| 1 |
>Again, thanks for the long and thoughtful reply. From it, I think I |
| 2 |
>discovered a part of my problem and that part lies with semantics. What |
| 3 |
>I mean is this: when I see someone say Hardened Gentoo Project I have |
| 4 |
>been thinking that this implicitly involves the SELinux subproject (not |
| 5 |
>as one-and-the-same, but as an implicitly included subproject). After |
| 6 |
>all, SELinux is clearly one of the subprojects of the Hardened Project |
| 7 |
>and apparently a rather major one. From your last post, I now see that |
| 8 |
>one can have a Hardened Gentoo System with SELinux or a Hardened Gentoo |
| 9 |
>system without SELinux. Or at least, I think that's right. Could you |
| 10 |
>confirm that? Can one also have a non-Hardened Gentoo system with |
| 11 |
>SELinux? Is that what one gets by strictly following the SELinux install |
| 12 |
>guide (no mention of special compiler or linker flags in there)? |
| 13 |
> |
| 14 |
> |
| 15 |
> |
| 16 |
Think about "Hardened" with a big "H" meaning the overall project. And |
| 17 |
"hardened" with a little "h" meaning something you can do to your binaries! |
| 18 |
|
| 19 |
SELinux is a set of kernel patches to enforce ACL's on files. You |
| 20 |
probably want this + the hardened gcc (ie "hardened" with a little |
| 21 |
"h"). The only complication is this flux between how the hardened gcc |
| 22 |
is used |
| 23 |
|
| 24 |
Actually I wonder if it might be easier to start with grsecurity in the |
| 25 |
kernel rather than selinux...? At least for us dumbo's who can't read |
| 26 |
the docs properly? I wonder if it is possible to have grsecurity in the |
| 27 |
kernel and also selinux...? (especially under 2.6?) |
| 28 |
|
| 29 |
>But now may I ask: should I use these flags for doing an SELinux install? |
| 30 |
>They are not mentioned in the SELinux install guide. But I'm trying to |
| 31 |
>make this system as secure as reasonably possible right now (without |
| 32 |
>compromising on stability) and so maybe I want a Hardened Gentoo system |
| 33 |
>with SELinux. If so, should I set up these flags in make.conf before I |
| 34 |
>run the bootstrap.sh script? |
| 35 |
> |
| 36 |
> |
| 37 |
|
| 38 |
Forget about selinux. This is independent to your gcc flags. The other |
| 39 |
hardened is all about gcc flags. The flags you refer too are |
| 40 |
"aparently" the old way to do hardened without the hardened-gcc |
| 41 |
compiler... (See a previous thread a few days back where it was |
| 42 |
explained to *me*). |
| 43 |
|
| 44 |
The suggestion I got was to upgrade to the latest stable gcc (3.3.2) and |
| 45 |
add -fstack-protector to your CFLAGS. Once some time has passed and |
| 46 |
>=gcc-3.3.3r2 is in stable then you can remove that CFLAG item and |
| 47 |
replace it with USE="hardened" instead. You could even do that today |
| 48 |
apparently, but beware some problems with the not fully tested gcc-3.3.3 |
| 49 |
|
| 50 |
So hardened and selinux appear to be complementary. The former refers |
| 51 |
to how you build your binaries. The later is a kernel patch. |
| 52 |
|
| 53 |
I'm going to have to stop there though because I am a beginner like |
| 54 |
yourself, and probably starting to give bogus advice if I go any further. |
| 55 |
|
| 56 |
Good luck |
| 57 |
|
| 58 |
Ed W |
| 59 |
|
| 60 |
-- |
| 61 |
gentoo-hardened@g.o mailing list |
Archives