Hi Kevin,

>Well, I saw that from the beginning. That page (above) lists all of those
>different technologies (or maybe most of them) as the subprojects of the
>Hardened Project. But knowing a little bit about how SELinux works, I
>figured that it was a fundamental part of the Hardened Project and that
>it needed to be integrated from the very beginning; during the install
>process. Plus, with SELinux being the first Subproject listed in the
>collection of Subprojects for Hardened, it lends credence to that
>impression (IMO). And under "6. Resources" on that page, I see an
>Install Guide for x86 architectures (only install guide there), so I used
>it, realizing that it was for only one subproject (SELinux) of the
>Hardened Project, but thinking that I could add in the other subprojects
>after getting a fully functional Gentoo box with SELinux support running.
>
>

I think you are getting a bit frustrated with the docs, not gentoo.
Let's just agree that the docs are "misleading", but let's focus on what I
think are the facts:

- For the purposes of argument, there are three builds of gentoo:
  Normal, hardened, and selinux.
- Your "Hardened" install guide is only for selinux.
- Hardened is basically just a normal install, but using a different set
  of compiler options (which probably means a slightly different stage1
  build, but I'm sure if you knew what you were doing you could start with
  a normal stage-1).
- Selinux seems to me to be too undeveloped if you aren't quite sure
  what is going on and prepared to fix a few things. (IMHO). Give it a
  try and see if you can live with it, otherwise come back in X months.
- Hardened seems to be the way ahead, but right now gentoo is
  transitioning from an old style tricky to use method to a new and slick
  method. Work around it, it won't be a problem in the long run.
- Selinux *only* needs to be built from stage 1 using a special boot
  disk, (I think because it needs the /selinux partition to be
  available). Everything else including hardened can be built from a
  knoppix CD, or whatever you have handy. There are stage2/3 tarballs in
  the same place you got your stage 1 tarball (and in fact there are
  Pent4, etc. hardened stages if you go up and down a few dirs.).
- To install hardened, pretty much follow the normal install I think
  (use your head though, perhaps skim the selinux install docs in case
  there are some tips there).

- *YOU CAN CONVERT ANY INSTALL TO SELINUX LATER ON....*

>The iso image that I downloaded in accordance with the Gentoo x86 SELinux
>Installation Guide
>(http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml)
>and then burned onto a CD comes right out and says something along the
>lines of: "Welcome to the Gentoo Hardened Project." I mean, I'm reading
>docs for SELinux (an apparently major subproject of the Hardened Project)
>which tell me to get an iso image, and after booting, I get a splash
>screen that states: Hardened Gentoo (cap H).
>
>
>
I'll have to check, but you got the right boot cd, but the wrong stage
install. It's all moot anyway, use ANY boot cd to install hardened and
the normal install instructions.

>(docs say Hardened can only be
>built this way, not via stage2 or 3), and some documentation.
>

They *mean* Selinux can only be built as a stage 1. There are stages
2/3 for hardened at the same link you sent earlier. (SE stages are
under experimental.)


>Exactly what is it that's bleeding edge right now? I see "bleeding edge"
>and think, "not appropriate for production servers." Is that what you
>mean? So what's bleeding edge? SELinux? All of the Hardened
>subprojects? Just some of them? Which ones?
>
>
>
Just my 2p, but selinux is only for people who know what they are doing
right now. I suggest that you get a spare box setup and start playing.
However, otherwise I suspect that too many things will go wrong.

The other stuff I *think* is ready for prime time, and even if it were
slightly buggy, it would be worth the effort. Ultimately you are
talking about a few compiler options. If stuff seems a bit weird, just
rebuild without the hardened options. Shouldn't be any worse than that.

>From
>http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml:
>================================================
>8. Stage tarballs and chroot
>
>Selecting the desired stage tarball
>
>Now, you need to decide which one you would like to use as a basis for the
>install if you have not already.
>
>Since we are compiling everything "from-scracth", as is currently required
>by the Gentoo SELinux install...                  ^^^^^^^^^^^^^^^^^^^^^^^
>================================================
>
>
>
Yes, but we agree that this is talking about the selinux stuff, not the
hardened stuff. The former means a kernel which enforces ACLs, the
latter refers to the rest of the system being built with a compiler that
adds traps for stack overflows (and a bit more...).

Yes, the docs are misleading, but nothing worse than that.

>From the Gentoo Linux Kernel Guide
>(http://www.gentoo.org/doc/en/gentoo-kernel.xml):
>================================================
>gs-sources
>
>For users to whom desktop interactive performance comes as a secondary
>priority to reliability and hardware support, we have the gs-sources. GS
>stands for Gentoo Stable (creative, aren't we?). This patch set is tuned
>and tested to provide the best support for the latest hardware and
>ensures that your mission critical servers will be up when you need them.
>================================================
>
>
>

Fair point, but I have had quite a few problems with stock kernels not
compiling with extra patches. The intent is clearly to have a stable
patch set, but at the end of the day, this kernel is composed of patch
sets sent to the kernel dev list, and then applied here. It's not
actually something that consists only of patches written by some gentoo
person. It's not a lot different really to the old -mm or -ac or -ck
kernel sets.

Perhaps try WOLK instead? This has similar goals of stability, but for
sure I have had problems compiling with certain combinations of
options... I guess that's why the real kernel tree trails these various
patch sets.

Sorry...

>No, I recently patched a plain Linux kernel from kernel.org with the
>Device Mapper patch (and some others) myself and built it and am running
>it on one of my production servers in a SuSE distro.
>
>
>

Sounds like the thing to do then. Keep it mostly stable and only apply
the patches you need. gs-sources is just this, but adding in lots more
patches...

>Well, I need to use OpenAFS for which there is currently no support in the
>2.6.x kernels.
>
>
>
Ahh. Anyone working on it? 2.6-MM has readonly, no security AFS...

>Well, see above... My first install I did a stage1 and no problems
>whatsoever. Now, I can't get gentoo-sources or gs-sources to build in a
>standard (normal) gentoo stage1 process.
>
>
>

OK, do the same again, but starting with a hardened-stage1 this time.
Should be identical, except different compiler options were used. No
different really to the way the pent4 build is different to the pent3
build... (roughly)

As for kernel: pick another one... Or roll back to a previous
version... Or build your own...

>As far as I can tell, there is no hardened install guide other than the
>SELinux install guide.
>
>
>

I think there is no reason for one yet? I would expect the docs and
situation to be changing when the new gcc goes live. Until then I think
we just need to read the list and work out what the transition is.

>What I really need is for someone with more experience than you or me to
>either say, "Hey Kev, Hardened Gentoo with SELinux and the other
>subprojects will work and this is how you do it: get this iso image, get
>this stage1 tarball, and read these docs (for there are so many of each
>of these three that it's quite difficult to figure out which are meant
>for which) and you'll have a perfectly sound and stable system that is
>fine for use in a production server." or... "Hey Kev, we're really still
>hashing out problems in the Hardened Gentoo project and/or several of the
>subprojects, so you might want to stay away from these subprojects for
>now unless you want to help us test them."
>
>
>

OK, get any boot cd, get a stage2/3 hardened image (can't see the point
of building too much stuff). Then pick a kernel that actually works
with your .config file!

You need to get one important question answered though! What to do
while the gcc ebuild transitions. Do you stick with the hardened-gcc
package, or move to the stable, or move to the testing build and work
around any problems... Not sure which is appropriate for a production
box.

I think the stable build is safest, but you will be compiling stuff without
all the hardened options, so expect to come back later and recompile
those packages. (Starting with a stage2/3 will make this easier...)

Good luck

Ed W

--
gentoo-hardened@g.o mailing list