Hello everyone,
I'm trusted with building a hardened server. I've been using Gentoo on my
desktops for years, so hardened Gentoo is an obvious choice for me.
But there is one thing which disturbs me: since Gentoo (and hardened
Gentoo) is source-based, I'll need a complete toolchain to keep the
system up
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 26.12.2011 19:57, Anthony G. Basile wrote:
> Hi everyone,
>
> For a while now, we've been supporting three predefined grsec
> profiles in the hardened-sources kernel. Upstream provides four.
> These are
>
> GRKERNSEC_LOW GRKERNSEC_MEDIUM GRKERNSE
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 02.01.2012 20:45, Matthew Thode (prometheanfire) wrote:
> On Mon, 02 Jan 2012 13:39:45 -0500 "Anthony G. Basile"
> wrote:
>
>> On 01/02/2012 06:14 AM, pagee...@freemail.hu wrote:
>>> On 2 Jan 2012 at 1
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 15.02.2012 17:39, Grant wrote:
> Firefox won't compile on my system due to the issue
> described here:
>
> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>
FWIW: I had no trouble compiling Firefox 9.0 on
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 19.02.2012 20:06, "Tóth Attila" wrote:
> The email I replied to was originally posted by "Hinnerk van
> Bruinehsen".
>
> Let's see my question in details, that might clarify it. Here is
> the part
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 27.02.2012 21:15, Sven Vermeulen wrote:
> On Mon, Feb 27, 2012 at 09:53:41PM +0200, Cor Legmaat wrote:
This is what I get with gnome-terminal:
> cor@k53s ~ $ id -Z
> system_u:system_r:initrc_t
> cor@k53s ~ $ ssh 127.0.0.1
> Last login: Mon
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 21.04.2012 13:05, Anthony G. Basile wrote:
> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root
> level of all hardened profiles. The request came from jmbsvicetto
> because he required it for the hardened stages to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
at the moment the thunderbird ebuild in the tree does a "pax mark m"
on the binary.
At least for me thunderbird works fine if I just disable jit.
What would be the workflow for reporting that? Should I file a bug report?
With kind regards
Hinner
On 17.05.2012 20:25, Radek Madej wrote:
> Hi,
>
> On Wednesday 16 May 2012 17:29:44 Anthony G. Basile wrote:
>> On 05/16/2012 12:12 PM, PaX Team wrote:
>>> On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:
>>>
>>>> at the moment the thunderbird-e
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 18.05.2012 09:18, Matthew Thode wrote:
> On 05/17/2012 01:42 PM, RB wrote:
>> On Thu, May 17, 2012 at 6:04 AM, Anthony G. Basile
>> wrote:
>>> Please open a bug, attach both config files. It would be
>>> useful if you also identify on which optio
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 20.05.2012 22:09, Grant wrote:
> Does anyone know if hardened-sources includes the Gentoo patchset?
>
> - Grant
>
The ebuild names GENPATCHES_URI as a download source.
In the ChangeLog there are entries like:
14 May 2012; Anthony G. Basile
+hardened
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 26.05.2012 21:30, Sven Vermeulen wrote:
> Hi guys,
>
> I've made an attempt to document, in a high-level and simple
> approach, the changes made to a SELinux installation since a
> particular date. This might help users, who have installed SELinux
he way is in the
older versions defined two times). If I remove the "execute" from
db_schema it builds. I don't know if db_schema needs execute, if not
it should be dropped, otherwise execute should be defined for
db_schema, I think.
WKR
Hinnerk van Bruinehsen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 27.06.2012 09:19, Alex Efros wrote:
> Hi!
>
>> # ip6tables -A INPUT -j DROP
>> # ip6tables -A OUTPUT -j DROP
>> # ip6tables -A FORWARD -j DROP
>> There you are safe now.
>
> Safe, but not working. Do you enable the ipv6 USE flag just to force
> people to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 21.07.2012 15:51, Ivan Gooten wrote:
> hello,
>
> I have just installed selinux on my gentoo box, and getting
> difficulties in permissive mode. If someone can have a look at this
> and point me somewhere...
>
> Emerge doesn't work If i run it fro
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 17.08.2012 08:56, Grant wrote:
>> I recently moved my server from:
>>
>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>
>> to:
>>
>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>> (Server) Virtualization Type (None) R
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 17.08.2012 11:47, Grant wrote:
I recently moved my server from:
3.2.11-hardened Security Level (Hardened Gentoo [server])
to:
3.4.5-hardened Configuration Method (Automatic) Usage Type
(Server) Virtualizat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 22.08.2012 09:12, f.p.barile@gmail.com2 wrote:
> Hi Sven, nice to meet you again and thank you for your work in
> SELinux and for your help.
>
> I did as you suggested reading the denials step by step. Anyway I
> didn't find a way to start pulseaud
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 26.10.2012 17:45, Stan Sander wrote:
> Probably something I don't have tweaked just right, but a while ago
> when I tried to sudo it failed. I built this system at least 6
> months ago and followed the procedures that were posted at that
> time, bu
On Mon, Dec 17, 2012 at 02:45:46PM -0800, Grant wrote:
> I noticed the Processor Family list is much smaller in hardened-sources
> than in other kernels, even with CONFIG_GRKERNSEC disabled. Is that an
> unavoidable side-effect of the patches, or can I enable/disable something
> to bring the full
On Wed, Dec 19, 2012 at 01:22:21PM -0800, Grant wrote:
> > > I noticed the Processor Family list is much smaller in hardened-sources
> > > than in other kernels, even with CONFIG_GRKERNSEC disabled. Is that an
> > > unavoidable side-effect of the patches, or can I enable/disable
> something
> > >
Hi,
maybe I can help you. I hit a similar problem a while ago.
I presume that you use a tmpfs for /run. If that's the case you may need
to relabel /dev/utmp (not inside the tmpfs but on the disk itself - use a
bind mount and the instructions for relabeling /lib from the handbook, or
unmount /run).
Ano
Normally you should have built nearly everything with PIE (there is a
nifty but slightly outdated script called checksec.sh) - on my
system (a desktop with KDE right now) every running process has PIE
enabled.
You can enable and disable it via gcc-config (there are nopie and nopic
and vanilla com
On Sun, May 12, 2013 at 09:14:29PM -0600, Stan Sander wrote:
> I doubt this is specifically a hardened issue, but this is the only list
> I'm currently subscribed to and I know there are some very savvy folks
> who hang out here. I've been poking at this issue off and on for a
> couple of months (
On Mon, May 13, 2013 at 10:34:09AM -0600, Stan Sander wrote:
> On 05/13/2013 03:03 AM, Hinnerk van Bruinehsen wrote:
> > Hi,
> >
> > I'd bet on libffi as the culprit. You may try to use the version from
> > the hardened overlay (there was one that should patch t
On Mon, May 13, 2013 at 09:55:38AM -0600, Stan Sander wrote:
> On 05/13/2013 02:44 AM, Alexander Tsoy wrote:
> > Hello! Do you have errors like 'grsec: denied RWX mprotect of ...' in
> > dmesg or journal? Also see this bug report:
> > https://bugs.gentoo.org/show_bug.cgi?id=455938
> I'm not using
On Wed, Sep 11, 2013 at 11:44:07PM +0300, Balint Szente wrote:
> On Wed, 11 Sep 2013 19:55:13 +0200
> Amadeusz Sławiński wrote:
>
> > [...]
> > > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
> > > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or"
> > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR:
> > This method is incom
On Wed, Sep 18, 2013 at 11:14:44AM +0200, Andreas Prieß wrote:
> Hei!
>
> I see that hardened-sources-3.10.10 and 3.10.11 were removed because of
> bug #485120.
>
> I just wanted to note that for me the currently stable 3.10.1-r1 has a
> reproducible kernel panic while booting on my AMD FX-8150 (
On Sat, Sep 21, 2013 at 07:55:40PM +0300, Balint Szente wrote:
> Hello Anthony!
>
>
> pypaxctl itself works, but I found the way to reproduce the issue:
>
> 1. Set the PT flags for the nvidia GL library:
>
> # paxctl -c /usr/lib/opengl/nvidia/lib/libGL.so.325.15
> # paxctl-ng -em /usr/lib/opengl/nv
Hi,
If one builds Xorg it's built with only partial RELRO enabled (test e.g. with
checksec.sh).
This is caused by the xorg-2.eclass and affects seemingly all packages that use
that eclass (it has a conditional that checks if hardened is used and filters
some flags).
Does anyone know why this is th
On Tue, Oct 01, 2013 at 11:59:33AM +0200, "Tóth Attila" wrote:
> You made me curious, so I took a look at this.
>
> The eclass has a single function stating: "Set up CFLAGS for a debug
> build" in its description. Although it is not conditional for debug
> builds, so gets applied all the time, b
On Tue, Oct 01, 2013 at 06:54:10PM +0300, Alex Efros wrote:
> Hi!
>
> On Tue, Oct 01, 2013 at 04:35:29PM +0200, Hinnerk van Bruinehsen wrote:
> > I've had no time to create a hardened environment on my only nvidia machine
> > to
> > test nouveau and nvidia (the
On Tue, Oct 01, 2013 at 10:34:07PM +0300, Alex Efros wrote:
> Hi!
>
> On Tue, Oct 01, 2013 at 09:21:00PM +0200, Hinnerk van Bruinehsen wrote:
> > If you want to try, you could try the xorg-2.eclass from here:
> >
> > https://github.com/N8Fear/hvb-overlay/blob/
On Thu, Oct 16, 2014 at 08:02:21PM -0400, James Cloos wrote:
> I'm testing the hardened/musl profile.
>
> The initial emerge world wants to downgrade some (but not all) of the
> packages which have replacements in hardened-dev. They include:
>
> sys-apps/tcp-wrappers-7.6.22-r1::gentoo [7.6.22-r
35 matches