2008/10/13 Matt Harrison <iwasinnamuknow@×××××××××.com>:
> I'm still fiddling to get my firewall running smoothly on hardened/selinux
>
> I'm re-emerging various things but I'm seeing this:
>
> PIE hardening not applied, as your compiler doesn't default to PIE
>

You set the "hardened" USE flag, which is normally exported by the
standard hardened profile and, indeed, the equivalent sub-profiles in
the selinux namespace. This is appropriate when using - and building -
the hardened toolchain. In the case of glibc, it installs several
patches to aid in the generation of system-wide PIE binaries and
facilitates SSP handling. However, you are not actually using a
suitable instance of gcc with the correct specs activated, presumably
because you didn't begin with a hardened stage tarball - and toolchain
- in the first instance (in turn, perhaps owing to the somewhat
irregular nature of the SELinux installation process in Gentoo). The
only supported compiler for this particular intent is gcc-3.4.6-r2 and
you may peruse and switch between the available specs using the
gcc-config tool. For further details, please refer to the following
pages:

http://www.gentoo.org/proj/en/hardened/primer.xml
http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml

Cheers,

--Kerin
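The warning quoted above is the ebuild's way of saying the active gcc does not emit position-independent executables unless told to. A quick way to confirm that for yourself, before or after switching specs with gcc-config, is to compile a trivial program with no flags and look at the ELF header: a PIE links as ET_DYN (e_type 3), a conventional executable as ET_EXEC (e_type 2). The script below is an added example, not code from this thread or from the Gentoo hardened project; it assumes only a C compiler and od(1), and the gcc-config invocations in the comments are the tool's documented list/show/select forms, with the spec names given as illustrations of what a hardened 3.4.x toolchain typically offers rather than a guarantee of what any given system lists.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): does the active compiler
# default to PIE? Compile a trivial program with no hardening flags and read
# the ELF e_type field. Returns "pie", "no-pie" or "unknown" on stdout.
default_pie_status() {
    cc="${1:-gcc}"
    tmp="$(mktemp -d)" || return 1
    printf 'int main(void){return 0;}\n' > "$tmp/t.c"
    # Deliberately no -fPIE/-pie: we want the compiler's built-in specs,
    # which on a Gentoo hardened toolchain come from the gcc-config selection.
    if ! "$cc" -o "$tmp/t" "$tmp/t.c" 2>/dev/null; then
        rm -rf "$tmp"
        echo "unknown"
        return 0
    fi
    # e_type is the 2-byte field at offset 16 of the ELF header.
    # Assumes a little-endian host (x86/amd64); 3 = ET_DYN, 2 = ET_EXEC.
    etype="$(od -An -t u2 -j 16 -N 2 "$tmp/t" | tr -d ' ')"
    rm -rf "$tmp"
    case "$etype" in
        3) echo "pie" ;;
        2) echo "no-pie" ;;
        *) echo "unknown" ;;
    esac
}

# Report the currently selected gcc-config profile, or "unavailable" when
# the tool is not installed (e.g. on a non-Gentoo host running this script).
active_gcc_profile() {
    if command -v gcc-config >/dev/null 2>&1; then
        gcc-config -c 2>/dev/null || echo "unavailable"
    else
        echo "unavailable"
    fi
}

# Interpreting the result on a hardened/selinux box (commands shown as
# comments because they only make sense on a Gentoo system):
#   gcc-config -l                 # list installed profiles / specs, e.g.
#                                 #   [1] x86_64-pc-linux-gnu-3.4.6 *
#                                 #   [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
#                                 #   [3] x86_64-pc-linux-gnu-3.4.6-vanilla
#                                 # (names are illustrative; the plain
#                                 #  profile is the one with PIE + SSP)
#   gcc-config 1                  # select by number (or by full name)
#   source /etc/profile           # pick up the new wrapper in this shell
# If default_pie_status still prints "no-pie" after selecting the plain
# hardened profile, the installed gcc was not built as a hardened toolchain
# and the "hardened" USE flag is being applied to a compiler that cannot
# honour it, which is exactly the situation the ebuild warning describes.

echo "active profile: $(active_gcc_profile)"
echo "default PIE:    $(default_pie_status "${CC:-gcc}")"
```

Run it as-is on the system in question; "pie" means the ebuild warning should not reappear on the next emerge, while "no-pie" with a hardened profile selected points at a non-hardened gcc build rather than at a wrong gcc-config choice.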