| 1 |
On Thursday 29 April 2004 19:03, Ned Ludd wrote: |
| 2 |
> On Thu, 2004-04-29 at 18:24, Ed Wildgoose wrote: |
| 3 |
> > >after untarring the stage1 tarball |
| 4 |
> > >(stage1-pentium4-pie-ssp-2004.0.tar.bz2), there is no |
| 5 |
> > >directory /mnt/gentoo/selinux to use as a mountpoint for an |
| 6 |
> > > selinuxfs (as |
| 7 |
> > |
| 8 |
> > I guess that is because you used the hardened stage 1, not the |
| 9 |
> > selinux stage 1 ! I think hardened doesn't need selinux? As in they |
| 10 |
> > are not equivalent (part of the same team though) |
| 11 |
|
| 12 |
Uh... sorry, but I'm confused here. |
| 13 |
|
| 14 |
I was in the middle of reading |
| 15 |
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?full=1 under "Is |
| 16 |
GRP Available?" and it mentions the Gentoo Hardened project: |
| 17 |
|
| 18 |
"The _Gentoo Hardened_ project offers their own GRP set (and stages) |
| 19 |
focused on building a proactively secure system. Anyone looking to build |
| 20 |
a server on the x86 architecture should investigate this option." |
| 21 |
|
| 22 |
That last sentence describes me, so I go there... |
| 23 |
|
| 24 |
So I follow the _Gentoo Hardened_ link which points to |
| 25 |
http://hardened.gentoo.org from which I get redirected to |
| 26 |
http://www.gentoo.org/proj/en/hardened/ |
| 27 |
|
| 28 |
Here I see a link: _SELinux x86 Install Guide_ which I followed. |
| 29 |
|
| 30 |
And now I'm at that URL that I originally listed as my source of docs for |
| 31 |
doing this install. |
| 32 |
|
| 33 |
I started with the liveCD mentioned in that URL: |
| 34 |
|
| 35 |
"So, how does one begin the install process? First, you will want to |
| 36 |
decide which one of our LiveCD ISO images to grab from |
| 37 |
http://gentoo.oregonstate.edu/experimental/x86/livecd/" |
| 38 |
|
| 39 |
I went here, then to x86, then got the latest one, |
| 40 |
livecd-2004.0-x86-selinux-nostages-20040227.iso |
| 41 |
|
| 42 |
I don't see any other option there that looks likely to get me an SELinux |
| 43 |
boot CD. Am I missing something? Seeing the fact that the filename |
| 44 |
mentions that there are no stages, I figure I need to get a stage file so |
| 45 |
I download stage1-x86-pie-ssp-2004.0.tar.bz2 from |
| 46 |
http://gentoo.oregonstate.edu/releases/x86/2004.0/stages/x86/hardened/ |
| 47 |
and use that. |
| 48 |
|
| 49 |
Up to this point, have I gone wrong somewhere? |
| 50 |
|
| 51 |
After this, I'm just following along in the docs that originally got me |
| 52 |
started with Hardened, specifically, |
| 53 |
http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml |
| 54 |
|
| 55 |
When the docs tell me to use the stage on the cd, I ignore them (since |
| 56 |
there are no stages and the iso filename confirms this for me) and get my |
| 57 |
own as above. Have I gone wrong somewhere? |
| 58 |
|
| 59 |
And now, as I'm trying to bootstrap using the make.conf file settings that |
| 60 |
I originally asked about, I'm getting several failures with complaints |
| 61 |
about the LDFLAGS setting (-W,-z,...). Am I doing something wrong here |
| 62 |
mixing Hardened and SELinux? I see they're different, but how do I build |
| 63 |
a Gentoo system with the best security currently available (and stable). |
| 64 |
I would think that SELinux would be involved. Am I wrong? |
| 65 |
|
| 66 |
<snip> |
| 67 |
|
| 68 |
> Documentation.. Sigh yeah I suppose you all want this, I can't blame |
| 69 |
> you either. For now let me point you at the pax docs at |
| 70 |
> http://pax.grsecurity.net/docs/ (READ ALL OF THIS!) then when you get |
| 71 |
> done there go read http://www.trl.ibm.com/projects/security/ssp/ |
| 72 |
> We really want everybody to understand the concepts of why we opt to |
| 73 |
> build this way. |
| 74 |
> |
| 75 |
> I'll try and see if we can muster up a quick start or two in this |
| 76 |
> respect when it's time for us to roll those stages. |
| 77 |
|
| 78 |
Um... I'm trying to build a production server here. Should I stay away |
| 79 |
from this stuff? It sounds like kinks and problems and documentation are |
| 80 |
still being worked out. If I want a Gentoo server and I want it to be |
| 81 |
providing public services on the Internet (albeit through a firewall), |
| 82 |
what plan should I be using here (ie, what combination of boot CD image, |
| 83 |
stage1 tarball, and documentation URL should I be using?)? I've already |
| 84 |
uncovered a bug in the ebuild for the gs_sources kernel (involving the |
| 85 |
Device Mapper patch) which is supposedly for production servers. I'm |
| 86 |
starting to get the impression that Gentoo is just not ready (with or |
| 87 |
without Hardened or SELinux) for production servers, and almost certainly |
| 88 |
not with Hardened or SELinux. Could someone give me the skinny on this? |
| 89 |
Am I barking up the wrong tree trying to use Gentoo to build a production |
| 90 |
server? Though I'm no developer, I am a reasonably sophisticated Linux |
| 91 |
geek with about 9 years doing sysadmin on Linux boxen, and I'm having |
| 92 |
real problems here. Should I go back to SuSE? I really do like the |
| 93 |
concept of ebuilds and portage in Gentoo, and see these as being a huge |
| 94 |
improvement on the other distributions, but I need a stable production |
| 95 |
server. With that as a goal, should I stay away from Gentoo for the time |
| 96 |
being? Or maybe just stay away from Gentoo Hardened and/or SELinux for |
| 97 |
now? |
| 98 |
|
| 99 |
Thanks in advance for any suggestions. |
| 100 |
|
| 101 |
|
| 102 |
-- |
| 103 |
-Kevin |
| 104 |
|
| 105 |
-- |
| 106 |
gentoo-hardened@g.o mailing list |
Archives