Paige Thompson | 14 Nov 03:48

Re: Let us expand your finances

I concur!

On Nov 12, 2008 9:52 AM, "Lucilla baumer" <temp-XgcMedQSbuTk1uMJSBkQmQ@public.gmane.org> wrote:

 Activity to earn!!!
arnobellt-A/MS7pq9VAU@public.gmane.org


dante | 30 Oct 16:13

Tin Hat Linux 20081025 released

Hello everyone,

I just wanted to make the list aware that a new release of Tin Hat is
out.  This release did not add new features, but addressed some
bugs/security issues.  The major changes included the kernel upgraded to
hardened 2.6.25-r8, gnome upgraded to 2.22.3 and postfix upgraded to
2.5.5 to address a security issue.

For those unfamiliar with Tin Hat, it is a linux distro derived from
hardened Gentoo which aims to provide a very secure, stable and fast
Desktop environment that lives purely in RAM.

Home page: http://opensource.dyc.edu/tinhat
Downloads: http://opensource.dyc.edu/tinhat-downloads

--Tony Basile

George Socker | 28 Oct 23:28

SELinux boot errors - udev/dhcpcd

Hello,
 I'm trying to install SELinux on a fresh Gentoo install and have
followed the guide, but the system will not boot in enforcing mode.

There are numerous messages that say
Unable to exec /lib64/udev/path_id:Permission denied.
The initscripts then get stuck when running DHCP for an address, and
that's as far as I have gotten. I have tried relabeling repeatedly.
Any idea what's going on?
Thanks

I want to use bastille..

Hello, what version of bastille works fine with gentoo.2008? I'm trying to install a server with
the selinux-hardened profile. I read about the Bastille project at
http://www.gentoo.org/proj/en/hardened/ and I want to use it on my server. I installed a version masked in
/usr/portage/profiles/package.mask, but it doesn't work the way it is written there. What do I have to do to use bastille?

This too shall pass..
Eroz.

Matt Harrison | 26 Oct 17:00

Stopping libselinux being linked

Well I've given up on selinux now and I'm trying to just get rid of selinux
and just use a hardened system.

I've changed my profile and recompiled the system so none of it is using the
selinux flag.

The problem is that even though the selinux USE flag isn't enabled, packages
like coreutils are still linking into libselinux. So if I remove libselinux
and all the selinux related packages, it breaks a whole load of binaries on
the system, so much so that I can't recompile packages afterwards.

How should I proceed to eradicate selinux from my system? or am I stuck with
the libraries now until I do a full re-install?

Thanks

Matt
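
Added example (not part of the original post): one way to list the binaries that still record libselinux as a dependency before the library is unmerged, assuming binutils' `readelf` is installed. The function names and the sample `readelf -d` dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# needed_libs: read `readelf -d` output on stdin and print one DT_NEEDED
# soname per line.
needed_libs() {
    sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)].*/\1/p'
}

# links_selinux FILE: succeed if FILE's dynamic section lists libselinux.
# Non-ELF files make readelf fail quietly and simply do not match.
links_selinux() {
    readelf -d "$1" 2>/dev/null | needed_libs | grep -q '^libselinux\.so'
}

# scan_dirs DIR...: print every regular file under the given directories
# that still needs libselinux at load time.
scan_dirs() {
    find "$@" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        if links_selinux "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample of `readelf -d` output for a binary built against
# libselinux (values are illustrative, not taken from a real system).
sample_dynamic() {
cat <<'EOF'
Dynamic section at offset 0x1f14 contains 24 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libselinux.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x0000000c (INIT)                       0x8049a3c
EOF
}

# Scan only when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

Any path printed would fail to load once libselinux is gone, so the package owning it needs rebuilding while the library is still installed.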

Jan Klod | 25 Oct 20:44

Failure when "switching" to hardened-gentoo profile

Hello.

I was trying to switch from a normal, freshly installed gentoo to
hardened as described in the PaX quickstart,
http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml. However, that
guide does not say when I should boot hardened-sources.
Not sure if after "emerge binutils gcc virtual/libc" or "emerge -e
world", but I got this error, which persists:

============================================================================
*** stack smashing detected ***: cc1 - terminated
cc1: stack smashing attack in function ix86_split_to_parts - terminated
Report to http://bugs.gentoo.org/
i686-pc-linux-gnu-gcc: Internal error: Killed (program cc1)
Please submit a full bug report.
See <URL:http://bugs.gentoo.org/> for instructions.
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/s_catanl.o]
Error 1
make[2]: Leaving directory
`/var/tmp/portage/sys-libs/glibc-2.6.1/work/glibc-2.6.1/math'
make[1]: *** [math/others] Error 2
make[1]: Leaving directory
`/var/tmp/portage/sys-libs/glibc-2.6.1/work/glibc-2.6.1'
make: *** [all] Error 2
 *
 * ERROR: sys-libs/glibc-2.6.1 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_compile
 *             environment, line 3350:  Called eblit-run 'src_compile'
 *             environment, line 1075:  Called eblit-glibc-src_compile
 *       src_compile.eblit, line  181:  Called toolchain-glibc_src_compile
 *       src_compile.eblit, line  122:  Called die
 * The specific snippet of code:
 *              make PARALLELMFLAGS="${MAKEOPTS}" || die "make for
${ABI} failed"
 *  The die message:
 *   make for default failed
 *
 * If you need support, post the topmost build error, and the call
stack if relevant.
 * A complete build log is located at
'/var/tmp/portage/sys-libs/glibc-2.6.1/temp/build.log'.
 * The ebuild environment file is located at
'/var/tmp/portage/sys-libs/glibc-2.6.1/temp/environment'.
============================================================================

Should I really discard my work with normal install (lost
configurations + some hustle) and use hardened stage3? (somehow I
don't believe, I discovered something really "bug")
And one more question: is hardened toolchain built userland going to
work with gentoo-sources?

Thank you...

oxbvdarbbvy | 24 Oct 17:00

Autoreply: bastille


bastille

Hello, everybody..
I'm trying to install bastille but it is masked in the profile
/usr/portage/profiles/selinux/2007.0/x86/hardened/ that I'm using. Have any of you installed or
used bastille with good results?

This too shall pass..
Eroz.

Jan Klod | 17 Oct 13:16

What if I won't need multilib after couple of years?

Good day to you all!

Will moving away from multilib automatically force me to make a fresh install of 
the whole system, which is painful? 
Will there be serious performance losses if I use multilib (is the bulk of 
GNU software running in 64 then)?
And one more transition question: how about moving from gentoo to hardened-* 
after gentoo is installed?

/installing fresh system now.../

mrfroasty | 16 Oct 10:23

re: can't compile snort

Several times I have tried to get snort on my server; it doesn't 
seem to compile.

This program built for i686-pc-linux-gnu
Report bugs to <bug-make@...>
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory 
`/var/tmp/portage/net-analyzer/snort-2.6.1.3-r1/work/snort-2.6.1.3/src/dynamic-plugins/sf_engine'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory 
`/var/tmp/portage/net-analyzer/snort-2.6.1.3-r1/work/snort-2.6.1.3/src/dynamic-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory 
`/var/tmp/portage/net-analyzer/snort-2.6.1.3-r1/work/snort-2.6.1.3/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory 
`/var/tmp/portage/net-analyzer/snort-2.6.1.3-r1/work/snort-2.6.1.3'
make: *** [all] Error 2
 *
 * ERROR: net-analyzer/snort-2.6.1.3-r1 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_compile
 *             environment, line 2569:  Called die
 * The specific snippet of code:
 *       emake -j1 || die "emake failed"
 *  The die message:
 *   emake failed
 *

#emerge --info
Portage 2.1.4.5 (selinux/2007.0/x86/hardened, gcc-3.4.6, glibc-2.6.1-r0, 
2.6.25-hardened-r8 i686)
=================================================================
System uname: 2.6.25-hardened-r8 i686 Intel(R) Xeon(TM) CPU 2.00GHz
Timestamp of tree: Thu, 16 Oct 2008 00:45:01 +0000
app-shells/bash:     3.2_p33
dev-lang/python:     2.5.2-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r2
sys-devel/automake:  1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf 
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ 
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo 
/etc/udev/rules.d"
CXXFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-diget buildpkg ccache collision-detect digest distlocks 
loadpolicy metadata-transfer parallel-fetch sandbox selinux sesandbox 
sfperms strict unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="http://gentoo.tiscali.nl/ 
http://mirror.cambrium.nl/pub/os/linux/gentoo/ http://ftp.first-world.info/"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times 
--compress --force --whole-file --delete --stats --timeout=180 
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="acpi apache2 berkdb cli cracklib crypt cups dri fortran gdbm gpm 
hardened iconv isdnlog lm_sensors midi mmx mudflap mysql ncurses nfs nls 
nptl nptlonly openmp pam pcre perl php pic pppd python readline 
reflection selinux session spl sse sse2 ssl tcpd unicode vhosts x86 xorg 
zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 
cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel 
intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem 
ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty 
extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul 
mulaw multi null plug rate route share shm softvol" 
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon 
authn_dbm authn_default authn_file authz_dbm authz_default 
authz_groupfile authz_host authz_owner authz_user autoindex cache dav 
dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache 
filter headers include info log_config logio mem_cache mime mime_magic 
negotiation rewrite setenvif speling status unique_id userdir usertrack 
vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" 
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 
lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips 
cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic 
nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb 
tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, 
LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, 
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Any clue, thanks

GR
muhsin

Change the configuration of gcc?

I had problems compiling gnome on my system, which uses the selinux-hardened profile. The problem was with
glibmm, whose solution I found at http://bugs.gentoo.org/show_bug.cgi?id=217112#c5, where I was told to
do: 
 gcc-config i686-pc-linux-gnu-3.4.6-hardenednossp && source /etc/profile && emerge -1 glibmm
After this glibmm will compile without any problems, but what does changing the configuration of gcc
change, and can this fix for the glibmm problem bring other problems when compiling packages?

