Switch to Gentoo sources
by Sven Vermeulen, post on Tue 22 August 2017
You might already have read it on the Gentoo news site: the Hardened Linux kernel sources are removed from the tree due to the grsecurity change, where the grsecurity Linux kernel patches are no longer provided for free. The decision was made for supportability and maintainability reasons.
That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. Agostino Sarubbo has started providing sys-kernel/grsecurity-sources for the users who want to stick with it, as it is based on minipli's unofficial patchset. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.
Personally though, I'm switching to the Gentoo sources, and sticking with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - Minecraft - didn't work out that well).
Moving closer to 2.4 stabilization
by Sven Vermeulen, post on Mon 27 April 2015
The SELinux userspace project released version 2.4 in February this year, after release candidates had been tested for half a year. After its release, we at the Gentoo Hardened project have been working hard to integrate it within Gentoo. This effort has been made a bit more difficult …
Gentoo Hardened august meeting
by Sven Vermeulen, post on Fri 29 August 2014
Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.
Lead elections
The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn't need to update his LinkedIn profile yet ;-)
Toolchain
blueness (Anthony G …
Some changes under the hood
by Sven Vermeulen, post on Sat 09 August 2014
In between conferences, technical writing jobs and traveling, we did a few changes under the hood for SELinux in Gentoo.
First of all, new policies are bumped and also stabilized (2.20130411-r3 is now stable, 2.20130411-r5 is ~arch). These have a few updates (merges from upstream), and r5 also …
Gentoo Hardened July meeting
by Sven Vermeulen, post on Fri 01 August 2014
I failed to show up myself (I fell asleep - kids are fun, but deplete your energy source quickly), but that shouldn't prevent me from making a nice write-up of the meeting.
Toolchain
GCC 4.9 gives some issues with kernel compilations and other components. Lately, breakage has been reported with …
Gentoo Hardened, June 2014
by Sven Vermeulen, post on Sun 15 June 2014
Friday the Gentoo Hardened project had its monthly online meeting to talk about the progress within the various tools, responsibilities and subprojects.
On the toolchain part, Zorry mentioned that GCC 4.9 and 4.8.3 will have SSP enabled by default. The hardened profiles will still have a different …
Dropping sesandbox support
by Sven Vermeulen, post on Fri 09 May 2014
A vulnerability in seunshare, part of policycoreutils, came to light recently (through bug 509896). The issue is actually within libcap-ng, but the specific situation in which the vulnerability can be exploited is only available in seunshare.
Now, seunshare is not built by default on Gentoo. You need to define USE …
Online hardened meeting of March
by Sven Vermeulen, post on Thu 27 March 2014
I'm back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.
Toolchain
GCC 4.9 is being worked on, and might be released by end of April (based on the amount of open bugs). You can find the changes …
December hardened meeting
by Sven Vermeulen, post on Fri 20 December 2013
Yesterday evening (UTC, that is) the members of the Gentoo Hardened project filled the #gentoo-hardened IRC channel again - it was time for another online follow-up meeting.
Toolchain
A few patches on the toolchain need to be created to mark SSP as default, but this is just a minor workload.
And …
Gentoo SELinux policy release script
by Sven Vermeulen, post on Wed 11 December 2013
A few months ago, I wrote a small script that aids in the creation of new SELinux policy packages. The script is in the repository itself, in the gentoo/ subdirectory, and is called release-prepare.sh.
The reason for the script is that there are a number of steps to perform …