2008/10/13 Matt Harrison <[EMAIL PROTECTED]>:
> I'm still fiddling to get my firewall running smoothly on hardened/selinux
>
> I'm re-emerging various things but I'm seeing this:
>
>  PIE hardening not applied, as your compiler doesn't default to PIE
>

You set the "hardened" USE flag, which is normally exported by the
standard hardened profile and, indeed, the equivalent sub-profiles in
the selinux namespace. This is appropriate when using - and building -
the hardened toolchain. In the case of glibc, it installs several
patches to aid in the generation of system-wide PIE binaries and
facilitates SSP handling. However, you are not actually using a
suitable instance of gcc with the correct specs activated, presumably
because you didn't begin with a hardened stage tarball - and toolchain
- in the first instance (in turn, perhaps owing to the somewhat
irregular nature of the SELinux installation process in Gentoo). The
only supported compiler for this particular intent is gcc-3.4.6-r2 and
you may peruse and switch between the available specs using the
gcc-config tool. For further details, please refer to the following
pages:

http://www.gentoo.org/proj/en/hardened/primer.xml
http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml

Cheers,

--Kerin
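A quick way to confirm what the reply above describes, as an added example that is not part of the original email: build a trivial program with no extra flags and read the ELF header's `e_type` field, which is `ET_DYN` for a position-independent executable and `ET_EXEC` for a fixed-address one. The function names `elf_type` and `check_default_pie` are hypothetical, and the compiler is assumed to be `gcc` unless `CC` is set.

```shell
#!/bin/sh
# Added example (hypothetical helper names): does the active compiler emit PIE by default?

# elf_type FILE -> prints EXEC (fixed address), DYN (PIE or shared object),
# OTHER, or NOT_ELF. Reads only the ELF identification bytes and e_type.
elf_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo NOT_ELF; return 1; }
    # EI_DATA at offset 5: 1 = little-endian, 2 = big-endian
    data=$(od -An -tu1 -j5 -N1 "$f" 2>/dev/null | tr -d ' \n')
    # e_type is the 2-byte field at offset 16
    set -- $(od -An -tu1 -j16 -N2 "$f" 2>/dev/null)
    [ $# -eq 2 ] || { echo OTHER; return 1; }
    if [ "$data" = "2" ]; then
        t=$(( $1 * 256 + $2 ))
    else
        t=$(( $2 * 256 + $1 ))
    fi
    case $t in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo OTHER ;;
    esac
}

# Compile a trivial program with no hardening flags and classify the result.
# Returns 0 if the compiler defaults to PIE, 1 if not, 2 if undetermined.
check_default_pie() {
    cc=${CC:-gcc}
    dir=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$dir/t.c"
    if "$cc" -o "$dir/t" "$dir/t.c" 2>/dev/null; then
        kind=$(elf_type "$dir/t") || true
    else
        kind=COMPILE_FAILED
    fi
    rm -rf "$dir"
    case $kind in
        DYN)  echo "$cc defaults to PIE" ;;
        EXEC) echo "$cc does not default to PIE"; return 1 ;;
        *)    echo "could not determine ($kind)"; return 2 ;;
    esac
}

# Run the compiler check only when asked: sh script.sh --check
if [ "${1:-}" = "--check" ]; then check_default_pie; fi
```

Running it before and after switching specs with gcc-config shows whether the selected profile actually changes the compiler's default output.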
