* [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
@ 2006-05-07 4:28 Kevin
2006-05-07 4:39 ` Alex Efros
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Kevin @ 2006-05-07 4:28 UTC
To: gentoo-hardened
Hi Folks-
I've read a little discussion in the archive on this subject (such as
http://www.mail-archive.com/gentoo-hardened@lists.gentoo.org/msg00338.html)
but not much and not recently.
I've also read a little discussion in non-gentoo forums:
http://linux.slashdot.org/article.pl?sid=05/11/01/0444221
As I try to do this, it's just dawned on me that by going strictly with
gentoo packages, I can have a kernel running from either:
xen-sources (which patches the kernel for xen but not for
SELinux/PaX/GRSecurity)
or
hardened-sources (which patches the kernel for SELinux/PaX/GRSecurity
but not for xen)
If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
incorporated into a kernel, any recommendations for doing this?
Ideas:
1) start with xen-sources and apply the hardened patches by hand (seems
like it might be daunting)
2) start with hardened-sources and apply the xen patches by hand (also
seems daunting though maybe a tad less so)
3) start with vanilla-sources and apply gentoo patches, hardened
patches, and xen patches by hand (and any others I think I need)
4) don't even bother with gentoo kernel packages and just handle the
kernel as a software package that's not in portage and get the vanilla
kernel tarball and desired patches and do the patching myself by hand
Has anyone done anything like this? Is it silly to even think that the
hand-applied patches will apply without rejects?
Or should I be doing a strictly Xen kernel as the host kernel and if I
want SELinux/PaX/GRSecurity, put that in a guest kernel? But doesn't
the guest kernel also have to be patched for xen? In which case the
original question of getting a kernel patched with all four still applies.
I'm so confused....
Thanks.
-Kevin
--
gentoo-hardened@gentoo.org mailing list
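On the question of whether hand-applied patch sets will stack without rejects, an added example (not code from the thread, and not from any of the patch sets named in it): a small POSIX shell script that applies a list of patches in order, dry-running each one against the tree first, so the first reject halts the run before that patch has touched anything and before any .rej files exist. The source tree, the three patch sets and their names (gentoo, xen, hardened) are constructed stand-ins built in a temp dir, with a conflict built in on purpose: the xen and hardened stand-ins rewrite the same line, while gentoo changes a different hunk. Function names (apply_stack, gen_patch, build_fixture, demo) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from any patch set named in it.
# apply_stack dry-runs every patch before applying it, so the first patch
# that rejects stops the run with the tree untouched by that patch and no
# .rej files written. The "kernel" tree and the gentoo/xen/hardened patch
# sets below are constructed stand-ins built in a temp dir.

# apply_stack TREE PATCH...: returns 0 if every patch applied in order,
# 1 at the first patch that does not apply cleanly on the result so far.
apply_stack() {
    tree=$1; shift
    for p in "$@"; do
        if ! ( cd "$tree" && patch -p1 --dry-run <"$p" >/dev/null ); then
            echo "REJECT: $(basename "$p") does not apply on top of the patches before it" >&2
            return 1
        fi
        ( cd "$tree" && patch -p1 <"$p" >/dev/null ) || return 1
    done
    return 0
}

# gen_patch WORK NAME: write WORK/NAME.patch, a unified diff of WORK/base
# against WORK/NAME with the a/ b/ prefixes kernel patches use (so it
# applies with -p1). Returns 1 if the patch came out empty.
gen_patch() {
    (
        cd "$1" || exit 1
        rm -rf a b && mkdir -p a/init b/init || exit 1
        cp base/init/main.c a/init/main.c && cp "$2/init/main.c" b/init/main.c || exit 1
        diff -u a/init/main.c b/init/main.c >"$2.patch" || true   # diff exits 1 when files differ
        [ -s "$2.patch" ]
    )
}

# build_fixture: constructed source tree plus three constructed patch sets.
# xen and hardened both rewrite the setup_arch() line, so they conflict;
# gentoo changes a line several hunks away. Prints the work dir.
build_fixture() {
    W=$(mktemp -d) || return 1
    for d in base gentoo xen hardened tree1 tree2; do mkdir -p "$W/$d/init"; done
    cat >"$W/base/init/main.c" <<'EOF'
/* constructed stand-in for init/main.c, not real kernel source */
#include "kernel.h"

void start_kernel(void)
{
    setup_arch();
    trap_init();
    mm_init();
    sched_init();
    security_init();
    rest_init();
}
EOF
    sed 's/rest_init();/gentoo_rest_init();/' "$W/base/init/main.c" >"$W/gentoo/init/main.c"
    sed 's/setup_arch();/xen_setup_arch();/'  "$W/base/init/main.c" >"$W/xen/init/main.c"
    sed 's/setup_arch();/pax_setup_arch();/'  "$W/base/init/main.c" >"$W/hardened/init/main.c"
    for n in gentoo xen hardened; do gen_patch "$W" "$n" || return 1; done
    for t in tree1 tree2; do cp "$W/base/init/main.c" "$W/$t/init/main.c"; done
    echo "$W"
}

# demo: the clean stack first, then the conflicting one.
demo() {
    W=$(build_fixture) || exit 1
    echo "== gentoo then xen (different hunks) =="
    apply_stack "$W/tree1" "$W/gentoo.patch" "$W/xen.patch" && echo "applied cleanly"
    echo "== xen then hardened (both rewrite setup_arch) =="
    apply_stack "$W/tree2" "$W/xen.patch" "$W/hardened.patch" \
        || echo "stopped: tree2 carries only the xen patch, no .rej written"
    rm -rf "$W"
}

case "${1:-}" in run) demo ;; esac
```

Run it as `sh stack-patches.sh run` to see both experiments; it assumes a `patch` that understands `--dry-run` (GNU or BusyBox) and `diff -u`. The dry run is the point: on a real tree where each patch set is tens of thousands of lines, you want to learn which set rejects, and on top of which other set, before anything in the tree has been modified, so you can reorder or rebase that set instead of cleaning up .rej files by hand.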
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 4:28 [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel Kevin
@ 2006-05-07 4:39 ` Alex Efros
2006-05-13 20:22 ` Peter S. Mazinger
2006-05-07 5:28 ` Brad Plant
2006-05-07 13:40 ` Chris PeBenito
2 siblings, 1 reply; 8+ messages in thread
From: Alex Efros @ 2006-05-07 4:39 UTC
To: gentoo-hardened
Hi!
On Sun, May 07, 2006 at 12:28:40AM -0400, Kevin wrote:
> If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
> incorporated into a kernel, any recommendations for doing this?
AFAIK hardened-sources already contain SELinux+PaX+GRSecurity.
--
WBR, Alex.
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 4:28 [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel Kevin
2006-05-07 4:39 ` Alex Efros
@ 2006-05-07 5:28 ` Brad Plant
2006-05-07 13:40 ` Chris PeBenito
2 siblings, 0 replies; 8+ messages in thread
From: Brad Plant @ 2006-05-07 5:28 UTC
To: gentoo-hardened
> Has anyone done anything like this? Is it silly to even think that the
> hand-applied patches will apply without rejects?
I haven't tried myself, but I have read in a few spots that it can't be
done.
> Or should I be doing a strictly Xen kernel as the host kernel and if I
> want SELinux/PaX/GRSecurity, put that in a guest kernel? But doesn't
> the guest kernel also have to be patched for xen? In which case the
> original question of getting a kernel patched with all four still applies.
If you use a new Intel processor with VT support or an AMD processor
with Pacifica then you can run unmodified guest kernels. You could then
patch your guest kernel with SELinux/PaX/GRSecurity however you pleased.
There is possibly a performance hit involved with using the new
virtualisation features in the CPU as opposed to porting the guest OS to
run under Xen although I am not aware how much. Does anyone else know?
I would certainly like to be able to run PaX, GRSecurity and Xen together.
Cheers,
Brad
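The check that goes with the VT/Pacifica point above, as an added example that is not code from the thread: the Linux kernel exposes Intel VT-x as the "vmx" flag and AMD-V (the extension code-named Pacifica) as "svm" on the flags line of /proc/cpuinfo, and that is what an unmodified (HVM) guest under Xen depends on. The function names and the constructed /proc/cpuinfo excerpts below are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a CPU advertises
# the hardware virtualisation extension Xen needs to run unmodified (HVM)
# guests. Linux exposes Intel VT-x as the "vmx" flag and AMD-V (the
# extension code-named Pacifica) as "svm" on the flags line of /proc/cpuinfo.

# hvm_support FILE: FILE is /proc/cpuinfo or a copy of it. Prints "vmx",
# "svm" or "none"; returns 1 when neither flag is present.
hvm_support() {
    flags=$(awk -F: '/^flags[ \t]*:/ { print $2; exit }' "$1")
    case " $flags " in
        *" vmx "*) echo vmx ;;
        *" svm "*) echo svm ;;
        *)         echo none; return 1 ;;
    esac
}

# hvm_report FILE: one human-readable line, e.g. for a dom0 build checklist.
hvm_report() {
    vendor=$(awk -F: '/^vendor_id[ \t]*:/ { sub(/^[ \t]+/, "", $2); print $2; exit }' "$1")
    ext=$(hvm_support "$1")
    case $ext in
        vmx) echo "$vendor: VT-x present, HVM guests possible" ;;
        svm) echo "$vendor: AMD-V present, HVM guests possible" ;;
        *)   echo "$vendor: no VT-x/AMD-V flag, paravirtualised guests only"; return 1 ;;
    esac
}

# sample_cpuinfo KIND: constructed /proc/cpuinfo excerpts (intel | amd | old),
# trimmed to the fields the checks read; real files carry many more lines.
sample_cpuinfo() {
    case $1 in
        intel) vendor=GenuineIntel
               flags="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht tm pbe syscall nx lm vmx est tm2 ssse3 cx16 lahf_lm" ;;
        amd)   vendor=AuthenticAMD
               flags="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy" ;;
        *)     vendor=GenuineIntel
               flags="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht tm pbe" ;;
    esac
    printf 'processor\t: 0\nvendor_id\t: %s\nmodel name\t: constructed sample\nflags\t\t: %s\n' "$vendor" "$flags"
}

# On a real machine: sh hvm-check.sh run
case "${1:-}" in
    run) hvm_report /proc/cpuinfo ;;
esac
```

One caveat when reading the result: the flag only says the silicon has the extension. Firmware can still leave it disabled, and that shows up when the hypervisor tries to use it, not in /proc/cpuinfo, so a positive result here is necessary but not sufficient for HVM guests to actually start.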
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 4:28 [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel Kevin
2006-05-07 4:39 ` Alex Efros
2006-05-07 5:28 ` Brad Plant
@ 2006-05-07 13:40 ` Chris PeBenito
2006-05-07 17:48 ` Kevin
2 siblings, 1 reply; 8+ messages in thread
From: Chris PeBenito @ 2006-05-07 13:40 UTC
To: gentoo-hardened
On Sun, 2006-05-07 at 00:28 -0400, Kevin wrote:
> xen-sources (which patches the kernel for xen but not for
> SELinux/PaX/GRSecurity)
>
> or
>
> hardened-sources (which patches the kernel for SELinux/PaX/GRSecurity
> but not for xen)
Just so you know, SELinux is available in all 2.6 kernels, since it is
integrated upstream (i.e. its in vanilla sources).
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 13:40 ` Chris PeBenito
@ 2006-05-07 17:48 ` Kevin
2006-05-07 18:10 ` Rumen Yotov
0 siblings, 1 reply; 8+ messages in thread
From: Kevin @ 2006-05-07 17:48 UTC
To: gentoo-hardened
Chris PeBenito wrote:
> On Sun, 2006-05-07 at 00:28 -0400, Kevin wrote:
>> xen-sources (which patches the kernel for xen but not for
>> SELinux/PaX/GRSecurity)
>>
>> or
>>
>> hardened-sources (which patches the kernel for SELinux/PaX/GRSecurity
>> but not for xen)
>
> Just so you know, SELinux is available in all 2.6 kernels, since it is
> integrated upstream (i.e. its in vanilla sources).
>
Huh!
I didn't realize that. Thanks for pointing it out.
Strangely, make menuconfig in a freshly installed xen-sources tree
doesn't show me any SELinux configuration options, so I just assumed
SELinux wasn't there, but after a make mrproper and make menuconfig, I
do now see the SELinux configuration options. But perhaps even more
strangely, now (after make mrproper), the XEN configuration options are
gone from make menuconfig. What's going on here?
-Kevin
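A more reliable way to answer "which of Xen/SELinux/PaX/grsecurity does this tree carry, and which does it enable" than watching what menuconfig shows, as an added example that is not code from the thread: grep the tree's Kconfig files for the symbols the patch sets define, and read the saved .config. Two facts behind it: CONFIG_XEN is the symbol the Xen patches define, CONFIG_SECURITY_SELINUX is upstream, and CONFIG_PAX and CONFIG_GRKERNSEC come from the PaX/grsecurity patch; and `make mrproper` deletes .config along with every other generated file, so whatever it had selected is gone afterwards unless a copy was kept. The function names, the mini source tree and the .config fragments below are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: two checks that answer "which of
# Xen / SELinux / PaX / grsecurity does this tree carry, and which does the
# saved .config enable" without squinting at menuconfig. The symbols are
# the ones those patch sets define (CONFIG_XEN for the Xen patches,
# CONFIG_SECURITY_SELINUX upstream, CONFIG_PAX and CONFIG_GRKERNSEC for the
# PaX/grsecurity patch); the mini source tree and the .config files are
# constructed stand-ins written to a temp dir.

# tree_has_symbol TREE SYMBOL: does any Kconfig file under TREE define
# "config SYMBOL"? This tells you the patch is in the tree at all,
# independent of what the current .config selects or menuconfig shows.
tree_has_symbol() {
    find "$1" -name 'Kconfig*' -exec grep -lE "^(menu)?config[[:space:]]+$2\$" {} + 2>/dev/null \
        | grep -q .
}

# is_set SYMBOL CONFIG: true when CONFIG has SYMBOL=y or SYMBOL=m.
# A "# SYMBOL is not set" line does not count.
is_set() {
    grep -qE "^$1=(y|m)\$" "$2"
}

# enabled_features CONFIG: print, space separated and in a fixed order,
# which of the four feature sets a saved .config turns on.
enabled_features() {
    out=""
    is_set CONFIG_XEN              "$1" && out="$out xen"
    is_set CONFIG_SECURITY_SELINUX "$1" && out="$out selinux"
    is_set CONFIG_PAX              "$1" && out="$out pax"
    is_set CONFIG_GRKERNSEC        "$1" && out="$out grsec"
    echo "${out# }"
}

# make_fixtures: constructed tree and .config fragments; prints the work dir.
make_fixtures() {
    W=$(mktemp -d) || return 1
    mkdir -p "$W/tree/arch/i386" "$W/tree/security/selinux"
    # a tree carrying a Xen option and upstream SELinux, but no PaX/grsec
    printf 'config XEN\n\tbool "Xen guest support"\n' >"$W/tree/arch/i386/Kconfig"
    printf 'config SECURITY_SELINUX\n\tbool "NSA SELinux Support"\n\tdepends on SECURITY\n' \
        >"$W/tree/security/selinux/Kconfig"
    # .config fragments; a real one is thousands of lines long
    printf 'CONFIG_XEN=y\nCONFIG_SECURITY=y\nCONFIG_SECURITY_SELINUX=y\n# CONFIG_PAX is not set\n' \
        >"$W/xen-selinux.config"
    printf '# CONFIG_XEN is not set\nCONFIG_PAX=y\nCONFIG_PAX_NOEXEC=y\nCONFIG_GRKERNSEC=y\n' \
        >"$W/hardened.config"
    echo "$W"
}

# With a real tree: sh kconfig-check.sh /usr/src/linux
if [ -n "${1:-}" ]; then
    for s in XEN SECURITY_SELINUX PAX GRKERNSEC; do
        if tree_has_symbol "$1" "$s"; then echo "tree defines CONFIG_$s"; else echo "tree lacks CONFIG_$s"; fi
    done
    if [ -f "$1/.config" ]; then
        echo "enabled in .config: $(enabled_features "$1/.config")"
    else
        echo "no .config in $1 (make mrproper deletes it; copy it out before running that)"
    fi
fi
```

The first check is the one to run when an option has "disappeared" from menuconfig: if the Kconfig symbol is still defined in the tree, the patch is present and the option is merely hidden by a dependency or by the current configuration; if it is not defined, the tree you are looking at simply does not carry that patch set.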
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 17:48 ` Kevin
@ 2006-05-07 18:10 ` Rumen Yotov
0 siblings, 0 replies; 8+ messages in thread
From: Rumen Yotov @ 2006-05-07 18:10 UTC
To: gentoo-hardened
Kevin wrote:
> Chris PeBenito wrote:
>> On Sun, 2006-05-07 at 00:28 -0400, Kevin wrote:
>>> xen-sources (which patches the kernel for xen but not for
>>> SELinux/PaX/GRSecurity)
>>>
>>> or
>>>
>>> hardened-sources (which patches the kernel for SELinux/PaX/GRSecurity
>>> but not for xen)
>> Just so you know, SELinux is available in all 2.6 kernels, since it is
>> integrated upstream (i.e. its in vanilla sources).
>>
>
> Huh!
>
> I didn't realize that. Thanks for pointing it out.
>
> Strangely, make menuconfig in a freshly installed xen-sources tree
> doesn't show me any SELinux configuration options, so I just assumed
> SELinux wasn't there, but after a make mrproper and make menuconfig, I
> do now see the SELinux configuration options. But perhaps even more
> strangely, now (after make mrproper), the XEN configuration options are
> gone from make menuconfig. What's going on here?
>
> -Kevin
>
Hi,
Think that Xen is hiding all other options, leaving only those that work
with it (or the devs choose to leave as needed/appropriate).
Not very much experience with Xen though. This for a Xen core kernel.
HTH. Rumen
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 4:39 ` Alex Efros
@ 2006-05-13 20:22 ` Peter S. Mazinger
2006-05-14 11:27 ` Panagiotis Atmatzidis
0 siblings, 1 reply; 8+ messages in thread
From: Peter S. Mazinger @ 2006-05-13 20:22 UTC
To: gentoo-hardened
On Sun, 7 May 2006, Alex Efros wrote:
> Hi!
>
> On Sun, May 07, 2006 at 12:28:40AM -0400, Kevin wrote:
> > If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
> > incorporated into a kernel, any recommendations for doing this?
>
> AFAIK hardened-sources already contain SELinux+PaX+GRSecurity.
I would say hardened-sources have either SELinux-PaX or PaX/GRSecurity
Peter
--
Peter S. Mazinger <ps dot m at gmx dot net> ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-13 20:22 ` Peter S. Mazinger
@ 2006-05-14 11:27 ` Panagiotis Atmatzidis
0 siblings, 0 replies; 8+ messages in thread
From: Panagiotis Atmatzidis @ 2006-05-14 11:27 UTC
To: gentoo-hardened
Peter S. Mazinger wrote:
> On Sun, 7 May 2006, Alex Efros wrote:
>
>> Hi!
>>
>> On Sun, May 07, 2006 at 12:28:40AM -0400, Kevin wrote:
>>> If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
>>> incorporated into a kernel, any recommendations for doing this?
>> AFAIK hardened-sources already contain SELinux+PaX+GRSecurity.
>
> I would say hardened-sources have either SELinux-PaX or PaX/GRSecurity
>
> Peter
>
Yes and it's a good practice to keep the security models separated even
on ml posts. I was a bit confused myself at the beginning and I found
many users who are confused even though they use one of the security
models mentioned above. Many people think that they can use rsbac +
grsecurity + SELinux all together, which in theory[1] is possible but it
makes no sense and turns the box into something unusable.
So, be nice with newcomers and try not to confuse them :-)
[1] A guy told me that he installed all the 3 sec models in his test box
once upon a time.