t into the tree soon ---
we have a clear plan on how to proceed. Work on the kernel is furthest
out of sync. I'm not certain how this will go, but I'm confident we'll
work it out.
--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14
http://opensource.dyc.edu/tinhat
Downloads: http://opensource.dyc.edu/tinhat-downloads
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
's just using
ROOT=/new/and/shiny/rootfs emerge -e world
to get around this, but it would be good to have that for the users.
er, there may still be ways of making the exploit work even
without symbol info.)
3) On hardened systems, if you enable CONFIG_PAX_MEMORY_UDEREF=y, the
exploits fail even with access to symbol info. If possible, I would
also recommend enabling CONFIG_PAX_KERNEXEC=y.
On 09/16/2010 06:47 PM, 7v5w7go9ub0o wrote:
> On 09/16/10 17:15, Anthony G. Basile wrote:
> []
>
>>
>>
>> As a result, certain configurations of hardened-sources are also
>> vulnerable. As a work around until I get
r that, but in the meantime, amd64 users that
wish to continue using hardened-sources-2.6.32-r9 may do so securely
provided you follow the workaround discussed in ref [2].
Refs:
[1] https://bugs.gentoo.org/329499
[2] http://bugs.gentoo.org/show_bug.cgi?id=326885
. However, I am also suspicious of UDEREF.
If anyone can test all four possibilities for me, KERNEXEC=y/n and
UDEREF=y/n, for a *paravirt* guest and tell me how it goes, I would
appreciate it.
On 10/11/2010 01:20 PM, Tom Hendrikx wrote:
> On 06/10/10 01:43, Anthony G. Basile wrote:
>> On 10/05/2010 10:25 AM, Mike Edenfield wrote:
>>> and then build and install a PaX kernel.
>>
>> Be careful when installing
ned-sources-2.6.28-r9. These will
be kept for continuity.
Ref:
[1] http://www.vsecurity.com/resources/advisory/20101019-1/
[2] http://bugs.gentoo.org/show_bug.cgi?id=341801
[3] http://bugs.gentoo.org/show_bug.cgi?id=341915
[4] http://bugs.gentoo.org/show_bug.cgi?id=334341
eport any bugs in h-s-2.6.32-r22 or h-s-2.6.35-r4 asap so we
can address them. Ideally stabilized kernels should be bug free.
Ref.
[1] http://bugs.gentoo.org/show_bug.cgi?id=337645
[2] http://bugs.gentoo.org/show_bug.cgi?id=338572
line 3817: Called die
>>
>> Doing `paxctl -m /usr/bin/python2.6` works around this issue.
>>
> Yeah, python 2.6 uses a lot of ugly rwx mappings causing this kind of bug.
>
Upgrading to python-2.6.6-r1 should fix this. You'll also need to
upgrade portage to 2
.git
3. cd hardened-dev
4. git branch profiles origin/profiles
5. git checkout profiles
6. mount --bind profiles/ /usr/portage/profiles
7. Record your emerge -ep system and emerge -ep world, and compare to
before.
There should be no or only minor changes.
Thanks.
--
Anthony G. Basile, Ph.D.
Gentoo Developer
On 11/06/2010 05:43 PM, Anthony G. Basile wrote:
>
>
> [8] hardened/linux/amd64/10.0 *
> [9] hardened/linux/amd64/10.0/no-multilib
>
> you will simply get
>
> [8] hardened/linux/amd64/10.0 *
> [9] hardened/linux/amd64/10.0/no-multilib
>
Sor
On 11/07/2010 01:47 PM, Claes Gyllenswärd wrote:
> 2010/11/6 Anthony G. Basile :
>>
>> Hi hardened users,
>>
>> You may have heard by now that hardened is thinking of changing its
>> profile structure. The current structure is crazy complex and there is
>>
On 11/08/2010 02:22 AM, Claes Gyllenswärd wrote:
> 2010/11/8 Anthony G. Basile :
>> On 11/07/2010 01:47 PM, Claes Gyllenswärd wrote:
>>> 2010/11/6 Anthony G. Basile :
>>>>
>>>> Hi hardened users,
>>>>
>>>> You may have heard by no
2duo, i3 and i7.
>
> -- prometheanfire
>
Thanks for that info, it should go into the documentation I'm writing on
hardened+virt. I only tested the amd guests and assumed it was the same
for intel.
Hi everyone,
hardened/linux/ia64 has been updated. If you were using
hardened/linux/ia64/10.0
you should do "eselect profile set hardened/linux/ia64" to switch.
Please check if your "emerge -ep system" set and "emerge -ep world" sets
change before and af
e -ep system and emerge -ep world do not change. Please
report problems as soon as possible on the bug.
So far ia64 and ppc/ppc64 are done. I will wait a week to see if
there are any problems with these. If not, on Nov 20, I'll switch x86
over, and some time after that amd64.
round Nov 24, 2010.
As always, let me know if anything breaks.
bunch of R's, not U's, not UD's not NS's etc.
See man emerge for more details.
'll only have to use
eselect profile if you *want* to change profiles, not because you have
to as part of some updating.
As usual, please report any breakage.
bugs that can be avoided. I hope to mark
them stable in about one week.
Thanks.
On 12/09/2010 02:03 AM, dev-ran...@mail.ru wrote:
>
> Upd: all the hardened stuff seems to be commented out in ebuild!
>
I just fixed it in the tree. Please resync in a few hours and test again.
On 12/21/2010 05:59 AM, Tom Hendrikx wrote:
> On 09/12/10 12:15, Anthony G. Basile wrote:
>> On 12/09/2010 02:03 AM, dev-ran...@mail.ru wrote:
>>>
>>> Upd: all the hardened stuff seems to be commented out in ebuild!
>>>
>>
>> I just fixed it in
chain was kept steady with a minor bump in glibc to 2.11.2. The
kernel was updated to 2.6.32.27 plus grsecurity patches. About 120
packages were bumped to sync with Gentoo upstream.
Home page: http://opensource.dyc.edu/tinhat
Downloads: http://opensource.dyc.edu/tinhat-downloads
ev/cciss/c0d0p1 /boot ext2 noauto,noatime 1 2
/dev/cciss/c0d0p3 / ext4 noatime 0 1
/dev/cciss/c0d0p2 none swap sw 0 0
None of which showed a panic.
tree marked ~arch:
hardened-sources-2.6.32-r32
hardened-sources-2.6.36-r7
They are based on the very latest grsec patches. Can users who hit the
panic test them?
_CROSS_COMPILE="". This crept in during some
update (I forget which) in which the meaning of the option changed. This
is causing kbuild to interpret the option as a prefix rather than "no I
don't have a cross compiler".
http://bugs.gentoo.org/show_bug.cgi?id=329499
To verify my suspicion, an strace would be helpful. If you don't mind,
open up a bug with your findings, give your emerge --info, the flags you
used with apache, and an strace of apache going bad. This will be a
start for us.
32-r33
and/or
hardened-sources-2.6.36-r8
Both are based on the latest grsecurity-*-201101052002.patch
pipacs, was this the same as the python bug?
http://bugs.gentoo.org/show_bug.cgi?id=329499
ernel
compatible with VirtualBox and kvm, but there are some security settings
which will most likely *always* break virtualization and will need to be
turned off.
This is work in progress and testing is appreciated. The ebuilds are on
my overlay.
. So, I'm going to add it back in about 1 week.
hich package the binary belongs to.
>
> Can somebody update me on the nature of the problem? Is it an intended
> movement to drop __guard? I know, that it's obsolete. I would suggest to
> communicate this in an enews or whatever for all hardened users. Or I may
> be the only one, who
On 02/11/2011 03:32 AM, Darknight wrote:
> 2011-02-10 21:03:01 Michael Orlitzky
>> On 02/09/11 22:09, Anthony G. Basile wrote:
>>> Hi everyone,
>>>
>>> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
>>> profiles. To be honest,
{PN}
scheme, but you make a good point about the mapping being many-to-many
in general.
If we agree to this standard, how do we grandfather in the packages that
are already in sec-policy? Renaming packages is a pita and we should
avoid it if we can.
on so nothing is ultimately lost.
The question came up because of the latest news about ipv4 address space
being depleted, so we know ipv6 is coming. When ipv6 use becomes
significant, we'll revisit the issue.
(And please don't ask me what significant means! I'm not even sure
f we can get to the
bottom of why his change didn't work. I don't want to start reverting
too soon because I'd like to understand what's going on first.
Sorry for the inconvenience to the community.
On 01/25/2011 09:19 AM, Thomas Sachau wrote:
> Am 25.01.2011 13:26, schrieb Anthony G. Basile:
>> Hi hardened users,
>>
>> Currently, when configuring the hardened kernel, the user is presented
>> with some predefined Security Levels. (Security options -> Grsecuirt
regarding what happened and how
we fixed it.
added this to the
> suggested Gentoo Hardened SELinux Policy document [1].
>
> Wkr,
> Sven Vermeulen
>
> [1] goo.gl/2U0Zr
I am in agreement, but I hesitate because moving packages is a pita. If
it can be done with minimal disruption, then let's move in that
direction. Do you know what current sec-policy/selinux-* are in violation?
hich is
not impossibly large for success by brute force while 64-bits is about
10^19. A lot harder.
And then, to complicate matters, 64-bit with 32-bit compat opens up yet
another family of exploits, like the one Dan Rosenberg found a few
months back which abused the way 32-bit syscalls were treated by 64-bit
kernels with 32-bit compat.
arch for the policies. I'm not sure keeping/removing on the basis of
stable/unstable works.
I don't even know what the policy is for stabilization of sec-policy/*
On 02/27/2011 10:14 AM, Sven Vermeulen wrote:
> On Sun, Feb 27, 2011 at 10:05:28AM -0500, Anthony G. Basile wrote:
>> Since the selinux policies come as a set with the same date as a version
>> number, wouldn't it be better to, say, remove all the 20080525 first.
>> Fix
USE=pic should have exactly 0 effect on amd64 because the arch and the ELF ABI
> makes PIC zero cost basically. if some package manages to get around the rules
> somehow, it's a bug in that package, treat it accordingly ;).
>
This was Zorry's point. So if it has no effect, why keep it? I say
let's remove it.
> in HVM mode
> i386 should be fine, amd64 should be dead slow.
In my experience, both are fine. I run hardened x86, hardened amd64 and
hardened amd64 nomultilib as domU. The host is OpenSuse 11.3. I have
both KERNEXEC and UDEREF on, no noticeable problems.
KVM is a different story, and I do see slowdown for amd64.
On 03/02/2011 03:28 AM, pagee...@freemail.hu wrote:
> On 1 Mar 2011 at 18:28, Anthony G. Basile wrote:
>
>>> in HVM mode
>>> i386 should be fine, amd64 should be dead slow.
>>
>> In my experience, both are fine. I run hardened x86, hardened amd64 and
ioncube.
>
> like they said, this doesn't seem to be a bug in the kernel, so the pax
> source aren't going to be changing
>
> if there's a bug in glibc, an actual bug in bugs.g.o needs to be
> opened with real details/patches. otherwise, nothing is going to
> change.
> -mike
Nothing to say that Mike hasn't already said. pipacs knows about this
but what can he do? Good luck with upstream glibc. Next time I speak
with pipacs I can bring it up, see if anything is changing. I doubt it.
Take a look at [1] for a good laugh.
Ref:
[1] http://sourceware.org/bugzilla/show_bug.cgi?id=12492
use a separate document. Meh.
>
> Committed to hardened-dev.git.
>
> HTML Preview: http://goo.gl/uaaf4
>
> Wkr,
> Sven Vermeulen
>
You mean hardened-doc.git
On 03/09/2011 04:03 AM, pagee...@freemail.hu wrote:
> On 8 Mar 2011 at 15:55, Mike Frysinger wrote:
>
>> On Tue, Mar 8, 2011 at 3:49 PM, Anthony G. Basile wrote:
>>> Nothing to say that Mike hasn't already said. pipacs knows about this
>>> but what can he
assigning selinux bugs to
seli...@gentoo.org for easy lookup.)
I think these are blockers to stabilization. Any others you want to add
to the list?
#355675 - No brainer. I'll test the patch there this afternoon and put
it on the tree later if it works.
#346563 - sounds like a profile problem, but I&
-apps/portage python3
> - profile.bashrc
> SANDBOX_WRITE="${SANDBOXWRITE}:/selinux/"
> SANDBOX_WRITE="${SANDBOXWRITE}:/proc/self/"
> - use.force
> selinux
> - use.mask
> -hardened
> -selinux
> emul-linux-x86
>
On 03/18/2011 11:43 AM, Sven Vermeulen wrote:
> On Fri, Mar 18, 2011 at 07:41:37AM -0400, Anthony G. Basile wrote:
>> Hi Sven,
>>
>> Did you identify what the weirdness was. I'd like to eventually clean
>> up the profiles. Rather than
> [...]
>> I'
On 03/27/2011 03:42 PM, Sven Vermeulen wrote:
> On Fri, Mar 18, 2011 at 06:55:34PM -0400, Anthony G. Basile wrote:
>> You're not wrong, but this can be restructured to come better in line
>> with the rest of the hardened profiles. I have to do a careful analysis
>> of
rs too. I think Chainsaw has like 24 HP DL 385's. I've asked
him to test but he hasn't gotten back to me.
On 03/29/2011 09:11 PM, Michael Orlitzky wrote:
> On 03/29/2011 06:49 PM, Anthony G. Basile wrote:
>> On 03/29/2011 11:59 AM, Michael Orlitzky wrote:
>>> On 03/29/11 07:17, Magnus Granberg wrote:
>>>> [22:55:55] HP smart array, the CCISS driver is borked on 2.6.37
BFS scheduler reduces latency on desktop
systems, especially under heavy load. So now you can run your desktop
fast and hard. (I'm sure there's a bad pun in there somewhere :)
Refs
[1] http://users.on.net/~ckolivas/kernel/
[2] http://grsecurity.net/
On 04/01/2011 04:16 PM, Michael Orlitzky wrote:
> On 03/30/11 07:56, Anthony G. Basile wrote:
>>
>> Yes, the cciss array will not be recognized and as a result you get a
>> panic when root can't be found. Not a very revealing bug. We should
>> also make sure that
nux. If you
see a bug that you think you can help with, feel free to post. Help can
be as simple as just confirming/denying the bug was hit because often
people submit bugs thinking it's due to hardened kernel or toolchain when
it's something else --- nothing wrong with that, but we have to sort it ou
s been updated yesterday as well, adding two more
>> FAQs. One is about rlpkg complaining about conflicting types, the
>> other one
>> is about portage complaining about libsandbox.so not being loaded.
>>
>> FAQ preview at http://goo.gl/uaaf4
>>
>> Wkr,
> 'emerge --info'. Kind of like a DOM explorer, but for Gentoo profiles.
>
#!/usr/bin/env python
# Print the profile stack portage resolved for this system, one path per line
import portage
for p in portage.settings.profiles:
    print(p)
ux/amd64
/usr/portage/profiles/features/64bit-native
/usr/portage/profiles/hardened/linux/amd64/no-multilib
So why does this stack include features/multilib??? There you have
use.force:multilib
use.mask:-multilib
which you later have to fix up in features/64bit-native where you have
use.force:-mu
/usr/portage/profiles/arch/x86
/usr/portage/profiles/releases
/usr/portage/profiles/releases/10.0
/usr/portage/profiles/hardened/linux
/usr/portage/profiles/hardened/linux/x86
/usr/portage/profiles/features
/usr/portage/profiles/hardened/linux/x86/selinux
t profile set 9
or if you're using a no-multilib, try 11
emerge -uvpDN world
See what breaks/un-breaks. Report to the bug.
4) Long term. If we're happy, we deprecate the old profiles. This
includes sending out a news item explaining scheduling/procedure for
switch over etc etc
ith
> the .37 config. I didn't see any difference between the configs that,
> to my humble knowledge, could cause this.
>
> //Fredric J
Thanks guys. Best to open a bug report regarding these issues. There
were some serious changes with -r1 and it will be a while befor
arked "dev" and not
"stable". Also these do NOT replace the current selinux profiles
selinux/v2refpolicy/*. In time, they will obsolete them, but for the time
being, the new feature profile is experimental.
Dw.
Compiling it as a module is the way the devs recommend doing it. I've
been compiling it into my kernels, but then I'm stuck with what I get,
as you were. I want the round-robin, what's bothering me is the miimon
which I can't change from 0 which means no mii mon which is not go
nswer to the first question, I was getting my info from memory. I
remember mpagano quoting it in response to a problem someone else had
with compiling it in. I remember him saying that using the module was
the only way of setting the parameters. I might ask him about it later.
As for /sys
page: http://opensource.dyc.edu/tinhat
Downloads: http://opensource.dyc.edu/tinhat-downloads
g apache and nginx together may cause
tension between the needs of both packages. But seeing as I never used
nginx, my concern may be unfounded.
Also, we don't have policies exclusively for lighttpd. Do you know how
that fits in?
modern isn't possible.
> Can anybody give kindly me a hint?
>
> If SELinux is disabled then it's working fine.
>
> acl.log was used to build *.pp semodules (audit2allow). But these KDE's
> applications still won't work.
>
>
> Best regards
>
p-going -eq world
(again not any failures, shouldn't happen else we're not doing our job)
system vs world = system is just the bare minimum packages that any box
running that profile needs. world = system + what you've added. You
can skip step 3, but there might be a chance of mixing
unhardened/hardened stuff if you do, but I'm not 100% sure.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
On 06/29/2011 05:39 PM, Tom Hendrikx wrote:
> On 29/06/11 16:47, 7v5w7go9ub0o wrote:
>> On 06/29/11 07:19, Anthony G. Basile wrote:
>>
>> [snip]
>>
>>>
>>> The safest approach in either switching or recompiling everything
>>> is:
>>>
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
On 07/15/2011 04:52 AM, Markus Oehme wrote:
> Hi Anthony,
>
> At Thu, 14 Jul 2011 12:59:59 -0400,
> Anthony G. Basile wrote:
>>> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
>>> 4.6.0 for quite some time on ~amd64 ere I switched t
On 07/15/2011 06:57 AM, Markus Oehme wrote:
> Hi Anthony,
>
> At Fri, 15 Jul 2011 06:22:24 -0400,
> Anthony G. Basile wrote:
>> On 07/15/2011 04:52 AM, Markus Oehme wrote:
>> Thanks for discovering this, I was not aware. However, when I try to
>> compile with -flto
71425 - Mark as VERIFIED
> #374991 - Mark as FIXED
> #375475 - Mark as CONFIRMED
> #375617 - Mark as IN_PROGRESS
> #373381 - Mark as CONFIRMED
>
> Thanks in advance.
>
> Wkr,
> Sven Vermeulen
I'll get them.
On 07/22/2011 02:07 PM, d hee wrote:
> No, Bug #283274 is about segmentation fault when encrypting a Luks partition :
Please look at the following links:
https://bugs.gentoo.org/show_bug.cgi?id=283274
https://bugs.gentoo.org/show_bug.cgi?id=283470
s to cron's fifo_file but I'm not sure
> for logrotate_t file descriptor, anyway here are the rules for this:
> allow system_cronjob_t tmp_t:dir { create rmdir };
> allow syslogd_t crond_t:fifo_file read;
> allow syslogd_t logrotate_t:fd use;
>
>
> 9) Sendmail-rela
gt; [...]
> kutulu@platypus ~ $ id -Z
> system_u:system_r:xdm_t
> kutulu@platypus ~ $ ps axZ | grep kdm
> system_u:system_r:xdm_t 2920 ? Ss 0:00 /usr/bin/kdm
> kutulu@platypus ~ $ ps axZ | grep X
> system_u:system_r:xserver_t 2939 tty7 Ss+ 1:16 /u
On 07/31/2011 09:18 AM, Mike Edenfield wrote:
> On 7/31/2011 7:58 AM, Anthony G. Basile wrote:
>> You get the same effect even on targeted where your session should be
>> running as unconfined_u:unconfined_r:unconfined_t.
>
> Yes, that was a targeted system I showed the ps ou
3381, information on the cron SELinux
> policy module and updates on the portage SELinux policy module (additional
> supported SELinux booleans).
>
> Wkr,
> Sven Vermeulen
>
Yeah, I have so much competition. I'll do it tomorrow morning after I
sober up. Ping me if
Sven Vermeulen
It's lint and can be removed. It doesn't do any harm masking a package
that doesn't exist, but it does clutter the already hard to read profiles.
s with the new profiles because of low
usage or because there just aren't any, so community feedback about
their use and usefulness would be appreciated.
Ref.
[1] https://bugs.gentoo.org/show_bug.cgi?id=365483
On 08/21/2011 04:03 PM, Matt Thode wrote:
>
> On Aug 21, 2011, at 7:03 AM, Mike Edenfield wrote:
>
>> On 8/21/2011 7:10 AM, Anthony G. Basile wrote:
>>> Hi everyone,
>>>
>>> Back in May, I added new feature/selinux profiles which we would like to
>
DEN and rebooting to see if grsec is
denying some udev trigger. But modharden should only prevent non-root
processes from autoloading. I can't test on mine because they are on
high availability clusters.
On 09/03/2011 04:38 PM, "Tóth Attila" wrote:
> 2011.Szeptember 3.(Szo) 21:46 időpontban Anthony G. Basile ezt írta:
>> It does look like the same issue again. I don't think we really solved
>> it, but just found a workaround which you specify above.
>
> It
t hit a compile time error, but I didn't test very hard. If
you're interested in RSBAC, please test and we'll start to bug report
and send patches upstream to help them out.
ection and would break if one were added.
Currently the only known issue with paxctl-ng is that it doesn't properly
do file globbing. I have not yet seen it break a binary, but please
don't use this on a production system until we have more confidence in it.
Thanks.
?
>
> Thanks:
> Dw.
elf
without a PT_PAX program header, and only XT_PAX markings and see if it
works. We'll then be able to cover binaries which cannot support PT_PAX
program headers with XT_PAX.
Please read the man pages! Make sure they read okay too.
Thanks.
me people found 2.6.32-r9 very stable and wanted me to keep it
last time I asked if I could axe it.
o reproduce: command lines if possible
We forget emails quickly. We are reminded of bugs each time we search
for bugs assigned to us.
ffer overflows
= pie = helps randomize process address space
= fortify-sources = tighten up glibc
edu/tinhat-downloads
trictions that RBAC would
give you on a workstation.
>
> Does CONFIG_PAX_MPROTECT_COMPAT have any effect on firefox and did
> mozilla refuse to patch their sources with the if !jit patch?
>
> Thanks
>
> Kc
oduction system because part
of the testing process is seeing what feedback I get from the community
on those kernels. Only when I've heard nothing bad, and run a kernel
myself for a while, do I mark it stable.
So I encourage people to play with ~arches in non-critical environments
and le
> requiring a pluginpath.ini, if you have say a sandboxed flash enabled
>> > firefox browser.
>> >
>
We need bug reports on these because I am not experiencing any problems
with the latest hardened-kernels and firefox/libreoffice. I haven't
tried opera but will now. Th