Greetings,

I am looking to build a new Opteron server soon, and I want to look at
securing it with SELinux (and 64bit only).

Due to my own ignorance, I am a little confused as to the differences
between the Hardened project and SELinux, PaX, GRSecurity etc.

My feeling is that the hardened project is really a collection of
like-minded security projects (i.e. selinux, grsecurity, pax),
and that using the hardened USE flag, binaries that support it will
build with hardened security features.

As I am building this new 64bit Opteron system from scratch, where
should I start? What stage tarball should I be using? What livecd?

Most importantly, what profile do I use?
profiles/hardened/amd64/ or profiles/selinux/2005.1/amd64/ ?

Should I be using the selinux USE flag these days, or is that
deprecated in favour of the selinux profile? Should I have both?

My guess is that I should use a PaX enabled kernel with SELinux, or
perhaps GRSecurity, or even both.

Any pointers to get me started would be most appreciated.

Update:
I have tried using stage3-x86-hardened-2005.0 with both hardened and
selinux profiles. At various stages it complains about either multilib
or some 32bit libraries that the system is expecting. I could not get it
to work with the selinux profile.

However, the last thing I have tried seems promising - it's the
/usr/portage/profiles/hardened/amd64/ profile.
It stops at a bug for libperl:

oio.c:37: error: conflicting types for 'shmat'
/usr/include/sys/../gentoo-multilib/default/sys/shm.h:58: error:
previous declaration of 'shmat' was here
doio.c:37: error: conflicting types for 'shmat'
/usr/include/sys/../gentoo-multilib/default/sys/shm.h:58: error:
previous declaration of 'shmat' was here
make: *** [doio.o] Error 1

It is a known bug that prevents libperl from compiling on a non-multilib
system, and at present there is no fix :(

There is no stage3 amd64 hardened/selinux tarball that I can find. Am I
barking up the wrong tree?

Cheers and thanks for your time,

Chris

--
gentoo-hardened@g.o mailing list