| 1 |
On Thu, 2004-04-29 at 18:24, Ed Wildgoose wrote: |
| 2 |
> >after untarring the stage1 tarball |
| 3 |
> >(stage1-pentium4-pie-ssp-2004.0.tar.bz2), there is no |
| 4 |
> >directory /mnt/gentoo/selinux to use as a mountpoint for an selinuxfs (as |
| 5 |
> > |
| 6 |
> > |
| 7 |
> |
| 8 |
> I guess that is because you used the hardened stage 1, not the selinux |
| 9 |
> stage 1 ! I think hardened doesn't need selinux? As in they are not |
| 10 |
> equivalent (part of the same team though) |
| 11 |
> |
| 12 |
> >I used these settings (below) for my make.conf before running |
| 13 |
> >bootstrap.sh. Should I redo this step using the settings described in |
| 14 |
> >this thread? |
| 15 |
> > |
| 16 |
> > |
| 17 |
> |
| 18 |
> If you see the recent threads, Chris PeBenito has kindly written some |
| 19 |
> good advice to me about similar questions. I think the gist is that |
| 20 |
> previously there was a hardened-gcc ebuild which did all this stuff. In |
| 21 |
> the future you will use >= gcc 3.3.3-r3 and USE="hardened" to get the |
| 22 |
> same effect. But right now you need some conbination of gcc and those |
| 23 |
> flags, and perhaps some voodoo to make it all work. I got the |
| 24 |
> impression that the use flag stuff was on it's way though |
| 25 |
|
| 26 |
Correct >=gcc-3.3.3-r2 includes support. |
| 27 |
It's however not quite perfect yet and thus not ready for full |
| 28 |
production. We have a few pending things left to do and then we can make |
| 29 |
new profiles roll stages etc.. Early adopters welcome to mess around |
| 30 |
just be warned that it's not our final implementation. |
| 31 |
|
| 32 |
Documentation.. Sigh yeah I suppose you all want this, I can't blame you |
| 33 |
either. For now let me point you at the pax docs at |
| 34 |
http://pax.grsecurity.net/docs/ (READ ALL OF THIS!) then when you get |
| 35 |
done there go read http://www.trl.ibm.com/projects/security/ssp/ |
| 36 |
We really want everybody to understand the concepts of why we opt to |
| 37 |
build this way. |
| 38 |
|
| 39 |
I'll try and see if we can muster up a quick start or two in this |
| 40 |
respect when it's time for us to roll those stages. |
| 41 |
|
| 42 |
-peace |
| 43 |
|
| 44 |
> |
| 45 |
> Good luck. I'm interested to hear any better answers myself! |
| 46 |
> |
| 47 |
> Thanks |
| 48 |
> |
| 49 |
> Ed W |
| 50 |
> |
| 51 |
> -- |
| 52 |
> gentoo-hardened@g.o mailing list |
| 53 |
-- |
| 54 |
Ned Ludd <solar@g.o> |
| 55 |
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer |
Archives