At first thanks to Brendlefly62 for his docs.
https://wiki.gentoo.org/wiki/User:Brendlefly62/Radxa_ROCK_Pi_4C_Plus/Build-Install-Kernel
https://wiki.gentoo.org/wiki/User:Brendlefly62/Radxa_ROCK_Pi_4C_Plus/Build-Install-U-Boot
Installing a Gentoo hardened with an RSBAC-patched kernel in a
On Fri, 2022-08-05 at 16:56 +0800, Turritopsis Dohrnii Teo En Ming
wrote:
>
> Good day from Singapore,
>
> Where can I download security hardened version of Gentoo?
>
There is no specific hardened version to download. When installing
Gentoo, you normally download and extract a generic system im
Subject: Where can I download security hardened version of Gentoo?
Good day from Singapore,
Where can I download security hardened version of Gentoo?
Thank you.
Regards,
Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
5 Aug 2022 Friday
Blogs:
https://tdtemcerts.blogspot.co
IcedTea has effective treatment for compiling on PaX/grsec systems, but is
getting outdated.
OpenJDK is moving ahead, and although the current ebuilds label the compiled
binaries well for PaX/grsec systems, I still need to manually label
executables 4 times to make the packages compile.
Based on the sugge
Hi there,
I'm not sure this is the right mailing list given the archive doesn't show much
activity, but based on the project docs it's suggested to email this mailing
list first.
I've got a generally functional
`default/linux/amd64/17.1/no-multilib/hardened/selinux` system working, but
there
test
Hi folks,
I have a couple of AMD AM1 systems, similar Kabinis (well, 3).
I decided to switch all of them from the hardened to the hardened/selinux
profile (with systemd already on board).
After the conversion, I managed to persuade two of them to boot and work
normally within strict-enforcing mode.
Th
Hi all,
I have a couple of cheap small machines (AMD Kabinis on AM1 boards,
cheap and old, but still interesting stuff) that I tried to convert from
the hardened profile to hardened/selinux.
On two out of three, it works.
On a third one, I always boot into the SELinux-disabled state (as
rep
On including RAP: it would be great, but RAP is a commercial product: while
it's probably possible to enable its use in Gentoo for people who are customers
of Open Source Security's (assuming one of the customers for RAP is also a
member of the gentoo-hardened project or can become one, so
-8057
Attila Toth MD, Radiologist, +36-20-825-8057
On 2019 February 24 (Sun) 19:18, Javier Juan Martinez Cabezon wrote:
>
> Would it be feasible to include the grsec RAP gcc plugin in Gentoo Hardened?
>
> I think it would be a better alternative than fcf-protection
Would it be feasible to include the grsec RAP gcc plugin in Gentoo Hardened?
I think it would be a better alternative than fcf-protection
On 24/02/19 16:16, "Tóth Attila" wrote:
> Dear Guillaume,
>
> I'm not a Gentoo Dev either.
>
> If there's
Dear Guillaume,
I'm not a Gentoo Dev either.
If there's a place to promote useful gcc flags from their security aspect,
Gentoo Hardened is a good place to become a leader of such efforts - like
it happened in the past.
1. Regarding fcf-protection:
"Currently the x86 GNU/Linux tar
Hello gentoo-hardened,
I just looked into the release notes for the recently-released GCC 8.3.0
present in ~arch, and two items grabbed my attention:
1. The addition of a -fcf-protection=[full|branch|return|none] flag to help
with control flow integrity
2. The addition of -fstack-clash
On Mon, 14 Jan 2019, at 22:38, gentoo-hardened+h...@lists.gentoo.org wrote:
>
>
> Somebody (and we hope it was you) has requested that the email address
> be removed from the list.
>
> To confirm you want to do this, please send a message to
>
> which can usually be
https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
"Fixes for the issue are in the upstream stable releases 4.18.9,
4.14.71, 4.9.128, 4.4.157 and 3.16.58."
Is there any plan to unmask 4.14.71?
On Thu, 27/09/2018 at 15:45 +0200, Hanno Böck wrote:
> On Fri, 21 Sep 2018 00:16:48 +0100
> Luis Ressel wrote:
>
> > On Wed, 19 Sep 2018 09:24:27 +0200
> > Hanno Böck wrote:
> >
> > > If the flag just disables assembly optimizations then I wonder if
> > > it
> > > should be renamed (or if we need
On Fri, 21 Sep 2018 00:16:48 +0100
Luis Ressel wrote:
> On Wed, 19 Sep 2018 09:24:27 +0200
> Hanno Böck wrote:
>
> > If the flag just disables assembly optimizations then I wonder if it
> > should be renamed (or if we need it at all - in case these assembly
> > optimizations have no downsides).
On Wed, 19 Sep 2018 09:24:27 +0200
Hanno Böck wrote:
> If the flag just disables assembly optimizations then I wonder if it
> should be renamed (or if we need it at all - in case these assembly
> optimizations have no downsides).
Many (all?) of the ebuilds with this flag do indeed only disable
a
Hi,
One of the differences between gentoo standard and hardened profiles is
the pic use flag.
I wonder what it does and if it has any meaning these days. From what I
understand in any modern-day Linux system position independent code
(pic) is always used, as we have ASLR and pie executables (in G
On Sun, Sep 2, 2018 at 2:25 PM, Guillaume Ceccarelli
wrote:
> As far as I know, official grsecurity is the only game in town now. I can’t
> comment on their pricing for personal use. You might want to get in touch and
> ask them if you haven’t done so recently.
They currently do not offer a pro
Hi,
the last publicly available version of PaX / grsecurity will probably
never be ported to work with the Meltdown / Spectre fixes.
The only option is to use minipli's last release (4.9.74) and port all
non-spectre related fixes from upstream's 4.9 branch [1] to it. However
you should only r
In minipli's GitHub branch, in the issues, someone ported changes up to 4.9.105.
However, without the Spectre and Meltdown fixes. You should write to the grsecurity
team about a personal license. If they receive many letters, maybe they
will make such a license available.
Sun, 2 Sep 2018, 11:43, Alex Efros:
>
Hey Alex,
As far as I know, official grsecurity is the only game in town now. I can’t
comment on their pricing for personal use. You might want to get in touch and
ask them if you haven’t done so recently.
– Guillaume Ceccarelli
> On 2 Sep 2018, at 10:42, Alex Efros wrote:
>
> Hi!
>
>> On
Hi!
On Sat, Apr 14, 2018 at 12:33:55AM +, Ren Nyo wrote:
> I contacted minipli, and he said that unofficial grsecurity kernel is
> frozen. So we should not wait for him to port KPTI and Meltdown.
Looks like there is no progress so far. :(
Is there any other options how to get kernel newer th
Hey Ren,
That’s too bad about minipli, but that’s understandable, especially considering
the amount of work.
I can’t comment on the level of support, but Gentoo has always been about
providing users with choices, so I don’t think your patches should be rejected.
There’s still a pax_kernel use
I contacted minipli, and he said that unofficial grsecurity kernel is
frozen. So we should not wait for him to port KPTI and Meltdown.
Is the hardened toolchain still supported by the community?
I successfully compiled with gcc 7.3.0 on the 17.0 profile with virtualbox 5.2.8
and nvidia-drivers 390.42, but had to
On 30/03/18 17:55, R0b0t1 wrote:
Is there any way for you to try again while presenting yourself as a
business? In some jurisdictions saying you are a business is all it
takes to start a sole proprietorship. Otherwise, just pretend you are
affiliated with a (legally fictional) business.
Its mor
On Fri, Mar 30, 2018 at 10:37 AM, Robert Sharp
wrote:
> I requested a quote from GRsecurity and they told me that although they are
> looking at providing a package for personal customers they don't have one at
> the moment. They recommended minipli as the next best thing...
>
Is there any way fo
I see… I’m sorry to hear that.
The grsecurity-sources overlay seems to be tracking minipli’s unofficial port.
So that’s what you already got as a recommendation, with the convenience of
ebuilds to match.
It looks like the latest release from minipli’s is based off of Linux 4.9.74
(early Januar
I requested a quote from GRsecurity and they told me that although they
are looking at providing a package for personal customers they don't
have one at the moment. They recommended minipli as the next best thing...
What about the grsecurity-source overlay?
On 29/03/18 11:47, Guillaume Ceccare
Hi all,
I’ve been a grsecurity customer for a little over two years now, and my use of
it is as a small business, on Gentoo server installations. While I can’t
disclose the amount of money I’m paying publicly because every deal is
customized, I would encourage you to get in touch using the cont
On Wed, Mar 28, 2018 at 12:40 PM, Alex Efros wrote:
> Hi!
>
> On Wed, Mar 28, 2018 at 06:06:00PM +0100, Robert Sharp wrote:
>> Does anyone know of a good, post GRSecurity guide to reasonable security
>> for the kernel? In the absence of anything else I will have to go back
>> to the KSPP list and
Hi!
On Wed, Mar 28, 2018 at 06:06:00PM +0100, Robert Sharp wrote:
> Does anyone know of a good, post GRSecurity guide to reasonable security
> for the kernel? In the absence of anything else I will have to go back
> to the KSPP list and start removing stuff until I can get a stable kernel.
I'm
Hi,
I still have hardened-sources running on one PC and I keep trying to
compile a replacement gentoo-sources with as much hardening as I can,
but I haven't found anything to help me that actually works. There are
some guides on the Internet but most of the them are quite old (still
grsecurit
https://clearlinux.org/blogs/recent-gnu-c-library-improvements
Some optimization, but some have security aspect as well.
BR: Dw.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
On 2018 January 18 (Thu) 02:20, Magnus Granberg wrote:
> On Wednesday 17 January 2018 at 13:27:25 CET, Tóth Attila wrote:
>> I've just come across a Fedora 28 memo about hardening their flags:
>> https://fedoraproject.org/wiki/Changes/HardeningFlags28
>> 1. -fstack-clash-protection
>> 2. -fcf-p
: -D_GLIBCXX_ASSERTIONS
>
> According to the builtin specs these are not in current use for
> sys-devel/gcc-7.2.
>
> It may be worth considering moving in the same direction as Fedora. Wouldn't it
> be a shame if a regular non-rolling distro made use of harder flags
> comp
l/gcc-7.2.
It may be worth considering moving in the same direction as Fedora. Wouldn't it
be a shame if a regular non-rolling distro made use of harder flags
compared to Gentoo Hardened?
BR: Dw.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
On 15/12/17 14:49, Michael Orlitzky wrote:
On 12/15/2017 06:09 AM, Robert Sharp wrote:
MISSING="berkdb gdbm tcpd ptpax session dri urandom"
Is this a deliberate change or are they actually missing?
These are all intentional, but perhaps with an unintended side effect.
The default/linux profil
On 12/15/2017 06:09 AM, Robert Sharp wrote:
>
> MISSING="berkdb gdbm tcpd ptpax session dri urandom"
>
> Is this a deliberate change or are they actually missing?
>
These are all intentional, but perhaps with an unintended side effect.
The default/linux profile sets,
USE="berkdb crypt ipv6 n
I have moved PCs from 'hardened/linux/amd64' to
'default/linux/amd64/17.0/hardened' and 'hardened/linux/amd64/selinux'
to 'default/linux/amd64/17.0/hardened/selinux' and found it necessary to
add the following use flags to avoid countless re-emerges:
MISSING="berkdb gdbm tcpd ptpax session dr
On 07/12/2017 13:59, ckard wrote:
As you can figure out from /profiles/profiles.desc,
the hardened sub-profile for 17.0 is only available for the amd64 architecture,
but even that is marked as dev and not stable.
I had assumed it was ok since it hit the official tree and was a natural
upgrade,
As you can figure out from /profiles/profiles.desc, the hardened
sub-profile for 17.0 is only available for the amd64 architecture, but even that
is marked as dev and not stable.
So, for now just stay with old stable hardened profiles.
On Thu, Dec 7, 2017 at 2:48 PM, wrote:
> I tried switching to the
I tried switching to the vanilla profile but it is indeed vanilla, the
hardened use flag was disabled. For the time being I'm staying with the
old profile, is the new one in the works?
I tried to create this myself and nothing terrible happened. First, I
created the new directory,
profiles/default/linux/amd64/17.0/hardened/no-multilib (1)
So, first question: is there a preference between the two choices there,
either "17.0/hardened/no-multilib" or "17.0/no-multilib/
On 12/02/2017 06:50 AM, Sven Vermeulen wrote:
> On the chat it was noticed that we don't have a hardened/selinux profile
> anymore. Is it OK if I add it, with a parent of
The no-multilib (sub)profile didn't make it over either...
Sounds good to me. I'm traveling so great if you can do it :-)
On Dec 2, 2017 17:20, "Sven Vermeulen" wrote:
> On the chat it was noticed that we don't have a hardened/selinux profile
> anymore. Is it OK if I add it, with a parent of
> ..
> ../../../../../features/selinux
>
> This is for (pr
On the chat it was noticed that we don't have a hardened/selinux profile
anymore. Is it OK if I add it, with a parent of
..
../../../../../features/selinux
This is for (profiles)/default/linux/amd64/17.0/hardened/selinux then.
Wkr,
Sven Vermeulen
Hi!
On Sat, Sep 09, 2017 at 11:23:46AM +0200, "Tóth Attila" wrote:
> I don't use docker myself, but if we are speaking about
> CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, it would
> be important to know what GID is specified in CONFIG_GRKERNSEC_PROC_GID?
It's 3 (group "sys").
I don't use docker myself, but if we are speaking about
CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, it would
be important to know what GID is specified in CONFIG_GRKERNSEC_PROC_GID?
That GID is an exception and can provide a way to let that group bypass
CONFIG_GRKERNSEC_PROC_USE
Hi!
It looks like when connecting to an existing docker container with `docker
exec`, CONFIG_GRKERNSEC_PROC_USERGROUP (and probably
CONFIG_GRKERNSEC_PROC_USER too) hides processes started by `docker run`
from processes started by `docker exec` (all processes are running as
docker "root", docker daemon
this thread which is
> about the news item.
>
Discussing the validity of the news item seems topical.
> Most packages just get masked and removed in 30 days for example without
> sending a news item just an e-mail to gentoo-dev-announce. The only
> reason why we are sending it is b
On 23.08.2017 20:58, Luis Ressel wrote:
Since all a kernel ebuild does is to dump the sources in /usr/src, it
doesn't make much of a difference anyway, but if someone wants to
create an ebuild in their overlay, they're of course welcome to do so.
It was included in the pentoo overlay two days
they made the decision to stop publishing code
altogether.
@Bob: The Gentoo Hardened project is aware of minipli's efforts, but it
has been decided not to make his tree available as an ebuild
in ::gentoo for now.
Since all a kernel ebuild does is to dump the sources in /usr/src, it
doesn't
n to the entire
> project, they are very stable for me. Thank you again and keep up the good
> work.
>
> On 2017-08-23 10:10, b...@cadamail.com wrote:
>
>> Hello Everyone,
>> I just heard that gentoo-hardened will be scrapped by end-of-month.
>> Well, I have some
unofficial-hardened-sources would make a nice addition to the entire
project, they are very stable for me. Thank you again and keep up the
good work.
On 2017-08-23 10:10, b...@cadamail.com wrote:
Hello Everyone,
I just heard that gentoo-hardened will be scrapped by end-of-month.
Well, I have some
Hello Everyone,
I just heard that gentoo-hardened will be scrapped by end-of-month.
Well, I have some good news - it doesn't have to be. A project has risen
up to continue supporting the patch on future kernels and I have been
running it successfully for over a month with the stock har
-announce. The only
reason why we are sending it is because most Gentoo Hardened users were
using the hardened-sources and deserve a heads-up as to what will happen
to them and what can they do after (as there will be no clear and simple
upgrade path with similar features).
Please do send further answers
On 16.08.2017 16:46, Michael Orlitzky wrote:
There is one thing you have to watch out for: certain vanilla kernel
hardened features were subjugated to grsecurity ones and you'll
probably
want to enable them. For example, you probably want CONFIG_VMAP_STACK
once you've switched, but it won't be
On 08/16/2017 10:37 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>
>> Would anyone like to outline a simple process to migrate from
>> hardened-sources + hardened tool-chain to gentoo-sources?
>>
> Unless you want to drop userspace hardening (which most likely you don't
> as it is still u
On 16/08/17 at 15:36, Robert Sharp wrote:
> On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote:
>> On 16/08/17 at 09:40, Marek Szuba wrote:
>>> Two tiny bits of formal nitpicking from my side:
>>> - it's "grsecurity" (not a typo, they do use a lowercase g except when
>>
On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote:
On 16/08/17 at 09:40, Marek Szuba wrote:
Two tiny bits of formal nitpicking from my side:
- it's "grsecurity" (not a typo, they do use a lowercase g except when
the name appears at the beginning of a sentence), not "grse
Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of any public updates and not only
stable ones as was announced two years ago[2].
As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the har
Hi!
On Tue, Aug 15, 2017 at 10:39:30PM +0200, philipp.amm...@posteo.de wrote:
> You don't really need an ebuild. What I do is manually install
> sys-devel/bc and then:
...
> Whenever there is a new release simply run 'git pull'.
An ebuild is useful anyway; if nothing else, it lets me control
On 15.08.2017 21:13, Alex Efros wrote:
[...]
[3] https://github.com/minipli/linux-unofficial_grsec
[4] https://github.com/copperhead/linux-hardened
Sounds cool, but is anyone going to provide ebuilds for these
kernels?
Not official, but having these in some overlay is better than nothin
el/hardened-sources
Display-If-Profile: hardened/linux/*
As you may know, the core of sys-kernel/hardened-sources has been the
patches published by grsec.
Sadly, their developers have stopped making these patches freely
available [1]. This is a full stop of any public updates and not only
stable one
rted to the latest version of the Linux tree at [4].
>
> The Gentoo Hardened team can't make any statement regarding the
> security, reliability or update availability of either those patches
> as we aren't providing them and can't therefore make any
> recommendation rega
es as was announced two years ago[2].
As a result, the Gentoo Hardened team is unable to keep providing
further updates of the patches, and although the hardened-sources have
proved (when using a hardened toolchain) to be resistant against
certain attacks like the stack guard page jump techniques
-Item-Format: 2.0
Display-If-Installed: sys-kernel/hardened-sources
As you may know, the core of sys-kernel/hardened-sources has been the
patches published by grsec.
Sadly, their developers have stopped making these freely available [1].
As a result, the Gentoo Hardened team is unable to keep
On Thu, Aug 10, 2017 at 09:16:53AM +0100, Robert Sharp wrote:
> Had emerge of setools failure this morning:
>
> 1 out of 1 hunk FAILED -- saving rejects to file setup.py.rej
> [ !! ]
> * ERROR: app-admin/setools-4.1.1::gentoo failed (prepare phase):
> * patch -p1 failed with
> /var/tmp/p
Had emerge of setools failure this morning:
1 out of 1 hunk FAILED -- saving rejects to file setup.py.rej
[ !! ]
* ERROR: app-admin/setools-4.1.1::gentoo failed (prepare phase):
* patch -p1 failed with
/var/tmp/portage/app-admin/setools-4.1.1/files/setools-4.1.0-remove-gui.patch
I can pr
On 24.07.2017 18:46, Cor Legemaat wrote:
On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
Have you thought about using another alternative apart from grsec as a kernel-side
solution? PaX is PaX, it's a great loss, but RSBAC and SELinux have
their
W or X; almost all CPUs today have the NX bit
>>
>
> How do I play with RSBAC? There are nice wiki pages etc., but all the
> ebuilds are removed from portage?
>
> Regards:
> Cor
>
You can download rsbac sources from their git
https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-4.9.y.git;a=summary
You will need rsbac-admin tools too
https://gi
On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
> Have you thought about using another alternative apart from grsec as a kernel-side
> solution? PaX is PaX, it's a great loss, but RSBAC and SELinux have
> their
> W or X; almost all CPUs today have the NX bit, which reduces the need for
> PageExec/
On Tue, Jul 18, 2017 at 9:37 AM, R0b0t1 wrote:
> [...] there are this solution seems [...]
I even reread that a few times. My apologies.
On Tue, Jul 18, 2017 at 5:34 AM, Alex Efros wrote:
> Hi!
>
> On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
>> My plan then is as follows. I'll wait one more month and then send out
>> a news item and later mask hardened-sources for removal.
>
> Well, it's about a month now. I
Hi!
On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.
Well, it's about a month now. I didn't reply earlier because others
already mentioned all g
On 23/06/17 at 18:28, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
>
On Fri, 23 Jun 2017 12:28:27 -0400
"Anthony G. Basile" wrote:
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
Thank
Have you thought about using another alternative apart from grsec as a kernel-side
solution? PaX is PaX, it's a great loss, but RSBAC and SELinux have their
W or X; almost all CPUs today have the NX bit, which reduces the need for
PageExec/SegmExec, and I think there are some gcc plugins with PaX-like
functions.
rs
On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
> My plan then is as follows. I'll wait one more month and then send
> out a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with
> PaX markings.
On Fri, 23 Jun 2017 12:28:27 -0400
> My plan then is as follows. I'll wait one more month and then send
> out a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with
> PaX markings.
>
> I welcome feedback.
I won't
Hi everyone,
Since late April, grsecurity upstream has stopped making their patches
available publicly. Without going into details, the reason for their
decision revolves around disputes about how their patches were being
(ab)used.
Since the grsecurity patch formed the main core of our hardened-sou
Hi,
I'm not claiming that I understand all the issues, but I wonder how
that all affects "normal" Gentoo.
Let me summarize my understanding:
* We currently enable -fstack-check=specific on hardened, but not on
normal Gentoo.
* -fstack-check provides protection against stack clashes, but it is
Executive summary
With Gentoo Hardened, no ebuilds compiled with a hardened toolchain of
version 4.8 or higher should be affected by this issue, as
-fstack-check=specific is enabled by default. The only known exceptions
are media-video/vlc and (on HPPA) dev-lang/tcl, which disable this feature
s "-fstack-check" option
> - I checked current and recent gcc versions.
>
> 6.3.0 seems to be fine:
> gcc version 6.3.0 (Gentoo Hardened 6.3.0 p1.0)
> gcc -dumpspecs | grep -B 1 stack-check
> *cc1:
> %{!mandroid|tno-android-cc:%(cc1_cpu) %{profile:-p};:%(cc1_cpu)
> %{p
3.0 seems to be fine:
gcc version 6.3.0 (Gentoo Hardened 6.3.0 p1.0)
gcc -dumpspecs | grep -B 1 stack-check
*cc1:
%{!mandroid|tno-android-cc:%(cc1_cpu) %{profile:-p};:%(cc1_cpu)
%{profile:-p} %{!mglibc:%{!muclibc:%{!mbionic: -mbionic}}}
%{!fno-pic:%{!fno-PIC:%{!fpic:%{!fPIC:
-fPIC}%{fstack-che
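The `gcc -dumpspecs` output quoted above is GCC's spec language: `%{S:X}` substitutes X when `-S` is on the command line, `%{!S:X}` when it is not, `|` joins alternatives, `;` starts the next branch of the same conditional (`;:` being the default branch), and `%(name)` pulls in another named spec. That mechanism is what lets a hardened toolchain inject -fPIC or -fstack-check without the user asking, and equally what lets -fno-pic or an explicit -fstack-check= turn the default back off. The following added example, written for this page and not Gentoo's or GCC's own code, implements enough of that grammar to answer the question in the thread, whether a given toolchain enables stack checking by default, for an arbitrary set of user options. SAMPLE_DUMPSPECS is constructed, modelled on the cc1 fragment quoted above; its stack-check clause is an assumption about how such a default would be expressed, not a copy of the real Gentoo spec, and `cc1_cpu` is filled in with a placeholder body.

```python
"""Evaluate GCC spec strings (the %{...} language printed by `gcc -dumpspecs`)
to find which flags the driver injects for a given command line.
Added example for this page; SAMPLE_DUMPSPECS is constructed, not a real
toolchain's output."""
import shutil
import subprocess

SAMPLE_DUMPSPECS = """*cc1_cpu:
%{march=native:-march=native}

*cc1:
%{!mandroid|tno-android-cc:%(cc1_cpu) %{profile:-p};:%(cc1_cpu) %{profile:-p} %{!mglibc:%{!muclibc:%{!mbionic: -mbionic}}}} %{!fno-pic:%{!fno-PIC:%{!fpic:%{!fPIC: -fPIC}}}}%{!fno-stack-check:%{!fstack-check*: -fstack-check=specific}}
"""


def parse_dumpspecs(text):
    """Split `gcc -dumpspecs` output ('*name:' header, body, blank line) into a dict."""
    specs, name, buf = {}, None, []
    for line in text.splitlines():
        if line.startswith("*") and line.endswith(":"):
            if name is not None:
                specs[name] = " ".join(buf).strip()
            name, buf = line[1:-1], []
        else:
            buf.append(line)
    if name is not None:
        specs[name] = " ".join(buf).strip()
    return specs


def _atom_present(atom, opts):
    """'S' matches -S exactly; 'S*' matches any -S... option (e.g. -fstack-check=no)."""
    if atom.endswith("*"):
        return any(o.startswith("-" + atom[:-1]) for o in opts)
    return ("-" + atom) in opts


def _cond_true(cond, opts):
    """%{S|!T:...} is true if any alternative holds; an empty condition (the ';:'
    default branch) always holds."""
    if not cond:
        return True
    return any((not _atom_present(a[1:], opts)) if a.startswith("!") else _atom_present(a, opts)
               for a in cond.split("|"))


def _expand(spec, i, opts, specs):
    """Expand spec[i:] up to an unmatched '}' or ';'. Returns (text, next_i, terminator)."""
    out = []
    while i < len(spec):
        if spec.startswith("%{", i):
            text, i = _conditional(spec, i + 2, opts, specs)
            out.append(text)
        elif spec.startswith("%(", i):          # reference to another named spec
            j = spec.index(")", i)
            out.append(_expand(specs.get(spec[i + 2:j], ""), 0, opts, specs)[0])
            i = j + 1
        elif spec[i] in "};":
            return "".join(out), i + 1, spec[i]
        else:
            out.append(spec[i])
            i += 1
    return "".join(out), i, ""


def _conditional(spec, i, opts, specs):
    """Parse %{cond:body;cond:body;:default} with i just past the '%{'."""
    chosen = None
    while True:
        k = i
        while spec[k] not in ":}":
            k += 1
        cond = spec[i:k]
        if spec[k] == "}":                      # bare %{S}: pass -S through if given
            return " ".join("-" + a for a in cond.split("|") if _atom_present(a, opts)), k + 1
        text, i, term = _expand(spec, k + 1, opts, specs)
        if chosen is None and _cond_true(cond, opts):
            chosen = text                       # first true branch wins; keep parsing to the end
        if term != ";":
            return chosen or "", i


def injected_flags(spec, opts=(), specs=None):
    """Flags the spec adds for the given user options, e.g. {'-fno-pic'}."""
    text, _, _ = _expand(spec, 0, set(opts), specs or {})
    return frozenset(t for t in text.split() if t.startswith("-"))


def hardening_defaults(specs):
    """What the cc1 spec turns on with no user flags at all."""
    flags = injected_flags(specs.get("cc1", ""), (), specs)
    return {
        "pic": bool(flags & {"-fPIC", "-fpic", "-fPIE", "-fpie"}),
        "stack_check": any(f.startswith("-fstack-check") for f in flags),
        "stack_clash": "-fstack-clash-protection" in flags,
        "cf_protection": any(f.startswith("-fcf-protection") for f in flags),
    }


def live_toolchain_specs():
    """Specs of the gcc on PATH, or None if there is none."""
    if shutil.which("gcc") is None:
        return None
    out = subprocess.run(["gcc", "-dumpspecs"], capture_output=True, text=True, check=True).stdout
    return parse_dumpspecs(out)


if __name__ == "__main__":
    print(hardening_defaults(live_toolchain_specs() or parse_dumpspecs(SAMPLE_DUMPSPECS)))
```

Run against the installed compiler, `hardening_defaults` reports whether the spec file (not just the CFLAGS in make.conf) injects PIC and stack checking, and the same walk catches -fstack-clash-protection and -fcf-protection if a distribution spec adds them once GCC 8 is in use. Checking `injected_flags` with `{"-fstack-check=no"}` or `{"-fno-pic"}` is the quick way to see which per-package overrides, such as the vlc and tcl exceptions mentioned in the thread, actually disable the default.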
On 18/06/17 17:29, Sven Vermeulen wrote:
It's okay to use it. Manipulating the directory seems to be something I
would want to verify with the application itself first. If it is a Perl
script, then it might be easy to find out why.
Looking at the error messages and the script itself the problem
On Sat, Jun 17, 2017 at 06:20:40PM +0100, Robert Sharp wrote:
>I had assumed this was the file of that name in /etc/ssl/certs but your
>comment made me check the inode and I was wrong. It is actually a
>directory "/usr/share/ca-certificates" which also has the "cert_t"
>context. The
On 17/06/17 11:47, Sven Vermeulen wrote:
I generally try to make sure that it is the right domain before adding the
privilege. In the denial, the command that is being denied access is
"ca-certificates". Is that a script from ddclient, or does ddclient trigger
an (external) script and should we p
On Thu, Jun 15, 2017 at 11:58:49AM +0100, Robert Sharp wrote:
> I have been enforcing on my SELinux box for a while without incident,
> until yesterday. Ddclient started spamming me with emails about SSL
> connect failures. I checked the audit log for AVCs and found the one
> below. The context for
I have been enforcing on my SELinux box for a while without incident,
until yesterday. Ddclient started spamming me with emails about SSL
connect failures. I checked the audit log for AVCs and found the one
below. The context for /etc/ssl/certs/ca-certificates is cert_t and it
looks like the int
This has been sitting in our policy since 2012 (aaa0f803d), but it's
obviously a typo.
---
policy/modules/system/miscfiles.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/miscfiles.fc
b/policy/modules/system/miscfiles.fc
index 42ac30bda..b32e4e262 1006
On Fri, May 12, 2017 at 09:45:50AM -0400, Aaron W. Swenson wrote:
> On 2017-05-11 09:31, Max R.D. Parmer wrote:
> > Perhaps I missed it, but I've been so far unable to find a position/plan
> > for the future of hardened-sources from the Gentoo Hardened project
> > membe
On Fri, May 12, 2017, at 16:38, Alex Efros wrote:
> Hi!
>
> On Fri, May 12, 2017 at 09:10:43PM +0200, "Tóth Attila" wrote:
> > Please take a look at the reply of PaxTeam posted on the openwall
> > mailing list:
> > http://openwall.com/lists/kernel-hardening/2017/05/11/2
>
> What's for? It's p
Hi!
On Fri, May 12, 2017 at 09:10:43PM +0200, "Tóth Attila" wrote:
> Please take a look at the reply of PaxTeam posted on the openwall
> mailing list:
> http://openwall.com/lists/kernel-hardening/2017/05/11/2
What's for? It's pointless. Only very few people are really interested
(i.e. not jus
On 2017 May 8 (Mon) 23:12, Andrew Savchenko wrote:
> Most likely KSPP project will come up, they are doing a good job:
> bringing security features upstream fixing bugs in PaX code during
> the process [1]. This is what PaX should have done long time ago,
> they were even offered CII gran
On 2017-05-11 09:31, Max R.D. Parmer wrote:
> Howdy,
>
> Perhaps I missed it, but I've been so far unable to find a position/plan
> for the future of hardened-sources from the Gentoo Hardened project
> members. I've searched the site and mailing list archives. Has any s
Howdy,
Perhaps I missed it, but I've been so far unable to find a position/plan
for the future of hardened-sources from the Gentoo Hardened project
members. I've searched the site and mailing list archives. Has any such
statement been made?
I see there are some efforts to create a
On 170509-01:31+0200, Miroslav Rovis wrote:
> On 170508-22:49+0200, Miroslav Rovis wrote:
> > ...
> > I'll be back with an ebuild to discuss.
> > ...
> > On 170508-22:07+0200, Mathias Krause wrote:
> > > On 8 May 2017 at 20:08, Miroslav Rovis
> > > wrote:
> ...
> > > > Unofficial forward ports of