Gentoo Archives: gentoo-hardened

From: "Anthony G. Basile" <basile@××××××××××××××.edu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] XATTR_PAX migration
Date: Tue, 10 Sep 2013 13:58:48
Message-Id: 522F25A0.9060409@opensource.dyc.edu
In Reply to: Re: [gentoo-hardened] XATTR_PAX migration by Sven Vermeulen

On 09/10/2013 09:08 AM, Sven Vermeulen wrote:
> On Sep 10, 2013 3:03 PM, "Michael Orlitzky" <michael@××××××××.com> wrote:
>>
>> On 09/10/2013 07:44 AM, Anthony G. Basile wrote:
>>> On 09/09/2013 07:45 PM, Michael Orlitzky wrote:
>>>> On 09/09/2013 05:26 PM, Anthony G. Basile wrote:
>>>>>
>>>>> You can use XT_PAX provided you're not running something like a
>>>>> tinderbox, i.e. doing massive amounts of ebuilds. The problem is that
>>>>> install is being wrapped by install.py. As a result every instance of
>>>>> install means invoking the python interpreter. With lots and lots of
>>>>> installs, this adds up to being very slow.
>>>>>
>>>>
>>>> Ok, thanks. These are all servers and installing anything is out of the
>>>> ordinary. Should I add a note about PAX_MARKINGS to the wiki, or is
>>>> there a plan to make that unnecessary (again)?
>>>>
>>>
>>> Feel free to add any documentation you guys think is lacking.
>>>
>>
>> Whoops, I don't have rights to edit the page. I wrote the blurb, though:
>>
>> 5. Update make.conf.
>>
>> To prevent warnings for non-hardened users, portage defaults to PT_PAX
>> markings when installing packages. If the migration was successful and
>> your kernel is respecting the new XATTR_PAX markings, you can tell
>> portage to use them in the future. Simply set,
>>
>> {{File|/etc/portage/make.conf||<pre>
>> PAX_MARKINGS="XT"
>> </pre>}}
>>
>> in your make.conf.
>>
>>
>
> Yes, everything under Project: namespace is only writable for developers.
>
> If the project developers don't mind end user changes the documents can be
> moved to the general location (like we did with many SELinux related
> documents).
>
> You can always put edits in your personal space and have a developer review
> and integrate if needed, but my preference is to move those documents to
> the main namespace.
>
> Wkr,
> Sven
>

Sven go ahead and make them like the SELinux docs. Is there any way to
monitor the changes, e.g. by having emails sent the way the torproject
wiki does?

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
