Hello everybody!

Sorry for answering so late - I had lots of work to do last week...

Here are all the changes that Secure-SLinux does to HLFS, of course for 2.6 kernels.
There aren't many, since HLFS is already quite stable.

Chapter 5:
=======
- glibc 2.3.6: use the localdef patch, so that localedef does not segfault with PAX enabled kernels. This allows one to compile HLFS with PAX enabled kernels (among other things). If not patched, Ch. 6. glibc install will fail. Compiling HLFS from HLFS is also a good test!

- coreutils 5.27: use the coreutils-5.97-uname_PIC-1.patch. This allows one to fully use the output of "uname". Needed for example if you want to use the uname hack to compile chapter 6 for a different architecture (pseudo cross compile).

Chapter 6:
=======
- entering chroot: those sysctl commands are not enough - at least one is missing, can't remember which one. I use

  sysctl -a 2>/dev/null | grep grsec | grep chroot | sed -e "s@ = [01]@@" | xargs -I abc sysctl -w abc=0

  which turns off all chroot restrictions

- creating dirs: there are differences between the directory structures of HLFS and LFS.
For example /opt is missing in HLFS.

- /var/log/btmp: needs permission -rw------ otherwise openssh does not login

- removing static libs: Never ever remove static libs! _Never_ ever. You will feel so sorry should you ever need them. Some packages of the base HLFS installation don't compile if certain static libraries are missing, that's why they are removed late. If you want to reinstall gcc (for example) from BLFS with all languages enabled or if you need a statically linked gnupg in your initrd because you want to boot off an encrypted root partition, etc. etc. You will feel sorry! I tell you because I know and there is absolutely nothing you can do! So I recommend: take out all the configure options which tell programs not to compile static libs and leave it. At the most, move all static libs at the end of HLFS installation to a separate directory (eg. /usr/static-libs). You will not increase security by removing static libs! Some say, a program is only secure, if it is self-contained (ie. independent of possibly forged dynamic libraries). However, since not even HLFS is independent of static libraries, you cannot assume that updating a dynamic library automatically fixes all its bugs in all programs which are using it.

- glibc 2.3.6: use the localdef patch
- glibc 2.3.6: --enable-kernel=2.6.12 (since we are using the 2.6.12 headers. This allows glibc to use more advanced features of the kernel and needs fewer workarounds. I don't know whether this makes much of a difference).

- paxctl: paxctl -spm /usr/sbin/iconvconfig

Chapter 7:
=======
- Setclock script _is_ working (although HLFS has been believing that it doesn't for quite a while), so add setclock script:

cat > /etc/sysconfig/clock << "EOF"
# Begin /etc/sysconfig/clock

UTC=0

# End /etc/sysconfig/clock
EOF

- Linux 2.6.17.8: use patches
  - grsecurity-2.1.9-2.6.17.8-200608121035.patch
  - linux-2.6.16.19-pseudo_random-1.patch-256byte_sysctl
  - linux-2.6.16.19-entropy_pool_size-1.patch

- Linux:
  - Do _NOT_ enable the following: CONFIG_PAX_EMUTRAMP
     later it says
     Do enable the following: CONFIG_PAX_EMUTRAMP
     Do not enable it. It's a security problem and localedef can be fixed with the patch.
  - For X11: CONFIG_GRKERNSEC_KMEM can be set to y. X11 will still work.
     This has been fixed by the grsecurity team.

Add-ons in Secure-SLinux:
==================
- libxcrypt for blowfish passwords in shadow
- gpm for mouse support
- loop-aes patch for util-linux and kernel
- squashfs for kernel
- uname hack for chapter 6 so that HLFS can be compiled for any ix86 architecture (needs to change config for perl since perl does not use uname to find out the architecture!).


Sebastian Faulborn
Homepage: http://www.secure-slinux.org
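
An added example, not part of the original post: the sysctl one-liner in the Chapter 6 notes leaves every grsecurity chroot restriction switched off, so this sketch records the current values first and generates both the disable and the restore commands. The sample `sysctl -a` output is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): record the grsecurity chroot
# sysctls before switching them off, so they can be restored after the build.

# Constructed sample of `sysctl -a` output; the key names are illustrative.
sample_sysctl() {
    cat <<'EOF'
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.audit_chdir = 1
kernel.ostype = Linux
EOF
}

# Read `sysctl -a` text on stdin, print "key=value" for each chroot toggle.
chroot_settings() {
    sed -n 's/^\([A-Za-z0-9_.]*grsec[A-Za-z0-9_.]*chroot[A-Za-z0-9_]*\) = \([01]\)$/\1=\2/p'
}

# Commands that turn off only the restrictions that are currently on.
disable_cmds() {
    chroot_settings | sed -n 's/^\(.*\)=1$/sysctl -w \1=0/p'
}

# Commands that put every snapshotted value back once the build is done.
restore_cmds() {
    chroot_settings | sed 's/^/sysctl -w /'
}

# Dry run on the sample: print the commands instead of executing them.
# On a real host, feed `sysctl -a 2>/dev/null` in place of sample_sysctl,
# save the restore_cmds output to a file, and run it after leaving chroot.
echo "# disable before entering chroot:"
sample_sysctl | disable_cmds
echo "# restore after the build:"
sample_sysctl | restore_cmds
```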

