hardened linux pointers please
Greetings,

I am looking to build a new Opteron server soon, and I want to look at
securing it with SELinux.

Due to my own ignorance, I am a little confused as to the differences
between the Hardened project and SELinux, PaX, GRSecurity etc.

My feeling is that the hardened project is really a collection of
like-minded security projects (i.e. selinux, grsecurity, pax), and that,
using the hardened USE flag, binaries that support it will build with
hardened security features.

As I am building this new AMD64 system from scratch, where should I
start? What stage tarball should I be using? What livecd?

Most importantly what profile do I use?
/usr/portage/profiles/hardened/amd64/ or /usr/portage/profiles/selinux/ ?

Should I be using the selinux USE flag these days, or is that
deprecated in favour of the selinux profile? Should I have both?

My guess is that I should use a PaX-enabled kernel with SELinux, or
perhaps GRSecurity, or even both.

Any pointers to get me started would be most appreciated.

Cheers,

Chris
--
gentoo-security@gentoo.org mailing list
Re: hardened linux pointers please
Thanks Joey,

That was generally my feeling as well, however where does one start?

Should I be using the selinux profile?

Do I then extract stage3-x86-selinux-pie-ssp-20041123.tar.bz2?

I assume I'll have to re-build it all with a newer version of GCC and
emerge -e system to get support for AMD64.

I can't see how I get selinux support if I use the hardened profile, so
I assume the selinux profile is the only way to go; then emerge
hardened-sources and enable PaX, grsecurity and selinux too.

From the USE flag guide it says NOT to use USE=selinux, but to use the
selinux profile instead. I assume I can still use the hardened USE flag
though.

So, my thoughts are:

extract stage3-x86-selinux-pie-ssp-20041123.tar.bz2
emerge --sync
link /etc/make.profile to /usr/portage/profiles/selinux
update to newer GCC
edit make.conf to support -march=opteron
emerge -e system
then progress with rest of install

I'll see how I go with that, unless someone else has an idea as to what
I should be doing.

Cheers

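The profile switch and make.conf edit from the plan above, as an added example (not code from the thread or from Gentoo): two idempotent POSIX sh functions that take a root prefix so the change can be rehearsed on a scratch tree before it is applied to the live system. It assumes the profile directory already exists under /usr/portage/profiles after `emerge --sync` and that make.conf lives in /etc.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo: the profile switch
# and make.conf edit from the plan above as idempotent functions. Both take a
# ROOT prefix ("" for the live system) so they can be rehearsed on a scratch
# tree first. Assumes the profile directory already exists after emerge --sync.

# select_profile ROOT PROFILE: point ROOT/etc/make.profile at
# ROOT/usr/portage/profiles/PROFILE, refusing a directory that carries neither
# make.defaults nor parent (a mistyped path would otherwise leave portage
# with no usable profile and fail only later, in the middle of emerge -e).
select_profile() {
    root=$1; rel=$2
    target="$root/usr/portage/profiles/$rel"
    if [ ! -f "$target/make.defaults" ] && [ ! -f "$target/parent" ]; then
        echo "select_profile: $target is not a profile directory" >&2
        return 1
    fi
    ln -sfn "$target" "$root/etc/make.profile"
}

# set_march ROOT ARCH: rewrite CFLAGS in ROOT/etc/make.conf so it carries
# exactly one -march=ARCH, keeping the other flags (-O2, -pipe, ...) from the
# previous CFLAGS line and dropping any old -march/-mcpu. CXXFLAGS is set to
# follow CFLAGS. Running it twice yields the same file.
set_march() {
    root=$1; arch=$2
    conf="$root/etc/make.conf"
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    # Flags of the last CFLAGS line, minus any architecture selection.
    old=$(sed -n 's/^CFLAGS="\(.*\)"$/\1/p' "$conf" | tail -n 1)
    kept=$(printf '%s\n' "$old" | tr ' ' '\n' \
           | grep -v -e '^-march=' -e '^-mcpu=' -e '^$' | tr '\n' ' ')
    flags="-march=$arch $kept"
    flags=${flags% }
    # Everything except the old CFLAGS/CXXFLAGS lines, then the new ones.
    grep -v -e '^CFLAGS=' -e '^CXXFLAGS=' "$conf" > "$tmp" || true
    printf 'CFLAGS="%s"\n' "$flags" >> "$tmp"
    printf 'CXXFLAGS="${CFLAGS}"\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# On the real system, as root, after emerge --sync:
#   select_profile "" selinux && set_march "" opteron
```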
Re: hardened linux pointers please
I am in no way an expert on these things, but this is what I've gathered
in my experience:

I would go with SELinux for the ACL-type of security rather than
GRSecurity, mainly because I think there are ebuilds in portage to help
set up SELinux for your specific software (selinux-squid,
selinux-spamassassin, etc).

With that said, the other non-ACL-related GRSecurity features are
excellent. I would highly recommend poking around in there. There are some
really nice things to play with.

PaX is great as well, I would highly recommend checking out those options.

Basically I'd recommend using all 3 of them, GRSecurity, PaX, and SELinux
(as well as the other kernel security features hardened-dev-sources
offers).

HTH :)
Re: hardened linux pointers please
Hi,

I'm not really sure if PaX is really needed for amd64. The kernel could
use the NX bit to mark non-executable pages (I think 2.6 does this for
you). Even -fstack-protector could be unneeded (I can't think of a
feature -fstack-protector provides which the NX bit doesn't cope with).
I've been using grsecurity for quite a while and think of it as one of the
greatest security enhancements for the Linux kernel. You should use the
randomization parts (for TCP/IP sequences etc.). The chmod restrictions
are very nice, too. Logging should be activated for segfaulting
processes, and fork delays are also quite neat. Protecting /dev/kmem and
so on can give quite good security, but some Xorg drivers don't work with
this; you have to test it.
I'm not very experienced with ACLs; it needs a lot of work and has to be
done very properly, otherwise you gain nothing from it.

cu,
Ronny
Re: hardened linux pointers please
I'd be careful with PaX. The maintainer stopped supporting it after a
serious flaw was found:

http://mirrorshades.net/~bda/foo/PaX_doom.txt

I guess there were patches for it, but...

That said, I've never used it, so maybe someone with some more
up-to-date information can tell us what the rest of the fallout of this
was.

--Kevin

On Sat, Apr 02, 2005 at 09:38:29PM -0500, Joey McCoy wrote:
Re: PaX vulnerability (support dropout)
It appears disabling SEGMEXEC and/or RANDEXEC gets around this issue. I
don't use either of those due to other issues they presented. Seems the
other issues of PaX still work perfectly fine, or am I way off here?

The only issue left is someone else picking up the project. GRSecurity
almost disappeared a few months ago, I'm sure PaX will come back just as
GRSecurity did. ;)

Re: hardened linux pointers please
Chris Smart wrote:

> Any pointers to get me started would be most appreciated.

Since no one else has spoken up, you may also ask this question on the
gentoo-hardened ML. You might get more/better answers.

--
Bork Bork Bork!

Aaron Walker <ka0ttic@gentoo.org>
[. BSD | cron | forensics | shell-tools | commonbox | netmon | vim | web-apps ]
Re: hardened linux pointers please
Thanks for your advice, Ronny. I will look into it.

I won't need X, because it'll just be a server, so hopefully that will take
care of a few bugs!

Cheers

Re: PaX vulnerability (support dropout)
Has anyone been following the situation with PaX? I want very much to
continue using it, but the recent issues surrounding it seem rather
serious. Should we be disabling PaX entirely on our systems (i.e.
recompiling the tool-chain) or just recompiling our kernels without
SEGMEXEC and RANDEXEC enabled?

Re: PaX vulnerability (support dropout)
dante wrote:

> Has anyone been following the situation with PaX? I want very much to
> continue using it, but the recent issues surrounding it seem rather
> serious. Should we be disabling PaX entirely on our systems (i.e.
> recompiling the tool-chain) or just recompiling our kernels without
> SEGMEXEC and RANDEXEC enabled?

No need to work around the problem. This has been fixed, so you should
just switch to a fixed kernel:

latest gentoo-sources
hardened-sources-2.4.28-r5
hardened-dev-sources-2.6.11-r1
grsec-sources-2.4.29.2.1.3

See progress on https://bugs.gentoo.org/show_bug.cgi?id=84167

--
Koon