| 1 |
Chris PeBenito wrote: |
| 2 |
|
| 3 |
>On Tue, 2004-04-27 at 08:58, Ed Wildgoose wrote: |
| 4 |
> |
| 5 |
> |
| 6 |
>>Hi I'm having some teething problems with the 2004.1 cascaded profile. |
| 7 |
>> |
| 8 |
>> |
| 9 |
> |
| 10 |
>I need to know what version of portage you are using. |
| 11 |
> |
| 12 |
> |
| 13 |
|
| 14 |
I'm using 2.0.50-r6 - which should be the latest unmasked build in portage? |
| 15 |
|
| 16 |
I couldn't bootstrap at all with the cascaded profiles, |
| 17 |
bootstrap-cascade.sh would only pickup about 4-5 of the packages, and |
| 18 |
then the script would drop out fairly soon with a portage message asking |
| 19 |
me what to do (presumably the script fed in the empty package, and hence |
| 20 |
the error) |
| 21 |
|
| 22 |
So what I had to do to bootstrap was use the selinux-1.4, and then |
| 23 |
switch back to 2004.1 profile before doing the emerge system. This |
| 24 |
however, didn't work completely - a whole host of packages werent merged |
| 25 |
and I had to write a little script to go through everything in |
| 26 |
profiles/base/packages and check they were actually installed (it left |
| 27 |
me without stuff like ifconfig and other essential tools). However, |
| 28 |
probably a symptom of the same thing, I still have problems emerging |
| 29 |
stuff with a virtual dependency, seems like it isn't finding that base |
| 30 |
directory |
| 31 |
|
| 32 |
Any ideas? |
| 33 |
|
| 34 |
>>compiling (I'm assuming that everything is given as compiler flags now, |
| 35 |
>>so there should be no issues mixing selinux and normal machines with |
| 36 |
>>distcc...?) If not, then is there an easy way to enable this? |
| 37 |
>> |
| 38 |
>> |
| 39 |
> |
| 40 |
>SELinux doesn't care about distcc, just as long as you have it's policy |
| 41 |
>(which should be installed when you merge distcc on a SELinux machine). |
| 42 |
>If you're using hardened gcc, then thats a different story; all of the |
| 43 |
>machines need to have the same version gcc and hardened gcc. |
| 44 |
> |
| 45 |
> |
| 46 |
|
| 47 |
OK, I am confusing selinux with hardened, but what I meant to write was |
| 48 |
that I want a hardened + selinux machine. The docs have suddenly got |
| 49 |
really confused about what hardened means now... At one point you needed |
| 50 |
hardened-gcc, however, right now the hardened gcc appears to be |
| 51 |
deprecated and not in use? Apparently you just need to "use hardened" |
| 52 |
to get the same effect...? I added -fstack-protector to my CFLAGS to |
| 53 |
try and make sure that it is happening as widely as possible though (is |
| 54 |
this sensible). |
| 55 |
|
| 56 |
It's really not clear what needs to be done to get a "hardened" system |
| 57 |
right now? For example, do we need any other flags adding to |
| 58 |
make.conf...? Any chance of a pointer to some updated advice? This is |
| 59 |
my first bash with "hardened", so I'm still rather wet around the ears |
| 60 |
and unsure what I will actually be getting (but I needed to rebuild my |
| 61 |
webserver, so it seems like a good thing to investigate...) |
| 62 |
|
| 63 |
Thanks |
| 64 |
|
| 65 |
Ed W |
| 66 |
|
| 67 |
-- |
| 68 |
gentoo-hardened@g.o mailing list |
Archives