| 1 |
Matt Harrison wrote: |
| 2 |
> Kerin Millar wrote: |
| 3 |
>> 2008/10/13 Matt Harrison <iwasinnamuknow@×××××××××.com>: |
| 4 |
>>> I'm still fiddling to get my firewall running smoothly on hardened/selinux |
| 5 |
>>> |
| 6 |
>>> I'm re-emerging various things but I'm seeing this: |
| 7 |
>>> |
| 8 |
>>> PIE hardening not applied, as your compiler doesn't default to PIE |
| 9 |
>>> |
| 10 |
>> You set the "hardened" USE flag, which is normally exported by the |
| 11 |
>> standard hardened profile and, indeed, the equivalent sub-profiles in |
| 12 |
>> the selinux namespace. This is appropriate when using - and building - |
| 13 |
>> the hardened toolchain. In the case of glibc, it installs several |
| 14 |
>> patches to aid in the generation of system-wide PIE binaries and |
| 15 |
>> facilitates SSP handling. However, you are not actually using a |
| 16 |
>> suitable instance of gcc with the correct specs activated, presumably |
| 17 |
>> because you didn't begin with a hardened stage tarball - and toolchain |
| 18 |
> |
| 19 |
> Well I installed from the stage3-hardened 2008 tarball...then I |
| 20 |
> recompiled most of it for selinux, all the time my profile was set to |
| 21 |
> selinux-hardened. |
| 22 |
> |
| 23 |
>> - in the first instance (in turn, perhaps owing to the somewhat |
| 24 |
>> irregular nature of the SELinux installation process in Gentoo). The |
| 25 |
>> only supported compiler for this particular intent is gcc-3.4.6-r2 and |
| 26 |
>> you may peruse and switch between the available specs using the |
| 27 |
>> gcc-config tool. |
| 28 |
> |
| 29 |
> Maybe it's defaulting to using 4.x and that isn't hardened. |
| 30 |
|
| 31 |
That's exactly what was happening, I've set my profile to 3.4.6-r2 and |
| 32 |
I'm not getting those messages any more. I'm going to emerge -e world |
| 33 |
tonight and see if that helps out some of the other problems I'm having. |
| 34 |
|
| 35 |
Thanks Kerin |
| 36 |
|
| 37 |
Matt |
Archives