Chris S wrote:
> Mike Edenfield wrote:
>
>> I've never been able to get mono to build with the hardened kernel
>> extensions active. The problem, as you might have already deduced, is
>> that mono violates some of hardened's protection bits -- specifically,
>> the mono runtime tries to execute data as code. Once mono's installed
>> you can flag the binary to permit this. But during the build, a new
>> mono binary is built then run against some IL code, and it fails.
>>
>> I have always had success in building mono by keeping a separate
>> kernel around without any of the GRSEC stuff compiled in. It's a pain
>> in the ass but works. I suspect the only real 'solution' would be to
>> somehow hack up the ebuild to detect GRSEC and set the proper flags on
>> the new binary mid-build.
>
> Thank you for your reply. This makes sense. I guess the problem is that
> I need to run .net as a service on an internet visible server. I do not
> however want to remove hardened just for the sake of .net support!
> Do you think it is possible to create an entirely separate chroot
> environment on said server, from which to run apache on a non-standard
> port, which is non-hardened and has mono support?
>

You don't need to disable the GRSEC stuff to run mono --
only to build it. Once it's built and in place in the right
spot, you can disable the memory protection bits just for
the `mono` binary. You can either put GRSEC into learning
mode and build a profile that way, or just manually toggle
the bits yourself. If I recall, you need to turn off NOEXEC
or PAGEEXEC, whichever you're using, as well as SEGMEXEC for
the mono binary.

--
-- Mike
--
gentoo-hardened@g.o mailing list
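
An added example, not part of the original thread: a Python check that reads a binary's `PT_PAX_FLAGS` program header and reports which PaX protections (PAGEEXEC, SEGMEXEC, and so on) have been switched off for it, so the exemption can be confirmed as limited to the `mono` binary. It assumes the marking is stored in the `PT_PAX_FLAGS` header that paxctl manages rather than the legacy chpax marking; `pax_flags`, `relaxed` and `sample_elf64` are hypothetical names, and the ELF stub is constructed.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, program header defined by the PaX patch
# (feature, enable bit, disable bit) within that header's p_flags word
PAX_BITS = [("PAGEEXEC", 1 << 4, 1 << 5), ("SEGMEXEC", 1 << 6, 1 << 7),
            ("MPROTECT", 1 << 8, 1 << 9), ("EMUTRAMP", 1 << 12, 1 << 13),
            ("RANDMMAP", 1 << 14, 1 << 15)]

def pax_flags(elf: bytes):
    """Map each PaX feature to 'enabled', 'disabled' or 'default'; None if unmarked."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        if p_type != PT_PAX_FLAGS:
            continue
        # p_flags sits at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        return {name: "enabled" if p_flags & on else
                      "disabled" if p_flags & no else "default"
                for name, on, no in PAX_BITS}
    return None

def relaxed(elf: bytes):
    """Names of the protections explicitly switched off for this binary."""
    return [k for k, v in (pax_flags(elf) or {}).items() if v == "disabled"]

def sample_elf64(p_flags: int) -> bytes:
    """Constructed 64-bit little-endian ELF stub holding only a PT_PAX_FLAGS header."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 8)

if __name__ == "__main__":
    # Constructed marking: PAGEEXEC and SEGMEXEC off, MPROTECT and RANDMMAP on.
    stub = sample_elf64((1 << 5) | (1 << 7) | (1 << 8) | (1 << 14))
    print(pax_flags(stub), relaxed(stub))
```

Run over every executable on the host, anything other than the intended binary showing up in `relaxed` is an exemption worth reviewing.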