| 1 |
Hi Kevin, |
| 2 |
|
| 3 |
>Well, I saw that from the beginning. That page (above) lists all of those |
| 4 |
>different technologies (or maybe most of them) as the subprojects of the |
| 5 |
>Hardened Project. But knowing a little bit about how SELinux works, I |
| 6 |
>figured that it was a fundamental part of the Hardened Project and that |
| 7 |
>it needed to be integrated from the very beginning; during the install |
| 8 |
>process. Plus, with SELinux being the first Subproject listed in the |
| 9 |
>collection of Subprojects for Hardened, it lends credence to that |
| 10 |
>impression (IMO). And under "6. Resources" on that page, I see an |
| 11 |
>Install Guide for x86 architectures (only install guide there), so I used |
| 12 |
>it, realizing that it was for only one subproject (SELinux) of the |
| 13 |
>Hardened Project, but thinking that I could add in the other subprojects |
| 14 |
>after getting a fully functional Gentoo box with SELinux support running. |
| 15 |
> |
| 16 |
> |
| 17 |
|
| 18 |
I think you are getting a bit frustrated with the docs, not gentoo. |
| 19 |
Lets just agree that the docs are "misleading", but lets focus on what I |
| 20 |
think are the facts |
| 21 |
|
| 22 |
- For the purposes of argument, there are three builds of gentoo: |
| 23 |
Normal, hardened, and selinux. |
| 24 |
- Your "Hardened" install guide is only for selinux. |
| 25 |
- Hardened is basically just a normal install, but using a different set |
| 26 |
of compiler options (which probably means a slightly different stage1 |
| 27 |
build, but I'm sure if you new what you were doing you could start with |
| 28 |
a normal stage-1). |
| 29 |
- Selinux seems to me to be too undeveloped if you aren't quite sure |
| 30 |
what is going on and prepared to fix a few things. (IMHO). Give it a |
| 31 |
try and see if you can live with it, otherwise come back in X months. |
| 32 |
- Hardened seems to be the way ahead, but right now gentoo is |
| 33 |
transitioning from an old style tricky to use method to a new and slick |
| 34 |
method. Work around it, it won't be a problem in the long run |
| 35 |
- Selinux *only* needs to be built from stage 1 using a special boot |
| 36 |
disk, (I think because it needs the /selinux partition to be |
| 37 |
available). Everything else including hardened can be built from a |
| 38 |
knoppix CD, or whatever you have handy. There are stage2/3 tarballs in |
| 39 |
the same place you got your stage 1 tarball (and in fact there are |
| 40 |
Pent4, etc hardened stages if you go up and down a few dirs.). |
| 41 |
- To install hardened, pretty much follow the normal install I think |
| 42 |
(use your head though, perhaps skim the selinux install docs in case |
| 43 |
there are some tips there) |
| 44 |
|
| 45 |
- *YOU CAN CONVERT ANY INSTALL TO SELINUX LATER ON....* |
| 46 |
|
| 47 |
>The iso image that I downloaded in accordance with the Gentoo x86 SELinux |
| 48 |
>Installation Guide |
| 49 |
>(http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml) |
| 50 |
>and then burned onto a CD comes right out and says something along the |
| 51 |
>lines of: "Welcome to the Gentoo Hardened Project." I mean, I'm reading |
| 52 |
>docs for SELinux (an apparently major subproject of the Hardened Project) |
| 53 |
>which tell me to get an iso image, and after booting, I get a splash |
| 54 |
>screen that states: Hardened Gentoo (cap H). |
| 55 |
> |
| 56 |
> |
| 57 |
> |
| 58 |
I'll have to check, but you got the right boot cd, but the wrong stage |
| 59 |
install. Its all moot anyway, use ANY boot cd to install hardened and |
| 60 |
the normal install instructions |
| 61 |
|
| 62 |
>(docs say Hardened can only be |
| 63 |
>built this way, not via stage2 or 3), and some documentation. |
| 64 |
> |
| 65 |
|
| 66 |
They *mean* Selinux can only be built as a stage 1. There are stages |
| 67 |
2/3 for hardened at the same link you sent earlier. (Se stages are |
| 68 |
under experimental) |
| 69 |
|
| 70 |
|
| 71 |
>Exactly what is it that's bleeding edge right now? I see "bleeding edge" |
| 72 |
>and think, "not appropriate for production servers." Is that what you |
| 73 |
>mean? So what's bleeding edge? SELinux? All of the Hardened |
| 74 |
>subprojects? Just some of them? Which ones? |
| 75 |
> |
| 76 |
> |
| 77 |
> |
| 78 |
Just my 2p, but selinux is only for people who know what they are doing |
| 79 |
right now. I suggest that you get a spare box setup and start playing. |
| 80 |
However, otherwise I suspect that too many things will go wrong. |
| 81 |
|
| 82 |
The other stuff I *think* is ready for prime time, and even if it were |
| 83 |
slightly buggy, it would be worth the effort. Ultimately you are |
| 84 |
talking about a few compiler options. If stuff seems a bit wierd, just |
| 85 |
rebuild without the hardened options. Shouldn't be any worse than that |
| 86 |
|
| 87 |
>From |
| 88 |
>http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml: |
| 89 |
>================================================ |
| 90 |
>8. Stage tarballs and chroot |
| 91 |
> |
| 92 |
>Selecting the desired stage tarball |
| 93 |
> |
| 94 |
>Now, you need to decide which one you would like to use as a basis for the |
| 95 |
>install if you have not already. |
| 96 |
> |
| 97 |
>Since we are compiling everything "from-scracth", as is currently required |
| 98 |
>by the Gentoo SELinux install... ^^^^^^^^^^^^^^^^^^^^^^^ |
| 99 |
>================================================ |
| 100 |
> |
| 101 |
> |
| 102 |
> |
| 103 |
Yes, but we agree that this is talking about the selinux stuff, not the |
| 104 |
hardened stuff. The former means a kernel which enforces ACLs, the |
| 105 |
later refers to the rest of the system being built with a compiler that |
| 106 |
adds traps for stack overflows (and a bit more...) |
| 107 |
|
| 108 |
Yes, the docs are misleading, but nothing worse than that. |
| 109 |
|
| 110 |
>From the Gentoo Linux Kernel Guide |
| 111 |
>(http://www.gentoo.org/doc/en/gentoo-kernel.xml): |
| 112 |
>================================================ |
| 113 |
>gs-sources |
| 114 |
> |
| 115 |
>For users to whom desktop interactive performance comes as a secondary |
| 116 |
>priority to reliability and hardware support, we have the gs-sources. GS |
| 117 |
>stands for Gentoo Stable (creative, aren't we?). This patch set is tuned |
| 118 |
>and tested to provide the best support for the latest hardware and |
| 119 |
>ensures that your mission critical servers will be up when you need them. |
| 120 |
>================================================ |
| 121 |
> |
| 122 |
> |
| 123 |
> |
| 124 |
|
| 125 |
Fair point, but I have had quite a few problems with stock kernels not |
| 126 |
compiling with extra patches. The intent is clearly to have a stable |
| 127 |
patch set, but at the end of the day, this kernel is composed of patch |
| 128 |
sets sent to the kernel dev list, and then applied here. It's not |
| 129 |
actually something that consists only of patches written by some gentoo |
| 130 |
person. It's not a lot different really to the old -mm or -ac or -ck |
| 131 |
kernel sets. |
| 132 |
|
| 133 |
Perhaps try WOLK instead? This has similar goals of stability, but for |
| 134 |
sure I have had problems compiling with certain combinations of |
| 135 |
options... I guess that's why the real kernel tree trails these various |
| 136 |
patch sets. |
| 137 |
|
| 138 |
Sorry... |
| 139 |
|
| 140 |
>No, I recently patched a plain Linux kernel from kernel.org with the |
| 141 |
>Device Mapper patch (and some others) myself and built it and am running |
| 142 |
>it on one of my production servers in a SuSE distro. |
| 143 |
> |
| 144 |
> |
| 145 |
> |
| 146 |
|
| 147 |
Sounds like the thing to do then. Keep it mostly stable and only apply |
| 148 |
the patches you need. gs-sources is just this, but adding in lots more |
| 149 |
patches... |
| 150 |
|
| 151 |
>Well, I need to use OpenAFS for which there is currently no support in the |
| 152 |
>2.6.x kernels. |
| 153 |
> |
| 154 |
> |
| 155 |
> |
| 156 |
Ahh. Anyone working on it? 2.6-MM has readonly, no security AFS... |
| 157 |
|
| 158 |
>Well, see above... My first install I did a stage1 and no problems |
| 159 |
>whatsoever. Now, I can't get gentoo-sources or gs-sources to build in a |
| 160 |
>standard (normal) gentoo stage1 process. |
| 161 |
> |
| 162 |
> |
| 163 |
> |
| 164 |
|
| 165 |
OK, do the same again, but starting with a hardened-stage1 this time. |
| 166 |
Should be identical, except different compiler options were used. No |
| 167 |
different really to the way the pent4 build is different to the pent3 |
| 168 |
build... (roughly) |
| 169 |
|
| 170 |
As for kernel. Pick another one... Or roll back to a previous |
| 171 |
version... Or build your own... |
| 172 |
|
| 173 |
>As far as I can tell, there is no hardened install guide other than the |
| 174 |
>SELinux install guide. |
| 175 |
> |
| 176 |
> |
| 177 |
> |
| 178 |
|
| 179 |
I think there is no reason for one yet? I would expect the docs and |
| 180 |
situation to be changing when the new gcc goes live. Until then I think |
| 181 |
we just need to read the list and work out what the transition is. |
| 182 |
|
| 183 |
>What I really need is for someone with more experience than you or me to |
| 184 |
>either say, "Hey Kev, Hardened Gentoo with SELinux and the other |
| 185 |
>subprojects will work and this is how you do it: get this iso image, get |
| 186 |
>this stage1 tarball, and read these docs (for there are so many of each |
| 187 |
>of these three that it's quite difficult to figure out which are meant |
| 188 |
>for which) and you'll have a perfectly sound and stable system that is |
| 189 |
>fine for use in a production server." or... "Hey Kev, we're really still |
| 190 |
>hashing out problems in the Hardened Gentoo project and/or several of the |
| 191 |
>subprojects, so you might want to stay away from these subprojects for |
| 192 |
>now unless you want to help us test them." |
| 193 |
> |
| 194 |
> |
| 195 |
> |
| 196 |
|
| 197 |
OK, get any boot cd, get a stage2/3 hardened image (can't see the point |
| 198 |
of building too much stuff). Then pick a kernel that actually works |
| 199 |
with your .config file! |
| 200 |
|
| 201 |
You need to get one important question answered though! What to do |
| 202 |
while the gcc ebuild transitions. Do you stick with hardened-gcc |
| 203 |
package, or move to the stable, or move to the testing build and work |
| 204 |
around any problems... Not sure which is appropriate for a production |
| 205 |
box. |
| 206 |
|
| 207 |
I think stable build is safest, but you will be compiling stuff without |
| 208 |
all the hardened options, so expect to come back later and recompile |
| 209 |
those packages. (Starting with a stage2/3 will make this easier...) |
| 210 |
|
| 211 |
Good luck |
| 212 |
|
| 213 |
Ed W |
| 214 |
|
| 215 |
-- |
| 216 |
gentoo-hardened@g.o mailing list |
Archives