Alex Efros | 20 May 23:35

xattr/acl/cap

Hi!

I'm not sure if this is the right place to ask…

What is the current status of filesystem xattr, ACL and caps?

I usually keep all of this disabled in the kernel, because I don't use them
and wanna avoid needless complexity. But today consolekit (which I don't
use, but which is installed anyway as someone's dependency) asked me to
enable CONFIG_TMPFS_POSIX_ACL, so I decided to check all this crap once again.

I may be wrong here, but after a glance at it I got this impression:

XATTR
    Needed only if you use ACL or CAPS (or wanna play with custom file
    attributes).
ACL
    Not sure about the consolekit requirement above, but otherwise it looks
    useless (if you don't need complicated file permissions).
CAPS
    Looks promising, it's always good to remove the suid bit, BUT:
    a) looks like the only app which uses it now on my workstation is
       wireshark; even /bin/ping is still installed suid
    b) pam_cap.so isn't used by default (not sure why), so you can't change
       a user's default capabilities using /etc/security/capability.conf

So, until most/all suid apps in portage get CAPS support, it looks to me
like it's better to switch all these things off.


Grant | 20 May 22:09

Does hardened-sources include the Gentoo patchset?

Does anyone know if hardened-sources includes the Gentoo patchset?

- Grant

Kevin Chadwick | 18 May 12:39

Re: systemd and gentoo

On Fri, 18 May 2012 10:29:41 +0000
Pavel Labushev wrote:

>  does pid file inspection

has regex matching now

Fair enough, but for me I prefer a simple and scripted init system.

Kevin Chadwick | 18 May 09:56

Re: systemd and gentoo

On Fri, 18 May 2012 02:56:06 +0000
Pavel Labushev wrote:

> try making your own custom scripts for runit, minit or
> similar minimalistic supervisor together with sudo or su for PAM
> support (setuid-root isn't required for root->unprivileged uid
> changes). It's simple, fast, maintainable and could be documented
> without much effort.

What's wrong with init respawn or supervise and/or monit?

Alex Efros | 18 May 06:51

Re: systemd and gentoo

Hi!

On Fri, May 18, 2012 at 02:56:06AM +0000, Pavel Labushev wrote:
> > Somebody should pull the brakes, please.
> My humble advice: try making your own custom scripts for runit, minit or

Actually, if you decide to go this way, you'll probably find the packages from my
overlay 'powerman' are a good starting point:
- Use my sys-process/runit instead of the ebuild in main portage.
  My version doesn't install the boot scripts /etc/runit/{1,2,3}, because
  the examples of these files installed by the portage version of runit try
  to boot the system the usual gentoo way, thus turning runit into a mostly
  senseless drop-in replacement for /sbin/init.
- My package power-misc/runit-scripts provides /etc/runit/{1,2,3} boot
  scripts implemented in the native runit way. They are very small (about
  200 lines of bash script used to completely boot and initialize the system)
  and easy to adapt to your needs.
- My packages runit-service/service-* will provide you with scripts to run
  many daemons under runit supervision.

Together these packages provide a complete replacement for the gentoo default
boot scripts and services (in /etc/init.d/*). I've been using this for many
years on my home workstation and all servers, and all my friends who use
Gentoo also use this way to boot the system and run services because it's much
simpler and more reliable.

-- 
			WBR, Alex.


Tóth Attila | 18 May 03:01

systemd and gentoo

I've recently come across some articles about the hal - dbus - udev -
consolekit - upower udisks - systemd movement. And there's openrc. A
couple of months ago I converted the systems to openrc.
What should we prepare for next? When will it happen? Is it already
happening?
Somebody should pull the brakes, please.

Regards:
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

RB | 16 May 18:54

hardened-sources-3.2.11 + i965 + x.org: possible regression

I'm planning on submitting a bug, but thought I'd poll the population
first since I'm having trouble putting together a good bug report
(solid lockup).

It's been a while since I updated the kernel on my T61, was at
hardened-sources-3.2.1.  Updating to 3.3.6 this week produced a viable
kernel, but when X starts the system locks hard.  In trying different
kernels I've found that the regression is somewhere between the
3.2.2-r1 and 3.2.11 versions in the mainstream portage tree.  The
following is the only dump I've been able to capture, as about 9 times out of 10
the system locks beyond SSH recovery; apologies for the zram/zcache
taint, it was captured before I started debugging and eliminated
those.  It is, however, consistent with all subsequent ones I've seen
(same IP, same call trace).  I do notice that 'make oldconfig' in the
3.2.11 tree with the config from 3.2.2-r1 comes up with a single new
option, CONFIG_KCOPY.  Thoughts?

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: [<ffffffff81278070>] i915_gem_execbuffer_reserve.clone.10+0x14/0x330
PGD 7660e000
Oops: 0000 [#1] SMP
CPU 1
Modules linked in: af_packet xt_tcpudp nf_conntrack_ipv4
nf_defrag_ipv4 xt_state nf_conntrack iptable_filter ip_tables
ip6table_filter ip6_tables x_tables ipv6 xfs zcache(C) zram(C) loop
fuse fat kvm_intel kvm isofs tun snd_hda_codec_analog pcmcia arc4
sr_mod cdrom sdhci_pci firewire_ohci pcspkr i2c_i801 sdhci
yenta_socket mmc_core firewire_core iwl4965 pcmcia_rsrc pcmcia_core
crc_itu_t iwl_legacy snd_hda_intel mac80211 uhci_hcd ehci_hcd
snd_hda_codec cfg80211 snd_hwdep snd_pcm usbcore snd_page_alloc e1000e


Paxmarkings on mail-client/thunderbird

Hi,

at the moment the thunderbird-ebuild in the tree does a "pax mark m"
on the binary.
At least for me thunderbird works fine if I just disable jit.

What would be the workflow for reporting that? Should I file a bug report?

With kind regards

Hinnerk

PS: A "proof of concept" ebuild (just the diff) that works for me follows:

--- /usr/portage/mail-client/thunderbird/thunderbird-12.0.1.ebuild
2012-05-08 11:31:16.000000000 +0200
+++ thunderbird-12.0.1.ebuild	2012-05-16 16:34:26.111099366 +0200
@@ -33,7 +33,8 @@
 KEYWORDS="~alpha ~amd64 ~arm ~ppc ~ppc64 ~x86 ~x86-fbsd ~amd64-linux
~x86-linux"
 SLOT="0"
 LICENSE="|| ( MPL-1.1 GPL-2 LGPL-2.1 )"
-IUSE="bindist gconf +crashreporter +crypt +ipc +lightning +minimal
mozdom +webm"
+IUSE="bindist gconf +crashreporter +crypt +ipc +lightning +minimal mozdom
+pax_kernel +webm"

 PATCH="thunderbird-10.0-patches-0.1"
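Review bot: the only change in this hunk adds a `pax_kernel` flag to IUSE, but nothing visible here consumes it; the conditional that would replace the unconditional `pax-mark m` described in the message (disabling JIT instead when the flag is set) is not part of this hunk, and a new local USE flag also needs a matching description in the package's metadata.xml. Consider including the `use pax_kernel` branch in the same patch so the flag's effect can be reviewed alongside its declaration.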

Sven Vermeulen | 15 May 20:06

SELinux base policy rev 9 in hardened-dev

Hi guys,

I've pushed out rev 9 of the base policies to the hardened-dev overlay. It
includes the following changes:

** 2012-05-15 Revision 9

<no bug>        Introduce named file transition support in policies (backport)
<no bug>        Eliminate "*_except_auth_files" expressions through new attribute (backport)
<no bug>        Update symbol in clamav_append_log interface (backport)
#411719         Update python scripts to further enhance support for python3
#413065         Allow passwd_t to read default context definitions
#413061         Allow groupadd_t to read default context definitions
#410951         Use /usr/lib and /lib instead of the /usr/lib(64)? and similar calls

Wkr,
	Sven Vermeulen


Gentoo Hardened Meeting 2012-05-16 20:00UTC

Hello,

As usual we will be holding our traditional monthly project meeting the
2012-05-16 at 20:00UTC in the #gentoo-hardened channel in the freenode
network.
You are encouraged to attend, since in these meetings the short-term goals of
the project are usually defined and we'd appreciate input regarding them
and positive criticism from any interested parties.
In the meeting the current status of the project is also stated by the
developers, so if you want to know how the project is doing you may want
to either be there or read the logs, although the logs may take a little
more time to be ready.
Finally, if you are planning to contribute, the meeting is also a good
place to see which issues need handling in the project.

The agenda planned for the meeting is:
1.0 Toolchain
2.0 Kernel
3.0 Selinux
  3.1 Selinux eclass
4.0 Grsec/PaX
5.0 Profile
6.0 Docs
7.0 Bugs
8.0 Media
9.0 Open floor

Also, attached to the e-mail you will find an event invitation in case you
want to add the meeting time to your calendar so you don't forget about it.


Stan Sander | 30 Apr 18:10

Invalid opcode

This isn't really a hardened issue specifically, but since that's the
profile I'm running and this is the list that I'm already subscribed to,
thought I'd go ahead and post here.  See if one of you folks can offer
some suggestions for me. 

I have an old Pentium 4 machine with a fresh stable amd64 hardened
install that I am planning to use as a dedicated Asterisk server.
Everything seems fine with one exception: I cannot unmerge any
packages. Neither --depclean nor -C will work. They both bomb out as
soon as the 5 second countdown starts. The message said Invalid
instruction and the syslog indicated it was in time.so

klogd: emerge[28440] trap invalid opcode ip:2612992f7ac sp:3bbcc5cea60
error:0 in time.so[2612992d000+4000]

Then as I was working on asterisk when I got to the point where I was
configuring voicemail and was trying to record the name from a phone
extension, asterisk crashed after starting the recording.  It will limit
the length of the recording to just a few seconds, so the common factor
here seems to be related to counting seconds.  Here is the message from
syslog about Asterisk.

klogd: asterisk[2794] trap invalid opcode ip:1bd2a5e33a sp:2bb49ccdeb0
error:0 in asterisk[1bd29a3000+202000]

I did some poking around with google and so far haven't come up with
anything too useful.  I ran memtest86+ for around 11 hours and it didn't
come up with any errors.  So, I'm thinking I've got something borked in
my USE flags or system config, but I really don't know what it could
be.  The system seems stable and the problem isn't random.  Anyone have