On Thursday 29 April 2004 19:03, Ned Ludd wrote:

> On Thu, 2004-04-29 at 18:24, Ed Wildgoose wrote:
> > > after untarring the stage1 tarball
> > > (stage1-pentium4-pie-ssp-2004.0.tar.bz2), there is no
> > > directory /mnt/gentoo/selinux to use as a mountpoint for an
> > > selinuxfs (as
> >
> > I guess that is because you used the hardened stage 1, not the
> > selinux stage 1 ! I think hardened doesn't need selinux? As in they
> > are not equivalent (part of the same team though)

Uh... sorry, but I'm confused here.

I was in the middle of reading
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?full=1 under "Is
GRP Available?" and it mentions the Gentoo Hardened project:

"The _Gentoo Hardened_ project offers their own GRP set (and stages)
focused on building a proactively secure system. Anyone looking to build
a server on the x86 architecture should investigate this option."

That last sentence describes me, so I go there...

So I follow the _Gentoo Hardened_ link which points to
http://hardened.gentoo.org from which I get redirected to
http://www.gentoo.org/proj/en/hardened/

Here I see a link: _SELinux x86 Install Guide_ which I followed.

And now I'm at that URL that I originally listed as my source of docs for
doing this install.

I started with the liveCD mentioned in that URL:

"So, how does one begin the install process? First, you will want to
decide which one of our LiveCD ISO images to grab from
http://gentoo.oregonstate.edu/experimental/x86/livecd/"

I went here, then to x86, then got the latest one,
livecd-2004.0-x86-selinux-nostages-20040227.iso

I don't see any other option there that looks likely to get me an SELinux
boot CD. Am I missing something? Seeing the fact that the filename
mentions that there are no stages, I figure I need to get a stage file, so
I download stage1-x86-pie-ssp-2004.0.tar.bz2 from
http://gentoo.oregonstate.edu/releases/x86/2004.0/stages/x86/hardened/
and use that.

Up to this point, have I gone wrong somewhere?

After this, I'm just following along in the docs that originally got me
started with Hardened, specifically,
http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml

When the docs tell me to use the stage on the CD, I ignore them (since
there are no stages and the ISO filename confirms this for me) and get my
own as above. Have I gone wrong somewhere?

And now, as I'm trying to bootstrap using the make.conf file settings that
I originally asked about, I'm getting several failures with complaints
about the LDFLAGS setting (-W,-z,...). Am I doing something wrong here
mixing Hardened and SELinux? I see they're different, but how do I build
a Gentoo system with the best security currently available (and stable)?
I would think that SELinux would be involved. Am I wrong?

<snip>

> Documentation.. Sigh yeah I suppose you all want this, I can't blame
> you either. For now let me point you at the pax docs at
> http://pax.grsecurity.net/docs/ (READ ALL OF THIS!) then when you get
> done there go read http://www.trl.ibm.com/projects/security/ssp/
> We really want everybody to understand the concepts of why we opt to
> build this way.
>
> I'll try and see if we can muster up a quick start or two in this
> respect when it's time for us to roll those stages.

Um... I'm trying to build a production server here. Should I stay away
from this stuff? It sounds like kinks and problems and documentation are
still being worked out. If I want a Gentoo server and I want it to be
providing public services on the Internet (albeit through a firewall),
what plan should I be using here (i.e., what combination of boot CD image,
stage1 tarball, and documentation URL should I be using)? I've already
uncovered a bug in the ebuild for the gs_sources kernel (involving the
Device Mapper patch) which is supposedly for production servers. I'm
starting to get the impression that Gentoo is just not ready (with or
without Hardened or SELinux) for production servers, and almost certainly
not with Hardened or SELinux. Could someone give me the skinny on this?
Am I barking up the wrong tree trying to use Gentoo to build a production
server? Though I'm no developer, I am a reasonably sophisticated Linux
geek with about 9 years doing sysadmin on Linux boxen, and I'm having
real problems here. Should I go back to SuSE? I really do like the
concept of ebuilds and portage in Gentoo, and see these as being a huge
improvement on the other distributions, but I need a stable production
server. With that as a goal, should I stay away from Gentoo for the time
being? Or maybe just stay away from Gentoo Hardened and/or SELinux for
now?

Thanks in advance for any suggestions.

--
-Kevin

--
gentoo-hardened@g.o mailing list