On Sat, Dec 10, 2011 at 02:52:04PM -0600, Matthew Thode wrote:
> As with most things gentoo, 'best' is a matter of opinion. I personally
> use grsec (includes pax) for hardening and selinux for policies. To
> convert you generally do the following.
>
> profile-config set 12 (this sets to nomultilib selinux)
> emerge system
> emerge world
>
> Since I'm paranoid, revdep-rebuild too.
If you're considering SELinux, please follow the instructions at
http://hardened.gentoo.org/selinux/selinux-handbook.xml?part=2&chap=1

There's a little more to it than emerge system/world:
- Your /tmp might need a specific mount option (in /etc/fstab)
- If you use LVM or XFS, you need to take specific measures if you want your system to boot up properly
- You need to build a SELinux-aware kernel as well
- You need to install SELinux utilities
- You need to relabel the system
etc.

That said, my opinion on a server is the same as Matthew's: use hardened with the options given (grsec, selinux) and perhaps even TPE (trusted path execution).

Also consider hardening your system settings-wise. I would appreciate it if you take a look at
http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html. With the instructions given, you can even have your system validated (as far as possible) automatically.

Wkr,
	Sven Vermeulen
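The prerequisite list in the reply above (a /tmp mount option, a SELinux-aware kernel, the userspace utilities, extra care for LVM/XFS) lends itself to a pre-flight script that checks a system before the profile switch. The following POSIX shell script is an added example; it is not part of this thread and not Gentoo's or the SELinux handbook's own tooling. It assumes that a tmpfs /tmp needs a rootcontext= mount option (the context value shown is the one the handbook documents, but treat it as an assumption here), that the kernel needs CONFIG_AUDIT, CONFIG_SECURITY_SELINUX and CONFIG_SECURITY_SELINUX_BOOTPARAM enabled, and that sestatus, setfiles and semanage represent the utilities. Each check reads a file passed as an argument, so the script runs against constructed sample fstab and kernel .config files (a weak and a corrected version of each) rather than the live system; point it at /etc/fstab and /usr/src/linux/.config to use it for real.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: pre-flight checks for the
# SELinux prerequisites listed in the reply. Each check reads the file given
# as its argument so the same functions work on constructed samples.
# Assumptions (not stated in the thread): tmpfs /tmp needs a rootcontext=
# option; the kernel needs CONFIG_AUDIT, CONFIG_SECURITY_SELINUX and
# CONFIG_SECURITY_SELINUX_BOOTPARAM built in; sestatus/setfiles/semanage
# stand for "the SELinux utilities".

# 0 when the /tmp entry of the given fstab carries a rootcontext= option.
check_tmp_fstab() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { print $4 }' "$1" | grep -q 'rootcontext='
}

# 0 when every kernel option SELinux needs is built in (=y) in the .config.
check_kernel_config() {
    for opt in CONFIG_AUDIT CONFIG_SECURITY_SELINUX CONFIG_SECURITY_SELINUX_BOOTPARAM; do
        grep -q "^${opt}=y" "$1" || return 1
    done
    return 0
}

# 0 when no fstab entry is XFS or on an LVM device (heuristic: /dev/mapper/
# or /dev/vg*). These cases are only flagged, since the handbook's extra
# steps for them cannot be verified from the fstab alone.
check_lvm_xfs() {
    ! awk '$1 !~ /^#/ && ($3 == "xfs" || $1 ~ /^\/dev\/(mapper|vg)/)' "$1" | grep -q .
}

# 0 when the SELinux userspace tools are present on PATH (live system only).
check_selinux_utils() {
    for tool in sestatus setfiles semanage; do
        command -v "$tool" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Runs the file-based checks, prints one line per check and returns the
# number of hard failures (warnings are not counted).
selinux_preflight() {
    fstab=$1; kconfig=$2; failed=0
    if check_tmp_fstab "$fstab"; then echo "ok   /tmp has a rootcontext= mount option"
    else echo "FAIL /tmp lacks rootcontext= in $fstab"; failed=$((failed + 1)); fi
    if check_kernel_config "$kconfig"; then echo "ok   kernel config has audit and SELinux enabled"
    else echo "FAIL kernel config is missing a required SELinux option"; failed=$((failed + 1)); fi
    if check_lvm_xfs "$fstab"; then echo "ok   no LVM or XFS filesystems found in fstab"
    else echo "WARN LVM or XFS in use: follow the handbook's extra steps before rebooting"; fi
    return "$failed"
}

# Constructed sample inputs (not taken from any real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fstab.good" <<'EOF'
# <fs>       <mountpoint> <type> <opts>                                                    <dump> <pass>
/dev/sda2    /            ext4   noatime                                                    0 1
tmpfs        /tmp         tmpfs  defaults,nosuid,nodev,rootcontext=system_u:object_r:tmp_t  0 0
EOF
cat > "$SAMPLE_DIR/fstab.bad" <<'EOF'
/dev/mapper/vg0-root  /     xfs    noatime   0 1
tmpfs                 /tmp  tmpfs  defaults  0 0
EOF
cat > "$SAMPLE_DIR/config.good" <<'EOF'
CONFIG_AUDIT=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
EOF
cat > "$SAMPLE_DIR/config.bad" <<'EOF'
CONFIG_AUDIT=y
# CONFIG_SECURITY_SELINUX is not set
EOF

echo "== constructed system that is ready for the switch"
selinux_preflight "$SAMPLE_DIR/fstab.good" "$SAMPLE_DIR/config.good" || true
echo "== constructed system that is not ready"
selinux_preflight "$SAMPLE_DIR/fstab.bad" "$SAMPLE_DIR/config.bad" || true
check_selinux_utils && echo "ok   SELinux utilities found on PATH" || echo "FAIL SELinux utilities missing (install them per the handbook)"
```

The relabel step has no offline check, so the script stops at the prerequisites: a system that passes these and has the utilities installed still needs the relabel before the policy is meaningful.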