On Wed, Nov 27, 2013 at 02:26:20PM +0100, Jan Cholasta wrote:
> Hi,
> 
> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4010>.
> 
> Honza
> 
> -- 
> Jan Cholasta

> From 27fe562102962416f3db17b1b30be978a8c201b3 Mon Sep 17 00:00:00 2001
> From: Jan Cholasta <jchol...@redhat.com>
> Date: Wed, 27 Nov 2013 13:13:16 +0000
> Subject: [PATCH 1/2] Use hardening flags for ipa-otpd.
> 
> https://fedorahosted.org/freeipa/ticket/4010
> ---
>  daemons/ipa-otpd/Makefile.am | 2 +-
>  freeipa.spec.in              | 4 ++++
>  2 files changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
> index ed99c3e..f0b7528 100644
> --- a/daemons/ipa-otpd/Makefile.am
> +++ b/daemons/ipa-otpd/Makefile.am
> @@ -1,5 +1,5 @@
>  AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
> -AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
> +AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie 
> -Wl,-z,relro -Wl,-z,now
>  
>  noinst_HEADERS = internal.h
>  libexec_PROGRAMS = ipa-otpd
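Review bot: `-pie` is added to AM_LDFLAGS but AM_CFLAGS gets no matching `-fPIE`. Objects compiled without `-fPIE`/`-fPIC` cannot be linked into a position-independent executable (on x86_64 the link fails with relocation errors), so this hunk only works where the outer CFLAGS already carry `-fPIE`, as they do when the spec file's hardened build is in effect, and a plain `./configure && make` outside the package build breaks. Either add it here (`AM_CFLAGS := $(CFLAGS) -fPIE @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@`) or drop the hard-coded link flags and rely on the packaging macros, which already inject `-pie` and `-z now`; carrying both is redundant. Keep `-Wl,-z,relro` together with `-Wl,-z,now`, since only the pair gives full RELRO (a read-only GOT after all symbols are bound at startup).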
> diff --git a/freeipa.spec.in b/freeipa.spec.in
> index 35b8714..8ee69fc 100644
> --- a/freeipa.spec.in
> +++ b/freeipa.spec.in
> @@ -5,6 +5,10 @@
>  %global POLICYCOREUTILSVER 2.1.12-5
>  %global gettext_domain ipa
>  
> +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
> +%define _hardened_build 1
> +%endif
> +
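Review bot: `%define _hardened_build 1` should be `%global _hardened_build 1`, matching the `%global` lines directly above it and the Fedora packaging guideline that spec-wide macros use `%global`. The version condition `0%{?fedora} > 15 || 0%{?rhel} >= 7` is also undocumented; a one-line comment in the spec (or a sentence in the commit message) saying which redhat-rpm-config introduced `_hardened_build` would let the next reader know when the bound can be dropped.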

I'm sorry, I removed Martin's e-mail by accident, so I'll reply here. I
think defining the hardened build globally is fine; the only performance
impact is during startup, and it is small.

AFAIR, the C utilities in IPA are mostly daemons and you really want to
have full RELRO enabled there.

The only gotcha we found so far (well, Nalin did) was that SELinux was
not happy with full RELRO on some exotic architectures, like s390x.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
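The flags the patch adds (PIE via `-pie`, full RELRO via `-Wl,-z,relro -Wl,-z,now`) are visible in the built binary: `readelf -l` shows a GNU_RELRO segment, `readelf -d` shows BIND_NOW or FLAGS_1 NOW, and `readelf -h` shows type DYN for a PIE. As an added example that is not part of this thread or of FreeIPA, the following checker does the same thing without external tools by reading the ELF header, program headers and dynamic section directly. The path `/usr/libexec/ipa/ipa-otpd` in the comment is an assumption about where the daemon is installed; `build_sample_elf()` produces a constructed, non-loadable ELF64 image used only as sample input.

```python
"""Hardening check for ELF binaries: PIE, RELRO and immediate (BIND_NOW) binding.

Added example, not FreeIPA code. Reads only the ELF header, program headers
and the dynamic section; no external tools needed.
"""
import struct
import sys

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
ET_EXEC, ET_DYN = 2, 3


def parse_elf(data):
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full', 'bind_now': bool}."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    if is64:
        ehdr = struct.unpack_from(endian + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = endian + "IIQQQQQQ", endian + "qQ"
    else:
        ehdr = struct.unpack_from(endian + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = endian + "IIIIIIII", endian + "iI"
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]

    relro, tags = False, {}
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        # field order differs between ELF32 and ELF64 program headers
        p_offset, p_filesz = (ph[2], ph[5]) if is64 else (ph[1], ph[4])
        if ph[0] == PT_GNU_RELRO:
            relro = True                   # region the loader remaps read-only after relocation
        elif ph[0] == PT_DYNAMIC:
            step = struct.calcsize(dyn_fmt)
            for off in range(p_offset, p_offset + p_filesz, step):
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                tags[tag] = val

    # -z now shows up as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1
    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # A PIE is ET_DYN like a shared library; ld marks executables with DT_DEBUG
    # (newer ld also sets DF_1_PIE), which a plain .so does not carry.
    pie = e_type == ET_DYN and (DT_DEBUG in tags or bool(tags.get(DT_FLAGS_1, 0) & DF_1_PIE))
    relro_level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"pie": pie, "relro": relro_level, "bind_now": bind_now}


def is_hardened(report):
    """What the patch aims for on a daemon: PIE plus full RELRO."""
    return report["pie"] and report["relro"] == "full"


def check_file(path):
    with open(path, "rb") as f:
        return parse_elf(f.read())


def build_sample_elf(pie, relro, now):
    """Constructed ELF64 little-endian image for testing (headers only, not loadable)."""
    dyn = [(DT_DEBUG, 0)] + ([(DT_FLAGS_1, DF_1_NOW)] if now else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    nph = 2 if relro else 1
    dyn_off = 64 + 56 * nph                # header, then program headers, then .dynamic
    phdrs = [(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC, 62, 1,
                       0, 64, 0, 0, 64, 56, nph, 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn_bytes


if __name__ == "__main__":
    targets = sys.argv[1:]                 # e.g. /usr/libexec/ipa/ipa-otpd once built (assumed path)
    for path in targets:
        r = check_file(path)
        print(path, r, "OK" if is_hardened(r) else "NOT hardened")
    if not targets:
        for flags in ((True, True, True), (False, True, False)):
            r = parse_elf(build_sample_elf(*flags))
            print("constructed sample", flags, r, "OK" if is_hardened(r) else "NOT hardened")
```

Run it against the installed daemon (`python3 elfcheck.py /usr/libexec/ipa/ipa-otpd`) after a build with and without the spec's hardened-build macro; a binary built from the Makefile.am change alone reports `relro: full` but `pie` only if CFLAGS carried `-fPIE`, which is the quickest way to confirm whether the link flags and compile flags actually agree.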