 |
> >starting to get the impression that Gentoo is just not ready (with or |
| 193 |
> >without Hardened or SELinux) for production servers, |
| 194 |
> |
| 195 |
> Disagree, but in return for possibly finding a few bugs, you get a |
| 196 |
> lovely distribution. Redhat and Suse have plenty of gremlins in my |
| 197 |
> experience. You have been unfortunate to find a few in Gentoo. |
| 198 |
> |
| 199 |
> Personally, I found that all problems I ever found in gentoo were |
| 200 |
> fairly easy to fix, and I wouldn't class myself as much of a linux |
| 201 |
> expert. In contrast I can do a lot more with gentoo than with my |
| 202 |
> redhat machines. Well worth it in my experience. |
| 203 |
> |
| 204 |
> >and almost certainly |
| 205 |
> >not with Hardened or SELinux. |
| 206 |
> |
| 207 |
> Perhaps... I haven't used hardened enough to comment. But from what I |
| 208 |
> have seen, this time next year all linux builds will be "hardened" |
| 209 |
> (little h), and secure sites will use selinux. I can't see selinux |
| 210 |
> becoming mainstream for a good few years yet though. |
| 211 |
> |
| 212 |
> Consider trying selinux only via user-mode linux for now...? |
| 213 |
> |
| 214 |
> >Could someone give me the skinny on this? |
| 215 |
> >Am I barking up the wrong tree trying to use Gentoo to build a |
| 216 |
> > production server? Though I'm no developer, I am a reasonably |
| 217 |
> > sophisticated Linux geek with about 9 years doing sysadmin on Linux |
| 218 |
> > boxen, and I'm having real problems here. Should I go back to SuSE? |
| 219 |
> |
| 220 |
> Nah. You will find gentoo a piece of cake. |
| 221 |
|
| 222 |
Well, that's just it... About 2-3 months ago, I did my first Gentoo |
| 223 |
installation on a non-critical workstation and really liked everything |
| 224 |
about it. So, I am running Gentoo on a workstation I use frequently. I |
| 225 |
really liked the install process, I really liked all the features of |
| 226 |
portage... I mean, after doing that one Gentoo install, I think Gentoo is |
| 227 |
the Cat's Meow in Linux distros, but I'm having real trouble doing even a |
| 228 |
standard Gentoo install right now (2 months later) on this production |
| 229 |
server. I first reported problems with the gs-sources kernel to |
| 230 |
gentoo-user and gentoo-dev lists about a week ago, and John Nilsson on |
| 231 |
the dev list confirmed my problems with device mapper, and found a bug |
| 232 |
report documenting the same problem (Bugzilla Bug 48973 |
| 233 |
gs-sources-2.4.25_pre7-gss-r3 compile error). |
| 234 |
|
| 235 |
> |
| 236 |
> The situation is as clear as this. Gentoo has a dead easy installer, |
| 237 |
> but it is manual. ie you read the docs, type in all the commands in |
| 238 |
|
| 239 |
I'll agree that it is very easy when there are no bugs. It's wonderful. |
| 240 |
I have no problems with manual. Love it, in fact. |
| 241 |
|
| 242 |
> sequence, and you get a build out the other end. After that it takes |
| 243 |
> about 10 mins a month to keep it up and running. Other distros are |
| 244 |
> easier to get going, but to be honest, after I built the first few |
| 245 |
> machines I have absolutely no problem with the manual setup - agreed it |
| 246 |
> looks annoying the first time (Actually I think a small shell script |
| 247 |
|
| 248 |
Not really. |
| 249 |
|
| 250 |
> would just do the whole lot and I wonder why there aren't more basic |
| 251 |
> installers available..?) |
| 252 |
> |
| 253 |
> Suggest that if you have probs then just revert to a normal gentoo |
| 254 |
> build. Follow the install, perhaps with a stage-2 or 3 the first time, |
| 255 |
|
| 256 |
Well, see above... My first install I did a stage1 and no problems |
| 257 |
whatsoever. Now, I can't get gentoo-sources or gs-sources to build in a |
| 258 |
standard (normal) gentoo stage1 process. |
| 259 |
|
| 260 |
> and play with the finished machine. Then try again with hardened or |
| 261 |
> whatever. |
| 262 |
|
| 263 |
As far as I can tell, there is no hardened install guide other than the |
| 264 |
SELinux install guide. |
| 265 |
|
| 266 |
> The point is it is pretty easy when you have done it once, |
| 267 |
> and worth the effort |
| 268 |
|
| 269 |
As I said, I think Gentoo is excellent. That's why I'm working so hard to |
| 270 |
get it up on this server. But right now the effort is tremendous. I've |
| 271 |
been working on this for more than a week and I so far I haven't been |
| 272 |
able to get past the kernel build step because of bugs. |
| 273 |
|
| 274 |
What I really need is for someone with more experience than you or me to |
| 275 |
either say, "Hey Kev, Hardened Gentoo with SELinux and the other |
| 276 |
subprojects will work and this is how you do it: get this iso image, get |
| 277 |
this stage1 tarball, and read these docs (for there are so many of each |
| 278 |
of these three that it's quite difficult to figure out which are meant |
| 279 |
for which) and you'll have a perfectly sound and stable system that is |
| 280 |
fine for use in a production server." or... "Hey Kev, we're really still |
| 281 |
hashing out problems in the Hardened Gentoo project and/or several of the |
| 282 |
subprojects, so you might want to stay away from these subprojects for |
| 283 |
now unless you want to help us test them." |
| 284 |
|
| 285 |
Could some experienced Hardened Project folks say one or the other to me? |
| 286 |
Please? I really think Gentoo is great, and I don't mind investing the |
| 287 |
time to do it up front as long as I can feel somewhat confident that I |
| 288 |
will have a system that is appropriate for a production server when I'm |
| 289 |
done. I just need to know (a) if I am reasonable to have such |
| 290 |
confidence, and (b) how to get there if so. |
| 291 |
|
| 292 |
Ed, thanks again for the long reply. If this post sounds like a rant, |
| 293 |
then I'm sorry. The bottom line is that I'm delighted with everything |
| 294 |
Gentoo has to offer, and I don't mind putting up with minor bugs here and |
| 295 |
there, but I would like to know how to proceed with setting up Hardened |
| 296 |
or if I should even try doing so with a production server. |
| 297 |
|
| 298 |
Thanks to all who read this and apologies if it sounds rantish. |
| 299 |
|
| 300 |
-- |
| 301 |
-Kevin |
| 302 |
|
| 303 |
-- |
| 304 |
gentoo-hardened@g.o mailing list |
Archives