You might already have read it on the Gentoo news site: the Hardened Linux kernel sources are removed from the tree due to the grsecurity change where the grsecurity Linux kernel patches are no longer provided for free. The decision was made for supportability and maintainability reasons.
That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. Agostino Sarubbo has started providing sys-kernel/grsecurity-sources, based on minipli's unofficial patchset, for the users who want to stick with it. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.
Personally though, I'm switching to the Gentoo sources and sticking with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).
The SELinux userspace project released version 2.4 in February this year, after release candidates had been tested for half a year. After its release, we at the Gentoo Hardened project have been working hard to integrate it within Gentoo. This effort has been made a bit more difficult …
Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.
The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn't need to update his LinkedIn profile yet ;-)
blueness (Anthony G …
In between conferences, technical writing jobs and traveling, we did a few changes under the hood for SELinux in Gentoo.
First of all, new policies are bumped and also stabilized (2.20130411-r3 is now stable, 2.20130411-r5 is ~arch). These have a few updates (merges from upstream), and r5 also …
I failed to show up myself (I fell asleep - kids are fun, but deplete your energy source quickly), but that shouldn't prevent me from making a nice write-up of the meeting.
GCC 4.9 gives some issues with kernel compilations and other components. Lately, breakage has been reported with …
Friday the Gentoo Hardened project had its monthly online meeting to talk about the progress within the various tools, responsibilities and subprojects.
On the toolchain part, Zorry mentioned that GCC 4.9 and 4.8.3 will have SSP enabled by default. The hardened profiles will still have a different …
A vulnerability in policycoreutils came to light recently (through bug 509896). The issue is libcap-ng actually, but the specific situation in which the vulnerability can be exploited is only available in seunshare is not built by default on Gentoo. You need to define …
I'm back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.
GCC 4.9 is being worked on, and might be released by end of April (based on the amount of open bugs). You can find the changes …
Yesterday evening (UTC, that is) the members of the Gentoo Hardened project filled the #gentoo-hardened IRC channel again - it was time for another online follow-up meeting.
A few patches on the toolchain need to be created to mark SSP as default, but this is just a minor workload.
A few months ago, I wrote a small script that aids in the creation of new SELinux policy packages. The script is on the itself, in the gentoo/ subdirectory, and is called The reason for the script is that there are a number of steps to perform …