* [gentoo-hardened] gcc-config
From: Albert Lash @ 2005-09-24 19:37 UTC
To: gentoo-hardened
Hello,
I am running gentoo-hardened kernel 2.6.11-r15 on an amd64 system. I have
followed the convert howto and found it very straightforward and clear.
However, I noticed my list of deps was rather large during a recent emerge
pretend and so I checked my setup and found SELinux to be not enabled -
!!!SELinux not enabled:...
So I checked my profile, and it was not the hardened profile! I updated
the profile, and reloaded the profile, and so now when I run sestatus it
gives me the desired response:
sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 18
Policy booleans:
secure_mode inactive
ssh_sysadm_login inactive
user_ping inactive
However, when I run gcc-config -l, I am running the vanilla gcc-3.4.4. I
searched for information on whether I need to be using the hardened one and
can't find much. Do I need to enable the hardened compiler, and
re-compile everything under the new SELinux profile and policy?
Thank you,
Alby Lash
--
gentoo-hardened@gentoo.org mailing list
* Re: [gentoo-hardened] gcc-config
From: Albert Lash @ 2005-09-24 22:39 UTC
To: gentoo-hardened
Hello again,
I jumped the gun and attempted to reload the toolchain after changing the
gcc profile to gcc-3.4.4-r1-hardened. I got through
binutils and gcc, then glibc fails, saying it explicitly requires SELinux.
Strange thing happened to my gcc profiles too. Running gcc-config shows 5
choices, only gcc-3.4.4-hardened is gone, replaced by gcc-3.4.4-vanilla at
the end. This sort of makes sense.
Currently I am again compiling gcc, hoping that it will do something that
will make glibc compile OK. I selected gcc-3.4.4-hardened-nopie to see if
that helps.
Does gcc-3.4.4-hardened-nopiessp mean that neither PIE nor SSP will be
installed, or only SSP? I searched around for an explanation of these
profiles but found none. Might be a good idea for the docs.
Alby
* [gentoo-hardened] gcc-hardened
From: Albert Lash @ 2005-09-25 11:44 UTC
To: gentoo-hardened
I'm getting the feeling that even if you run SELinux, you do not have to
use the hardened gcc compiler. Can someone explain what this compiler is
used for and when to use it?
Thanks,
Alby
* Re: [gentoo-hardened] gcc-hardened
From: Chris PeBenito @ 2005-09-25 21:37 UTC
To: gentoo-hardened
On Sun, 2005-09-25 at 07:44 -0400, Albert Lash wrote:
> I'm getting the feeling that even if you run SELinux, you do not have to
> use the hardened gcc compiler. Can someone explain what this compiler is
> used for and when to use it?
The hardened compiler strengthens the integrity of a program, which
means it's harder to break the program and make it do unintended things,
for example by exploiting a buffer overflow. The compiler uses stack
smashing protection and address space layout randomization (ASLR) to
accomplish this. To get the maximum effect, you also want to use PaX to
make ASLR work, and also get non-executable pages enforcement.
SELinux provides assurance, preventing programs from doing things
unintended; anything that isn't explicitly allowed is denied. This is
limited to accesses (not correctness of data), so if someone compromises
a service, but doesn't do anything disallowed, SELinux (or any other
access control system for that matter) won't stop it. For example, if
someone were to compromise a mail server daemon with the intent of
reading secret emails in the mail spool, SELinux won't stop it, since
the daemon has to read and write the mail spool as part of its regular
function.
SELinux can also provide process integrity protections thanks to some
enhancements merged in recent kernel releases, such as preventing
execution of memory, stack, heap, etc. There is a technical argument on
whether this is sufficient, (implementation-wise, in comparison to PaX),
but I'm not going to get into it.
When to use the hardened compiler? In general, it would be best to at
least use it on whatever you're running which would seem prone to being
attacked. For completeness, you should use it on all of your system,
since that will cover libraries and anything else you wouldn't
anticipate as an attack vector.
The strongest solution would use a hardened compiler, a mandatory
access control system, and PaX together. This is layered security, to try to get
as complete protection as possible.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* [gentoo-hardened] SELinux and Apache - no pid file?
From: Albert Lash @ 2005-10-06 18:18 UTC
To: gentoo-hardened
Hi all,
I'm running an SELinux base system (followed the AMD64 howto for changing
a normal Gentoo system to a SELinux Gentoo system) with Apache2.
I keep the files accessed by Apache in a different directory than those
prescribed by the file contexts, so I added some regexp filters to
properly label my files, which seems to have worked, and I can access the
files via Apache without getting denials in /var/log/messages. (I am
running permissive mode right now).
The problem I am experiencing is when I restart apache. I do this as root,
su'd from a user with SELinux roles staff_r and sysadm_r. I first login via
ssh as a normal user, then I newrole -r sysadm_r, then I su, and then I
/etc/init.d/apache2 restart. I get a warning that there is no pid. So
then I have to kill the process identified by ps -A, and then
/etc/init.d/apache start. (Whenever I run an init script, I have to
authenticate as the original user who has the sysadm_r role). The server
starts fine, but seems to have a delay before I can access the server via
a browser. Even when the server starts responding to browser requests, no
pid file is written to /var/run. There aren't even any denials in the
/var/log/messages files, which still wouldn't prevent a pid file from
getting written, as I am in permissive mode.
I have also tried the SELinux run_init command before the init script with
the same results.
Is this standard behavior for Apache2 on SELinux? I doubt it since I am
running another non-SELinux server which creates the apache.pid file
every time. Any recommendations on how to get Apache starting,
restarting, and stopping properly?
Thank you!
Albert
* Re: [gentoo-hardened] SELinux and Apache - no pid file?
From: Chris PeBenito @ 2005-10-07 2:00 UTC
To: gentoo-hardened
On Thu, 2005-10-06 at 14:18 -0400, Albert Lash wrote:
> The problem I am experiencing is when I restart apache. I do this as root,
> su'd from a user with SELinux roles staff_r and sysadm_r. I first login via
> ssh as a normal user, then I newrole -r sysadm_r, then I su, and then I
> /etc/init.d/apache2 restart. I get a warning that there is no pid. So
> then I have to kill the process identified by ps -A, and then
> /etc/init.d/apache start. (Whenever I run an init script, I have to
> authenticate as the original user who has the sysadm_r role). The server
> starts fine, but seems to have a delay before I can access the server via
> a browser. Even when the server starts responding to browser requests, no
> pid file is written to /var/run. There aren't even any denials in the
> /var/log/messages files, which still wouldn't prevent a pid file from
> getting written, as I am in permissive mode.
If this doesn't work in permissive, then it points to something not
SELinux related being wrong. I suggest looking at the apache logs for
errors, and also check DAC perms.
> I have also tried the SELinux run_init command before the ini script with
> the same results.
This won't help because Gentoo already has run_init integrated into the
init script system.
> Is this standard behavior for Apache2 on SELinux?
No, I can't reproduce it on my enforcing systems.
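Chris's test above (permissive mode still logs every would-be denial, so an empty log rules SELinux out as the cause) can be applied mechanically. The script below is an added example, not code from the thread or from Gentoo: it parses the kernel's `avc: denied { perm } for ... scontext=... tcontext=... tclass=...` records out of a syslog file, counts them by source type, target type, object class and permission set, and renders each as the TE allow rule an audit2allow-style tool would propose. The lines in SAMPLE_LOG are constructed for the example (host name, pids and inode numbers are invented); the first two show the denial httpd would log if policy really were blocking its pid file.

```python
"""Summarise SELinux AVC denials from a syslog file.

Added example, not code from the thread or from Gentoo. Parses the kernel's
AVC audit lines, counts denials by (source type, target type, class, perms)
and prints the allow rule each one would need, audit2allow-style.
"""
import re
import sys
from collections import Counter

# Kernel AVC record: 'avc:  denied  { write } for  pid=... comm="..." ...'.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after 'for'; values are either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (host, pids and inodes invented). The first two are
# the denial an httpd that is refused its pid file would produce.
SAMPLE_LOG = """\
Oct  6 14:18:01 web kernel: audit(1128622681.123:45): avc:  denied  { write } for  pid=4321 comm="apache2" name="apache2.pid" dev=sda3 ino=98765 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_run_t tclass=file
Oct  6 14:18:01 web kernel: audit(1128622681.124:46): avc:  denied  { write } for  pid=4321 comm="apache2" name="apache2.pid" dev=sda3 ino=98765 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_run_t tclass=file
Oct  6 14:18:02 web kernel: audit(1128622681.500:47): avc:  denied  { read } for  pid=4322 comm="apache2" name="index.html" dev=sda3 ino=5555 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=file
Oct  6 14:18:03 web kernel: audit(1128622682.000:48): avc:  granted  { setenforce } for  pid=100 comm="setenforce" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Oct  6 14:18:04 web sshd[999]: Accepted publickey for alby from 10.0.0.5 port 51234 ssh2
"""


def parse_avc(line):
    """Return the AVC record in `line` as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def type_of(context):
    """'user:role:type[:range]' -> 'type'; tolerate a bare type."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else parts[-1]


def summarise(lines):
    """Count denials keyed by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if not (rec["scontext"] and rec["tcontext"] and rec["tclass"]):
            continue  # truncated record; nothing to key on
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], rec["perms"])
        counts[key] += 1
    return counts


def suggest_rules(counts):
    """Render each denial as the TE allow rule that would permit it."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};  # seen {n}x"
        for (stype, ttype, tclass, perms), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    found = summarise(lines)
    if not found:
        print("no AVC denials: SELinux is not what is blocking this")
    for rule in suggest_rules(found):
        print(rule)
```

Run it against a real log with `python3 avc_summary.py /var/log/messages` (the file name is assumed). A proposed rule is something to read, not to paste into policy: httpd_t writing to a generic type such as var_run_t usually means the file or directory is mislabelled rather than that the policy is missing a rule, so check the label with `ls -Z` and relabel with `restorecon` before widening what the domain may touch.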
* Re: [gentoo-hardened] SELinux and Apache - no pid file?
From: Travis Fraser @ 2005-10-07 2:25 UTC
On Thu, 2005-10-06 at 22:00 -0400, Chris PeBenito wrote:
> On Thu, 2005-10-06 at 14:18 -0400, Albert Lash wrote:
> > The problem I am experiencing is when I restart apache. I do this as root,
> > su'd from a user with SELinux roles staff_r and sysadm_r. I first login via
> > ssh as a normal user, then I newrole -r sysadm_r, then I su, and then I
> > /etc/init.d/apache2 restart. I get a warning that there is no pid. So
> > then I have to kill the process identified by ps -A, and then
> > /etc/init.d/apache start. (Whenever I run an init script, I have to
> > authenticate as the original user who has the sysadm_r role). The server
> > starts fine, but seems to have a delay before I can access the server via
> > a browser. Even when the server starts responding to browser requests, no
> > pid file is written to /var/run. There aren't even any denials in the
> > /var/log/messages files, which still wouldn't prevent a pid file from
> > getting written, as I am in permissive mode.
>
It seems to have something to do with entropy? See this thread:
http://forums.gentoo.org/viewtopic-t-384660-highlight-apache+pid.html
specifically this part:
MY_BUILTINS="--with-devrandom=/dev/urandom" emerge apache
This solved the exact problem for me even though I had no problems on
other servers (no selinux on any of them though).
--
Travis Fraser <travis@snowpatch.net>
* Re: [gentoo-hardened] SELinux and Apache - no pid file?
From: Albert Lash @ 2005-10-07 12:41 UTC
Way to go Travis, thank you for the link and advice, this fixed my issue!
As a follow up, the compilation gave me a warning about lazy bindings, and
suggested I compile with these additional options:
CFLAGS="-Wl,-z,now"
I did so and it compiled OK.
Cheers!
Albert
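Two passages in this thread come down to the same question. Chris's reply on gcc-hardened describes what the hardened compiler adds (stack smashing protection and PIE, so that ASLR has something to randomise; PaX supplies the non-executable pages), and the gcc-config profile names in Albert's second message spell out what is switched off in each variant (the suffix is the missing piece: -nopie, -nossp, and -nopiessp for both). The lazy-binding warning and `-Wl,-z,now` in the message above are the linker's part of the same picture: resolving every PLT entry at load time, which together with a GNU_RELRO segment lets the loader make the GOT read-only (what is usually called full RELRO). Whether a given binary actually received any of this is recorded in its ELF headers. The script below is an added example, not code from the thread or from Gentoo: it reads an ELF64 image directly, without readelf, and reports PIE, a stack-protector reference, GNU_RELRO, BIND_NOW and a non-executable stack. build_sample_elf constructs a minimal, non-runnable ELF image with chosen properties so the checker can be exercised offline; that image is invented test input, not a real binary.

```python
"""Report hardening properties of an ELF64 binary from its headers (added example,
not code from the thread or from Gentoo): PIE, stack-protector reference, GNU_RELRO,
BIND_NOW and non-executable stack, without shelling out to readelf."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE, PF_X = 0x8, 0x1, 0x08000000, 0x1


def vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for seg_vaddr, seg_off, seg_filesz in loads:
        if seg_vaddr <= vaddr < seg_vaddr + seg_filesz:
            return seg_off + (vaddr - seg_vaddr)
    return None


def inspect_elf(data):
    """Return {pie, ssp, relro, bind_now, full_relro, nx_stack} for an LE ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads, dyn, interp, relro, stack_flags = [], None, False, False, None
    for i in range(e_phnum):  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
        elif p_type == PT_INTERP:
            interp = True
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
    tags = {}  # Elf64_Dyn entries up to DT_NULL
    if dyn:
        for pos in range(dyn[0], dyn[0] + dyn[1], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    # -fstack-protector code calls __stack_chk_fail, so the name appears in .dynstr.
    ssp = False
    if DT_STRTAB in tags:
        strtab_off = vaddr_to_offset(loads, tags[DT_STRTAB])
        if strtab_off is not None:
            strtab = data[strtab_off:strtab_off + tags.get(DT_STRSZ, 0)]
            ssp = (b"\0" + strtab).find(b"\0__stack_chk_fail\0") != -1
    flags, flags1 = tags.get(DT_FLAGS, 0), tags.get(DT_FLAGS_1, 0)
    bind_now = bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW) or DT_BIND_NOW in tags
    # DF_1_PIE is a 2015 binutils addition; older PIEs are ET_DYN with a PT_INTERP.
    pie = e_type == ET_DYN and (interp or bool(flags1 & DF_1_PIE))
    # Without a PT_GNU_STACK header the kernel falls back to an executable stack.
    nx_stack = stack_flags is not None and not stack_flags & PF_X
    return {"pie": pie, "ssp": ssp, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now, "nx_stack": nx_stack}


def build_sample_elf(pie=True, ssp=True, relro=True, bind_now=True, nx_stack=True):
    """Construct a minimal, non-runnable ELF64 image with the chosen properties
    (invented test input, not a real binary; vaddr == file offset, one PT_LOAD)."""
    strtab = b"\0" + (b"__stack_chk_fail\0" if ssp else b"") + b"libc.so.6\0"
    phnum, strtab_off = 4, 64 + 4 * 56
    dyn_off = strtab_off + (len(strtab) + 15) // 16 * 16
    entries = [(DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab))]
    if bind_now:
        entries += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | (DF_1_PIE if pie else 0))]
    elif pie:
        entries.append((DT_FLAGS_1, DF_1_PIE))
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in entries)
    total = dyn_off + len(dyn)

    def phdr(p_type, p_flags, off, size):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, off, off, off, size, size, 8)

    phdrs = phdr(PT_LOAD, 0x4, 0, total) + phdr(PT_DYNAMIC, 0x6, dyn_off, len(dyn))
    phdrs += phdr(PT_GNU_STACK, 0x6 if nx_stack else 0x7, 0, 0)  # RW vs RWX stack
    phdrs += phdr(PT_GNU_RELRO if relro else 0, 0x4, dyn_off, len(dyn))  # type 0 = PT_NULL
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    image = ehdr + phdrs + strtab
    return image + b"\0" * (dyn_off - len(image)) + dyn


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, ok in inspect_elf(image).items():
        print(f"{name:10s} {'yes' if ok else 'no'}")
```

Run `python3 elfcheck.py /usr/sbin/apache2` (file name assumed) to check a real binary, or with no argument to see the constructed image report every property as present. Two caveats apply when reading the result. The DF_1_PIE flag only exists in binutils from 2015 on, so for a binary from the era of this thread a PIE is recognised as ET_DYN plus a PT_INTERP entry, the same heuristic checksec-style tools use to tell a PIE executable from an ordinary shared object. And the absence of a PT_GNU_STACK header is reported as an executable stack, because that is what the kernel assumes when the header is missing.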
* [gentoo-hardened] AMD64 sys-libs/ss
From: Albert Lash @ 2005-10-15 15:40 UTC
To: gentoo-hardened
Hi Chris,
I just emerge synced and am again getting an error when trying to emerge
ss-1.38:
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.4/../../../../x86_64-pc-linux-gnu/bin/ld:
cannot find /lib64/libcom_err.so
This has to do with this bug:
http://bugs.gentoo.org/show_bug.cgi?id=107177
Do I need to do something to my profile to update it?
Thanks,
Al
* Re: [gentoo-hardened] AMD64 sys-libs/ss
From: Chris PeBenito @ 2005-10-15 17:40 UTC
To: gentoo-hardened
On Sat, 2005-10-15 at 11:40 -0400, Albert Lash wrote:
> Hi Chris,
>
> I just emerge synced and am again getting an error when trying to emerge
> ss-1.38:
>
> /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.4/../../../../x86_64-pc-linux-gnu/bin/ld:
> cannot find /lib64/libcom_err.so
>
> This has to do with this bug:
> http://bugs.gentoo.org/show_bug.cgi?id=107177
Ok, I reproduced this on my system that had the problem above. I
remerged sys-libs/com_err, and then ss was able to merge.