Message-ID: <49bf44f10812250712u35f87d71l750fd67f97204dad@mail.gmail.com>
Date: Thu, 25 Dec 2008 07:12:47 -0800
From: Grant
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
In-Reply-To: <200812241621.13188.gengor@gentoo.org>

> Hardened profiles: Yes there's a difference, no you should not switch to
> hardened/linux/${ARCH} at this time.

Is hardened/x86/2.6 still available for new installations? My other
systems are amd64 but none of them list hardened/amd64/2.6.

> You can get skype working by downloading or building gcc 4.1.x and pointing
> LD_LIBRARY_PATH at the shared object directory when starting skype. skype
> won't be using hardened toolchain but since it's closed source and you're
> willing to switch the whole machine to non-hardened I figure you probably
> don't mind. ;)
>
> Example:
> 1. Download
>    http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
> 3. Run it:
>    LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/" skype
>
> If you only require VoIP capability and not skype specifically you might be
> interested in net-im/ekiga.

Thank you very much for that, but I'm trying to simplify. You see,
I'm only a fake sysadmin. Does using a hardened kernel with a
non-hardened profile still offer good protection?

- Grant

>> > I've been able to do so; basically I switched over to the standard
>> > profile, disabled selinux in the kernel, and re-emerged system for new
>> > use flags. There were some other details but overall the process was
>> > pretty painless, anyone ambitious enough to configure a hardened system
>> > can probably handle the switch without much problem. Not that I'm
>> > encouraging you to drop hardened (especially on a laptop that could be
>> > exposed to random wifi networks ;-)
>>
>> Is there any difference between 1 and 8 here? Should I switch to 8?
>>
>> # eselect profile list
>> Available profile symlink targets:
>>   [1] hardened/x86/2.6 *
>>   [2] selinux/2007.0/x86
>>   [3] selinux/2007.0/x86/hardened
>>   [4] default/linux/x86/2008.0
>>   [5] default/linux/x86/2008.0/desktop
>>   [6] default/linux/x86/2008.0/developer
>>   [7] default/linux/x86/2008.0/server
>>   [8] hardened/linux/x86
>>
>> - Grant
>>
>> >> Can I switch my laptop's profile from a hardened one to a non-hardened
>> >> one? I thought this was impossible without a complete reinstall but
>> >> folks on the gentoo-user list seem to think it's not a problem.
>> >>
>> >> - Grant