1 |
>Again, thanks for the long and thoughtful reply. From it, I think I |
2 |
>discovered a part of my problem and that part lies with semantics. What |
3 |
>I mean is this: when I see someone say Hardened Gentoo Project I have |
4 |
>been thinking that this implicitly involves the SELinux subproject (not |
5 |
>as one-and-the-same, but as an implicitly included subproject). After |
6 |
>all, SELinux is clearly one of the subprojects of the Hardened Project |
7 |
>and apparently a rather major one. From your last post, I now see that |
8 |
>one can have a Hardened Gentoo System with SELinux or a Hardened Gentoo |
9 |
>system without SELinux. Or at least, I think that's right. Could you |
10 |
>confirm that? Can one also have a non-Hardened Gentoo system with |
11 |
>SELinux? Is that what one gets by strictly following the SELinux install |
12 |
>guide (no mention of special compiler or linker flags in there)? |
13 |
> |
14 |
> |
15 |
> |
16 |
Think about "Hardened" with a big "H" meaning the overall project. And |
17 |
"hardened" with a little "h" meaning something you can do to your binaries! |
18 |
|
19 |
SELinux is a set of kernel patches to enforce ACL's on files. You |
20 |
probably want this + the hardened gcc (ie "hardened" with a little |
21 |
"h"). The only complication is this flux between how the hardened gcc |
22 |
is used |
23 |
|
24 |
Actually I wonder if it might be easier to start with grsecurity in the |
25 |
kernel rather than selinux...? At least for us dumbo's who can't read |
26 |
the docs properly? I wonder if it is possible to have grsecurity in the |
27 |
kernel and also selinux...? (especially under 2.6?) |
28 |
|
29 |
>But now may I ask: should I use these flags for doing an SELinux install? |
30 |
>They are not mentioned in the SELinux install guide. But I'm trying to |
31 |
>make this system as secure as reasonably possible right now (without |
32 |
>compromising on stability) and so maybe I want a Hardened Gentoo system |
33 |
>with SELinux. If so, should I set up these flags in make.conf before I |
34 |
>run the bootstrap.sh script? |
35 |
> |
36 |
> |
37 |
|
38 |
Forget about selinux. This is independent to your gcc flags. The other |
39 |
hardened is all about gcc flags. The flags you refer too are |
40 |
"aparently" the old way to do hardened without the hardened-gcc |
41 |
compiler... (See a previous thread a few days back where it was |
42 |
explained to *me*). |
43 |
|
44 |
The suggestion I got was to upgrade to the latest stable gcc (3.3.2) and |
45 |
add -fstack-protector to your CFLAGS. Once some time has passed and |
46 |
>=gcc-3.3.3r2 is in stable then you can remove that CFLAG item and |
47 |
replace it with USE="hardened" instead. You could even do that today |
48 |
apparently, but beware some problems with the not fully tested gcc-3.3.3 |
49 |
|
50 |
So hardened and selinux appear to be complementary. The former refers |
51 |
to how you build your binaries. The later is a kernel patch. |
52 |
|
53 |
I'm going to have to stop there though because I am a beginner like |
54 |
yourself, and probably starting to give bogus advice if I go any further. |
55 |
|
56 |
Good luck |
57 |
|
58 |
Ed W |
59 |
|
60 |
-- |
61 |
gentoo-hardened@g.o mailing list |