Date: Sun, 9 Aug 2009 22:59:29 +0300
From: Yiannis
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] virtualization with gentoo hardened
Message-ID: <20090809225929.3f93dca0@mpismpirikos.tolises.homeunix.org>
In-Reply-To: <1249845901.4090.12.camel@karmic>
References: <20090808213543.260ad68f@mpismpirikos.tolises.homeunix.org> <4A7DC67A.3070006@opensource.dyc.edu> <20090808215531.47a1e2a7@mpismpirikos.tolises.homeunix.org> <1249845901.4090.12.camel@karmic>

On Sun, 09 Aug 2009 15:25:01 -0400
basile wrote:

> On Sat, 2009-08-08 at 21:55 +0300, Yiannis wrote:
> > On Sat, 08 Aug 2009 14:39:54 -0400
> > basile wrote:
> >
> > > Yiannis wrote:
> > > > Hello,
> > > >
> > > > I am running hardened gentoo with the toolchain provided by the
> > > > xake-toolchain overlay. I am looking for a way to use
> > > > virtualization with my current config. I am aware of the
> > > > linux-vserver project, which has grsecurity integration, but as
> > > > far as I remember it does not play well with rbac. Anyone that has
> > > > a similar working config?
> > > >
> > > > Regards
> > > >
> > > > Yiannis
> > > >
> > > I run both i686 and amd64 as xen guests with the xake-toolchain
> > > overlay and kernel hardened with grsec. Is this what you want?
> > >
> >
> > If the host's kernel is hardened then yes, this is the case. Are you
> > running pax+grsec in both host and guest OS?
>
> No, sorry, neither the kernel nor the toolchain of the host are hardened.
> I've never tried to harden a xen host, and I'm not sure what the
> issues would be.
>

So, if I get it right, you are using xen-sources as a host and hardened-sources (pax+grsec) on the guest. If that is the case, do you know if it is possible to run this setup on a machine without vmx? I see that all the ebuilds from the main tree are masked. Are you using xen-sources from the overlay? How secure is this setup considered? I mean, having the host OS (xen-sources) only for running some instances of hardened-gentoo as guests, is it the same (almost?) as running them on separate physical PCs?