I was in the same situation a couple of months back. I wanted to set up my new Opteron server with Gentoo AMD64. After a lot of research and some initial testing I decided that (at least for me) the AMD64 platform isn't ready just yet for normal usage on a server.
I applaud the efforts of the AMD64 team and I plan one day to switch, but for now you may want to really analyze if you need the 64 bits for your server. If you don't really need them, you may be better off with the 32 bit versions for now, especially in a production environment.
I speak from somewhat of a newbie perspective; if you are a seasoned professional, then obviously you will be able to deal with the issues that come up.
Best regards, Chris
Chris Smart wrote:
Greetings,
I am looking to build a new Opteron server soon, and I want to look at securing it with SELinux (and 64bit only).
Due to my own ignorance, I am a little confused as to the differences between the Hardened project and SELinux, PaX, GRSecurity etc.
My feeling is that the hardened project is really a collection of like-minded security projects (i.e. selinux, grsecurity, pax).
And that using the hardened USE flag, binaries that support it will build with hardened security features.
As I am building this new 64-bit Opteron system from scratch, where should I start? What stage tarball should I be using? What livecd?
Most importantly what profile do I use? profiles/hardened/amd64/ or profiles/selinux/2005.1/amd64/ ?
Should I be using the selinux USE flag these days, or is that deprecated in favour of the selinux profile? Should I have both?
My guess is that I should use a PaX enabled kernel with SELinux, or perhaps GRSecurity, or even both.
Any pointers to get me started would be most appreciated.
Update:
I have tried using stage3-x86-hardened-2005.0 with both the hardened and selinux profiles. At various stages it complains about either multilib or some 32-bit libraries that the system is expecting. I could not get it to work with the selinux profile.
However, the last thing I have tried seems promising: it's the /usr/portage/profiles/hardened/amd64/ profile.
It stops at a bug for libperl:
doio.c:37: error: conflicting types for 'shmat'
/usr/include/sys/../gentoo-multilib/default/sys/shm.h:58: error: previous declaration of 'shmat' was here
make: *** [doio.o] Error 1
It is a known bug that prevents libperl from compiling on a non-multilib system and at present there is no fix :(
There is no stage3 amd64 hardened/selinux tarball that I can find. Am I barking up the wrong tree?
Cheers and thanks for your time,
Chris
-- [email protected] mailing list
