Simplicity is a form of art...

Switch to Gentoo sources
by Sven Vermeulen, post on Tue 22 August 2017

You've might already read it on the Gentoo news site, the Hardened Linux kernel sources are removed from the tree due to the grsecurity change where the grsecurity Linux kernel patches are no longer provided for free. The decision was made due to supportability and maintainability reasons.

That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. Agostino Sarubbo has started providing sys-kernel/grsecurity-sources for the users who want to stick with it, as it is based on minipli's unofficial patchset. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.

Personally though, I'm switching to the Gentoo sources, and stick with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).

Moving closer to 2.4 stabilization
by Sven Vermeulen, post on Mon 27 April 2015

The SELinux userspace project has released version 2.4 in february this year, after release candidates have been tested for half a year. After its release, we at the Gentoo Hardened project have been working hard to integrate it within Gentoo. This effort has been made a bit more difficult …

Gentoo Hardened august meeting
by Sven Vermeulen, post on Fri 29 August 2014

Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.

Lead elections

The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn't need to update his LinkedIn profile yet ;-)

Toolchain

blueness (Anthony G …

Some changes under the hood
by Sven Vermeulen, post on Sat 09 August 2014

In between conferences, technical writing jobs and traveling, we did a few changes under the hood for SELinux in Gentoo.

First of all, new policies are bumped and also stabilized (2.20130411-r3 is now stable, 2.20130411-r5 is \~arch). These have a few updates (mergers from upstream), and r5 also …

Gentoo Hardened July meeting
by Sven Vermeulen, post on Fri 01 August 2014

I failed to show up myself (I fell asleep - kids are fun, but deplete your energy source quickly), but that shouldn't prevent me from making a nice write-up of the meeting.

Toolchain

GCC 4.9 gives some issues with kernel compilations and other components. Lately, breakage has been reported with …

Gentoo Hardened, June 2014
by Sven Vermeulen, post on Sun 15 June 2014

Friday the Gentoo Hardened project had its monthly online meeting to talk about the progress within the various tools, responsibilities and subprojects.

On the toolchain part, Zorry mentioned that GCC 4.9 and 4.8.3 will have SSP enabled by default. The hardened profiles will still have a different …

Dropping sesandbox support
by Sven Vermeulen, post on Fri 09 May 2014

A vulnerability in seunshare, part of policycoreutils, came to light recently (through bug 509896). The issue is within libcap-ng actually, but the specific situation in which the vulnerability can be exploited is only available in seunshare.

Now, seunshare is not built by default on Gentoo. You need to define USE …

Online hardened meeting of March
by Sven Vermeulen, post on Thu 27 March 2014

I'm back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.

Toolchain

GCC 4.9 is being worked on, and might be released by end of April (based on the amount of open bugs). You can find the changes …

December hardened meeting
by Sven Vermeulen, post on Fri 20 December 2013

Yesterday evening (UTC, that is) the members of the Gentoo Hardened project filled the #gentoo-hardened IRC channel again - it was time for another online follow-up meeting.

Toolchain

A few patches on the toolchain need to be created to mark SSP as default, but this is just a minor workload.

And …

Gentoo SELinux policy release script
by Sven Vermeulen, post on Wed 11 December 2013

A few months ago, I wrote a small script that aids in the creation of new SELinux policy packages. The script is on the repository itself, in the gentoo/ subdirectory, and is called release-prepare.sh.

The reason for the script is that there are a number of steps to perform …