<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://blog.gmane.org/gmane.linux.gentoo.hardened">
    <title>gmane.linux.gentoo.hardened</title>
    <link>http://blog.gmane.org/gmane.linux.gentoo.hardened</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3795"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3773"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3771"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3764"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3763"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3760"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3741"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3740"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3739"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3735"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3729"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3726"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3723"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3710"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3701"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3693"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3690"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3685"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3662"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/3657"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3795">
    <title>tg3 driver - transmit timed out, resetting</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3795</link>
    <description>
Hello Folks!

Maybe some of you have seen this before, or know something ...  I have a 
Broadcom NetXtreme card which has locked up twice within 13 days.  I 
upgraded to the 2.6.25-hardened-r8 kernel mid-October, and have a feeling 
this upgrade introduced this issue.  Before that I was on 
linux-2.6.22-hardened-r8 for over a year without any problems.  The log 
entries from both episodes are identical.

Any hints?  Are there any safe 2.6.26 or 2.6.27 kernels available?


kind regards,

David Sommerseth


----------------------------------------------------------------------------
06:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5721 Gigabit 
Ethernet PCI Express (rev 21)
         Subsystem: IBM eServer xSeries server mainboard
         Flags: bus master, fast devsel, latency 0, IRQ 219
         Memory at d8200000 (64-bit, non-prefetchable) [size=64K]
         Capabilities: [48] Power Management version 2
         Capabilities: [50] Vital Product Data &lt;?&gt;
         Capabilities: [58] Message Sign</description>
    <dc:creator>David Sommerseth</dc:creator>
    <dc:date>2008-11-28T13:28:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3773">
    <title>whitelist of apps granted network access?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3773</link>
    <description>Is there some known good way to make an effective whitelist of applications, 
which are granted network access?

By the way, there is another related question: I remember, I once started 
googleearth as user1 and had firefox running as user2; really, googleearth 
opened link into user2's firefox! So I can easily have an illusion of 
protection such a way (user1 application bypasses firewall by signalling 
user2 application somehow).
What is the question, really? How can I know that a particular application can 
make / accept a dangerous signal (or other interprocess comm.) and how can I 
forbid that, if necessary? 

Jan


</description>
    <dc:creator>Jan Klod</dc:creator>
    <dc:date>2008-11-25T15:13:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3771">
    <title>hardened workstation - is that worth it?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3771</link>
    <description>Suppose I want to take some extra precautions and set up PaX&amp;co and MAC on a 
workstation with Xorg and other nice KDE apps (only some of which should be 
granted access to files in folder X). I would like to read others' opinions on whether 
I can get considerable security improvements, or whether I will have to make so many 
exceptions to those good rules that it makes the protection useless?

Regards,
Jan


</description>
    <dc:creator>Jan Klod</dc:creator>
    <dc:date>2008-11-25T15:00:45</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3764">
    <title>How to compile with hardened toolchain?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3764</link>
    <description>Please, could someone give a short introduction on how I should make sure I 
am compiling with hardened features support? And what if I do it manually with 
some "make" or "gcc" or "g++"?
Thank you...


</description>
    <dc:creator>Jan Klod</dc:creator>
    <dc:date>2008-11-24T20:06:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3763">
    <title>Isolate users/programs?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3763</link>
    <description>Well, the idea is: if program is started with userid N != 0, what are the ways 
it can access the information, it is supposed to be forbidden to access in a 
normal Linux configuration (other users info)? 
As you might think, I am not really sure of what I need other than a way to 
forbid all the users access to other users files unless they are in a group 
and permissions allow it.
Many wild things can happen, I just think, this might be a good place where I 
could ask.

For example: I install a mailserver or run samba on a server, where some other 
things are going on and I totally don't want them to interfere in any 
possible way unless it has been intended. 

Hope, I made it clear enough...

Jan


</description>
    <dc:creator>Jan Klod</dc:creator>
    <dc:date>2008-11-24T20:03:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3760">
    <title>Grsecurity: Role flag "G" problem</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3760</link>
    <description>Since I've upgraded to a kernel based on 2.6.27 (2.6.27-hardened-r1), some
error messages are logged every time I authenticate myself as root.
"
Nov 23 10:09:44 hostname grsec: (root:U:/sbin/gradm) denied access to
hidden file /root by /sbin/gradm[gradm:7187] uid/euid:0/0 gid/egid:0/0,
parent /bin/bash[bash:7033] uid/euid:0/0 gid/egid:0/0
"
Role flag "G" is specified for root in order to make this user able to
authenticate using gradm. Some directories - including boot - are hidden.
No matter if I replace "h" with "hs" for role root, these messages still get
logged. If I try to create a policy for gradm, grsec reports that I've
tried to modify an already existing instance - which is probably included
because of Role flag "G", but the exact contents are hidden.
This behavior appeared recently.

Did I miss something?
Any ideas on this are greatly appreciated.

Is it discouraged to authenticate using gradm while logged in as root?

Regards,
Dw.
</description>
    <dc:creator>atoth-J1cgac+wqeJaB7pSnPOuKA&lt; at &gt;public.gmane.org</dc:creator>
    <dc:date>2008-11-23T09:48:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3741">
    <title>Tin Hat Linux 20081025 released</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3741</link>
    <description>Hello everyone,

I just wanted to make the list aware that a new release of Tin Hat is
out.  This release did not add new features, but addressed some
bugs/security issues.  The major changes included the kernel upgraded to
hardened 2.6.25-r8, gnome upgraded to 2.22.3 and postfix upgraded to
2.5.5 to address a security issue.

For those unfamiliar with Tin Hat, it is a linux distro derived from
hardened Gentoo which aims to provide a very secure, stable and fast
Desktop environment that lives purely in RAM.

Home page: http://opensource.dyc.edu/tinhat
Downloads: http://opensource.dyc.edu/tinhat-downloads

--Tony Basile





</description>
    <dc:creator>dante</dc:creator>
    <dc:date>2008-10-30T15:14:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3740">
    <title>SELinux boot errors - udev/dhcpcd</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3740</link>
    <description>Hello, 
 I'm trying to install SELinux on a fresh Gentoo install and have
followed the guide, but the system will not boot in enforcing mode.

There are numerous messages that say
Unable to exec /lib64/udev/path_id:Permission denied.
The initscripts then get stuck when running DHCP for an address, and
that's as far as I have gotten. I have tried relabeling repeatedly.
Any idea what's going on?
Thanks


</description>
    <dc:creator>George Socker</dc:creator>
    <dc:date>2008-10-28T22:31:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3739">
    <title>I want to use bastille..</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3739</link>
    <description>Hello, what version of bastille works fine with gentoo.2008? I'm trying to install a server with the selinux-hardened profile. I read about the Bastille project at http://www.gentoo.org/proj/en/hardened/ and I want to use it on my server. I installed a version masked in /usr/portage/profiles/package.mask, but it doesn't work like it is written there. What do I have to do to use bastille?

This too shall pass..
Eroz.


</description>
    <dc:creator>Ernesto Rodriguez Ortiz</dc:creator>
    <dc:date>2008-10-27T18:33:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3735">
    <title>Stopping libselinux being linked</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3735</link>
    <description>Well I've given up on selinux now and I'm trying to just get rid of selinux
and just use a hardened system.

I've changed my profile and recompiled the system so none of it is using the
selinux flag.

The problem is that even though the selinux USE flag isn't enabled, packages
like coreutils are still linking into libselinux. So if I remove libselinux
and all the selinux related packages, it breaks a whole load of binaries on
the system, so much so that I can't recompile packages afterwards.

How should I proceed to eradicate selinux from my system? or am I stuck with
the libraries now until I do a full re-install?

Thanks

Matt
</description>
    <dc:creator>Matt Harrison</dc:creator>
    <dc:date>2008-10-26T16:02:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3729">
    <title>Failure when "switching" to hardened-gentoo profile</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3729</link>
    <description>Hello.

I was trying to make a switch from a normal, freshly installed gentoo to
hardened as described in the PaX quickstart.
http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml Though, that
guide fails to mention when I should boot hardened-sources.
Not sure if after "emerge binutils gcc virtual/libc" or "emerge -e
world", but I got this error, which persists:

============================================================================
*** stack smashing detected ***: cc1 - terminated
cc1: stack smashing attack in function ix86_split_to_parts - terminated
Report to http://bugs.gentoo.org/
i686-pc-linux-gnu-gcc: Internal error: Killed (program cc1)
Please submit a full bug report.
See &lt;URL:http://bugs.gentoo.org/&gt; for instructions.
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/s_catanl.o]
Error 1
make[2]: Leaving directory
`/var/tmp/portage/sys-libs/glibc-2.6.1/work/glibc-2.6.1/math'
make[1]: *** [math/others] Error 2
make[1]: Leaving director</description>
    <dc:creator>Jan Klod</dc:creator>
    <dc:date>2008-10-25T18:44:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3726">
    <title>Autoreply: bastille</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3726</link>
    <description>

</description>
    <dc:creator>oxbvdarbbvy-ZFVw8cl5+jdGBRGhe+f61g&lt; at &gt;public.gmane.org</dc:creator>
    <dc:date>2008-10-24T15:00:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3723">
    <title>What if I won't need multilib after couple of years?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3723</link>
    <description>Good day to you all!

Will moving away from multilib automatically force me to make a fresh install of 
the whole system, which is painful? 
Will there be serious performance losses if I use multilib (is the bulk of 
GNU software running in 64 then)?
And one more transition question: how about moving from gentoo to hardened-* 
after gentoo is installed?

/installing fresh system now.../


</description>
    <dc:creator>Jan Klod</dc:creator>
    <dc:date>2008-10-17T11:19:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3710">
    <title>glibc not using PIE</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3710</link>
    <description>I'm still fiddling to get my firewall running smoothly on hardened/selinux

I'm re-emerging various things but I'm seeing this:

 PIE hardening not applied, as your compiler doesn't default to PIE

When emerging glibc, google doesn't have any answers...


Any ideas?

thanks

Matt


</description>
    <dc:creator>Matt Harrison</dc:creator>
    <dc:date>2008-10-13T21:52:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3701">
    <title>/etc/init.d/named stop hangs</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3701</link>
    <description/>
    <dc:creator>Markus Bartl</dc:creator>
    <dc:date>2008-10-08T12:45:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3693">
    <title>/etc/init.d/dhcpd start -&gt; error</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3693</link>
    <description/>
    <dc:creator>Markus Bartl</dc:creator>
    <dc:date>2008-10-06T15:04:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3690">
    <title>problem with Apache2::Request</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3690</link>
    <description>Hi,

Currently just not able to get Apache2::Request to work on Gentoo
hardened amd64.

Did an emerge of www-apache/libapreq2-2.08-r2 and all compiled fine.

Did the following test using a simple perl script as follows,

perl test.pl

The contents of test.pl are as follows.

----------- start ------------------

use strict;

use Apache2::Request;

------------ end -------------------



Got the following error,

------------ start ----------------------

Can't load '/usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/auto/APR/Request/Apache2/Apache2.so'
for module APR::Request::Apache2:
/usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/auto/APR/Request/Apache2/Apache2.so:
undefined symbol: modperl_xs_sv2request_rec
at /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/DynaLoader.pm line 230.
 at
/usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/Apache2/Reque</description>
    <dc:creator>P.V.Anthony</dc:creator>
    <dc:date>2008-10-02T23:07:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3685">
    <title>SELinux boot errors</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3685</link>
    <description/>
    <dc:creator>Markus Bartl</dc:creator>
    <dc:date>2008-10-01T06:45:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3662">
    <title>Password for sysadm_r</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3662</link>
    <description>Hi there.

Is there any chance to set a different password for the sysadm_r role 
than the root password?
Excuse me if my questions seem dumb, but I'm doing my first steps in SELinux.

Let me describe my goal:
I want to let cron do its job as it's supposed to do.
But: I want manipulation of the scripts getting launched by cron only to 
be possible in sysadm_r.
And I want the command "crontab -e" only to be available in sysadm_r.

Thanks and I hope nobody will lose patience ;-)

Many kind regards,
Markus



</description>
    <dc:creator>Markus Bartl</dc:creator>
    <dc:date>2008-09-28T08:04:01</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3657">
    <title>Documentation</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3657</link>
    <description>Hi there.

Can anybody recommend a good documentation with examples or maybe a good 
tutorial on SELinux?
I suppose I have a bit of a lack of basic knowledge on things concerning 
SELinux.


Thanks and many kind regards,
Markus



</description>
    <dc:creator>Markus Bartl</dc:creator>
    <dc:date>2008-09-27T21:04:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/3652">
    <title>weak policy?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/3652</link>
    <description>Hi there.

I've got my SELinux kernel up and running.
What I'm wondering about is that I can restart services without changing 
to the sysadm_r role.
I'm logged on as root but root belongs only to staff_r.
Do I have to worry about it or is this just as expected?
I'm new to SELinux. I've just dealt with regular hardened stuff, so I get lost 
in the basics, I guess.

Regards,
Markus



</description>
    <dc:creator>Markus Bartl</dc:creator>
    <dc:date>2008-09-27T13:38:51</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.linux.gentoo.hardened">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.gentoo.hardened</link>
  </textinput>
</rdf:RDF>
