Kerin Millar wrote:
> 2008/10/13 Matt Harrison <iwasinnamuknow@×××××××××.com>:
>> I'm still fiddling to get my firewall running smoothly on hardened/selinux
>>
>> I'm re-emerging various things but I'm seeing this:
>>
>> PIE hardening not applied, as your compiler doesn't default to PIE
>>
>
> You set the "hardened" USE flag, which is normally exported by the
> standard hardened profile and, indeed, the equivalent sub-profiles in
> the selinux namespace. This is appropriate when using - and building -
> the hardened toolchain. In the case of glibc, it installs several
> patches to aid in the generation of system-wide PIE binaries and
> facilitates SSP handling. However, you are not actually using a
> suitable instance of gcc with the correct specs activated, presumably
> because you didn't begin with a hardened stage tarball - and toolchain

Well, I installed from the stage3-hardened 2008 tarball...then I
recompiled most of it for selinux, all the time my profile was set to
selinux-hardened.

> - in the first instance (in turn, perhaps owing to the somewhat
> irregular nature of the SELinux installation process in Gentoo). The
> only supported compiler for this particular intent is gcc-3.4.6-r2 and
> you may peruse and switch between the available specs using the
> gcc-config tool.

Maybe it's defaulting to using 4.x and that isn't hardened.

> For further details, please refer to the following
> pages:
>
> http://www.gentoo.org/proj/en/hardened/primer.xml
> http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml
>
> Cheers,
>
> --Kerin
>

Thanks, I will look at them. I'm still having plenty of problems with
running network services under selinux enforced mode, but I'm trying to
sort the problems from the ground up at the moment :)

Matt
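As an added check, not part of the thread above, this is the ELF-level test behind the "PIE hardening not applied" warning: a PIE built by a hardened gcc spec is an ET_DYN object that also carries a PT_INTERP program header, a conventional executable is ET_EXEC, and a plain shared library is ET_DYN without an interpreter. The sample ELF images are constructed in memory by the `build_elf64` helper written for this example; nothing here calls gcc-config or any Gentoo tool.

```python
"""Classify an ELF image as non-PIE executable, PIE executable or shared object.
Added example: a PIE is ET_DYN *with* a PT_INTERP program header, a non-PIE
executable is ET_EXEC, a shared library is ET_DYN without PT_INTERP.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3        # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3     # p_type values

def classify_elf(data: bytes) -> str:
    """Return 'non-PIE executable', 'PIE executable', 'shared object' or 'other'."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little, 2 = big
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if data[4] == 2:                             # EI_CLASS: 2 = ELF64
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:                                        # ELF32
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    # p_type is the first 32-bit field of every program header in both classes.
    has_interp = any(
        struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum)
    )
    if e_type == ET_EXEC:
        return "non-PIE executable"
    if e_type == ET_DYN:
        return "PIE executable" if has_interp else "shared object"
    return "other"

def build_elf64(e_type: int, phdr_types: list) -> bytes:
    """Constructed test fixture: little-endian x86-64 ELF header plus bare
    program headers (only p_type set). Enough for classify_elf, not loadable."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LSB, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<II6Q", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return header + phdrs

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {classify_elf(f.read())}")
```

Compile a trivial program with the gcc that gcc-config currently selects and pass the resulting binary to the script; a "non-PIE executable" result is the condition the warning in the thread reports.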