Kerin Millar wrote:
> 2008/10/13 Matt Harrison <[EMAIL PROTECTED]>:
>> I'm still fiddling to get my firewall running smoothly on hardened/selinux
>>
>> I'm re-emerging various things but I'm seeing this:
>>
>> PIE hardening not applied, as your compiler doesn't default to PIE
>>
>
> You set the "hardened" USE flag, which is normally exported by the
> standard hardened profile and, indeed, the equivalent sub-profiles in
> the selinux namespace. This is appropriate when using - and building -
> the hardened toolchain. In the case of glibc, it installs several
> patches to aid in the generation of system-wide PIE binaries and
> facilitates SSP handling. However, you are not actually using a
> suitable instance of gcc with the correct specs activated, presumably
> because you didn't begin with a hardened stage tarball - and toolchain

Well, I installed from the stage3-hardened 2008 tarball... then I recompiled most of it for selinux, all the time my profile was set to selinux-hardened.

> - in the first instance (in turn, perhaps owing to the somewhat
> irregular nature of the SELinux installation process in Gentoo). The
> only supported compiler for this particular intent is gcc-3.4.6-r2 and
> you may peruse and switch between the available specs using the
> gcc-config tool.

Maybe it's defaulting to using 4.x and that isn't hardened.

> For further details, please refer to the following
> pages:
>
> http://www.gentoo.org/proj/en/hardened/primer.xml
> http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml
>
> Cheers,
>
> --Kerin
>

Thanks, I will look at them. I'm still having plenty of problems with running network services under selinux enforced mode, but I'm trying to sort the problems from the ground up at the moment :)

Matt
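A quick way to check what the "doesn't default to PIE" message is complaining about, independent of gcc-config's output: build a trivial program with whatever gcc is currently selected and read the ELF type of the result (a PIE is ET_DYN, a non-PIE executable is ET_EXEC). This is an added example, not code from the thread; it assumes a POSIX sh with od and mktemp, and a gcc on PATH (or one named via CC).

```shell
#!/bin/sh
# elf_type FILE: print "pie" for ET_DYN, "no-pie" for ET_EXEC, "other"
# for any other e_type, or "not-elf" if the magic does not match.
elf_type() {
  f=$1
  magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
  [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 1; }
  # EI_DATA at offset 5: 1 = little-endian, 2 = big-endian
  set -- $(od -An -tu1 -j5 -N1 "$f")
  data=$1
  # e_type is the 16-bit field at offset 16, stored in the file's byte order
  set -- $(od -An -tu1 -j16 -N2 "$f")
  if [ "$data" = "2" ]; then
    etype=$(( $1 * 256 + $2 ))
  else
    etype=$(( $2 * 256 + $1 ))
  fi
  case $etype in
    3) echo "pie" ;;
    2) echo "no-pie" ;;
    *) echo "other" ;;
  esac
}

# compiler_defaults_to_pie: compile a throwaway program with the active
# compiler (the one gcc-config currently selects, or $CC) using no extra
# flags, so the result reflects the compiler's own default specs.
compiler_defaults_to_pie() {
  tmp=$(mktemp -d) || return 2
  printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
  if "${CC:-gcc}" -o "$tmp/t" "$tmp/t.c" 2>/dev/null; then
    elf_type "$tmp/t"
  else
    echo "compile-failed"
  fi
  rm -rf "$tmp"
}
```

Run `compiler_defaults_to_pie` after each `gcc-config` switch: "no-pie" from a compiler that is supposed to be the hardened one means the hardened specs are not the active ones.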
