* [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
@ 2006-05-07 4:28 Kevin
2006-05-07 4:39 ` Alex Efros
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Kevin @ 2006-05-07 4:28 UTC (permalink / raw
To: gentoo-hardened
Hi Folks-
I've read a little discussion in the archive on this subject (such as
http://www.mail-archive.com/gentoo-hardened@lists.gentoo.org/msg00338.html)
but not much and not recently.
I've also read a little discussion in non-gentoo forums:
http://linux.slashdot.org/article.pl?sid=05/11/01/0444221
As I try to do this, it's just dawned on me that by going strictly with
gentoo packages, I can have a kernel running from either:
xen-sources (which patches the kernel for xen but not for
SELinux/PaX/GRSecurity)
or
hardened-sources (which patches the kernel for SELinux/PaX/GRSecurity
but not for xen)
If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
incorporated into a kernel, any recommendations for doing this?
Ideas:
1) start with xen-sources and apply the hardened patches by hand (seems
like it might be daunting)
2) start with hardened-sources and apply the xen patches by hand (also
seems daunting though maybe a tad less so)
3) start with vanilla-sources and apply gentoo patches, hardened
patches, and xen patches by hand (and any others I think I need)
4) don't even bother with gentoo kernel packages and just handle the
kernel as a software package that's not in portage and get the vanilla
kernel tarball and desired patches and do the patching myself by hand
Has anyone done anything like this? Is it silly to even think that the
hand-applied patches will apply without rejects?
Or should I be doing a strictly Xen kernel as the host kernel and if I
want SELinux/PaX/GRSecurity, put that in a guest kernel? But doesn't
the guest kernel also have to be patched for xen? In which case the
original question of getting a kernel patched with all four still applies.
I'm so confused....
Thanks.
-Kevin
--
gentoo-hardened@gentoo.org mailing list
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 4:28 [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel Kevin
@ 2006-05-07 4:39 ` Alex Efros
2006-05-13 20:22 ` Peter S. Mazinger
2006-05-07 5:28 ` Brad Plant
2006-05-07 13:40 ` Chris PeBenito
2 siblings, 1 reply; 8+ messages in thread
From: Alex Efros @ 2006-05-07 4:39 UTC (permalink / raw
To: gentoo-hardened
Hi!
On Sun, May 07, 2006 at 12:28:40AM -0400, Kevin wrote:
> If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
> incorporated into a kernel, any recommendations for doing this?
AFAIK hardened-sources already contain SELinux+PaX+GRSecurity.
--
WBR, Alex.
--
gentoo-hardened@gentoo.org mailing list
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 4:39 ` Alex Efros
@ 2006-05-13 20:22 ` Peter S. Mazinger
2006-05-14 11:27 ` Panagiotis Atmatzidis
0 siblings, 1 reply; 8+ messages in thread
From: Peter S. Mazinger @ 2006-05-13 20:22 UTC (permalink / raw
To: gentoo-hardened
On Sun, 7 May 2006, Alex Efros wrote:
> Hi!
>
> On Sun, May 07, 2006 at 12:28:40AM -0400, Kevin wrote:
> > If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
> > incorporated into a kernel, any recommendations for doing this?
>
> AFAIK hardened-sources already contain SELinux+PaX+GRSecurity.
I would say hardened-sources have either SELinux-PaX or PaX/GRSecurity
Peter
--
Peter S. Mazinger <ps dot m at gmx dot net> ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2
--
gentoo-hardened@gentoo.org mailing list
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-13 20:22 ` Peter S. Mazinger
@ 2006-05-14 11:27 ` Panagiotis Atmatzidis
0 siblings, 0 replies; 8+ messages in thread
From: Panagiotis Atmatzidis @ 2006-05-14 11:27 UTC (permalink / raw
To: gentoo-hardened
Peter S. Mazinger wrote:
> On Sun, 7 May 2006, Alex Efros wrote:
>
>> Hi!
>>
>> On Sun, May 07, 2006 at 12:28:40AM -0400, Kevin wrote:
>>> If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
>>> incorporated into a kernel, any recommendations for doing this?
>> AFAIK hardened-sources already contain SELinux+PaX+GRSecurity.
>
> I would say hardened-sources have either SELinux-PaX or PaX/GRSecurity
>
> Peter
>
Yes and it's a good practice to keep the security models separated even
on ml posts. I was a bit confused myself at the beginning and I found
many users who are confused even though they use one of the security
models mentioned above. Many people think that they can use rsbac +
grsecurity + SELinux all together, which in theory[1] is possible but it
makes no sense and turns the box into something unusable.
So, be nice with newcomers and try not to confuse them :-)
[1] A guy told me that he installed all the 3 sec models in his test box
once upon a time.
--
gentoo-hardened@gentoo.org mailing list
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 4:28 [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel Kevin
2006-05-07 4:39 ` Alex Efros
@ 2006-05-07 5:28 ` Brad Plant
2006-05-07 13:40 ` Chris PeBenito
2 siblings, 0 replies; 8+ messages in thread
From: Brad Plant @ 2006-05-07 5:28 UTC (permalink / raw
To: gentoo-hardened
> Has anyone done anything like this? Is it silly to even think that the
> hand-applied patches will apply without rejects?
I haven't tried myself, but I have read in a few spots that it can't be
done.
> Or should I be doing a strictly Xen kernel as the host kernel and if I
> want SELinux/PaX/GRSecurity, put that in a guest kernel? But doesn't
> the guest kernel also have to be patched for xen? In which case the
> original question of getting a kernel patched with all four still applies.
If you use a new Intel processor with VT support or an AMD processor
with Pacifica then you can run unmodified guest kernels. You could then
patch your guest kernel with SELinux/PaX/GRSecurity however you pleased.
There is possibly a performance hit involved with using the new
virtualisation features in the CPU as apposed to porting the guest OS to
run under Xen although I am not aware how much. Does anyone else know?
I would certainly like to be able to run PaX, GRSecurity and Xen together.
Cheers,
Brad
--
gentoo-hardened@gentoo.org mailing list
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 4:28 [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel Kevin
2006-05-07 4:39 ` Alex Efros
2006-05-07 5:28 ` Brad Plant
@ 2006-05-07 13:40 ` Chris PeBenito
2006-05-07 17:48 ` Kevin
2 siblings, 1 reply; 8+ messages in thread
From: Chris PeBenito @ 2006-05-07 13:40 UTC (permalink / raw
To: gentoo-hardened
[-- Attachment #1: Type: text/plain, Size: 623 bytes --]
On Sun, 2006-05-07 at 00:28 -0400, Kevin wrote:
> xen-sources (which patches the kernel for xen but not for
> SELinux/PaX/GRSecurity)
>
> or
>
> hardened-sources (which patches the kernel for SELinux/PaX/GRSecurity
> but not for xen)
Just so you know, SELinux is available in all 2.6 kernels, since it is
integrated upstream (i.e. its in vanilla sources).
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 191 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 13:40 ` Chris PeBenito
@ 2006-05-07 17:48 ` Kevin
2006-05-07 18:10 ` Rumen Yotov
0 siblings, 1 reply; 8+ messages in thread
From: Kevin @ 2006-05-07 17:48 UTC (permalink / raw
To: gentoo-hardened
Chris PeBenito wrote:
> On Sun, 2006-05-07 at 00:28 -0400, Kevin wrote:
>> xen-sources (which patches the kernel for xen but not for
>> SELinux/PaX/GRSecurity)
>>
>> or
>>
>> hardened-sources (which patches the kernel for SELinux/PaX/GRSecurity
>> but not for xen)
>
> Just so you know, SELinux is available in all 2.6 kernels, since it is
> integrated upstream (i.e. its in vanilla sources).
>
Huh!
I didn't realize that. Thanks for pointing it out.
Strangely, make menuconfig in a freshly installed xen-sources tree
doesn't show me any SELinux configuration options, so I just assumed
SELinux wasn't there, but after a make mrproper and make menuconfig, I
do now see the SELinux configuration options. But perhaps even more
strangely, now (after make mrproper), the XEN configuration options are
gone from make menuconfig. What's going on here?
-Kevin
--
gentoo-hardened@gentoo.org mailing list
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel
2006-05-07 17:48 ` Kevin
@ 2006-05-07 18:10 ` Rumen Yotov
0 siblings, 0 replies; 8+ messages in thread
From: Rumen Yotov @ 2006-05-07 18:10 UTC (permalink / raw
To: gentoo-hardened
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kevin wrote:
> Chris PeBenito wrote:
>> On Sun, 2006-05-07 at 00:28 -0400, Kevin wrote:
>>> xen-sources (which patches the kernel for xen but not for
>>> SELinux/PaX/GRSecurity)
>>>
>>> or
>>>
>>> hardened-sources (which patches the kernel for SELinux/PaX/GRSecurity
>>> but not for xen)
>> Just so you know, SELinux is available in all 2.6 kernels, since it is
>> integrated upstream (i.e. its in vanilla sources).
>>
>
> Huh!
>
> I didn't realize that. Thanks for pointing it out.
>
> Strangely, make menuconfig in a freshly installed xen-sources tree
> doesn't show me any SELinux configuration options, so I just assumed
> SELinux wasn't there, but after a make mrproper and make menuconfig, I
> do now see the SELinux configuration options. But perhaps even more
> strangely, now (after make mrproper), the XEN configuration options are
> gone from make menuconfig. What's going on here?
>
> -Kevin
>
Hi,
Think that Xen is hiding all other options, leaving only those that work
with it (or the devs choose to leave as needed/appropriate).
Not very much experience with Xen though. This for a Xen core kernel.
HTH.Rumen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3-ecc0.1.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEXjgZNbtuTtsWD3wRAkP8AJwLinTvjYPnxhdG1PSMK85SMmZuSgCeLb8T
MxsJuRUb7ttZg4fuJgBoL18=
=iknG
-----END PGP SIGNATURE-----
--
gentoo-hardened@gentoo.org mailing list
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2006-05-14 11:26 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-05-07 4:28 [gentoo-hardened] Obtaining a Xen/SELinux/PaX/GRSecurity kernel Kevin
2006-05-07 4:39 ` Alex Efros
2006-05-13 20:22 ` Peter S. Mazinger
2006-05-14 11:27 ` Panagiotis Atmatzidis
2006-05-07 5:28 ` Brad Plant
2006-05-07 13:40 ` Chris PeBenito
2006-05-07 17:48 ` Kevin
2006-05-07 18:10 ` Rumen Yotov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox