On Monday May 28 2007 12:24:41 pm Jaap Struyk wrote:
> Robert Connolly wrote:
> > It's odd. I got a lot of google hits on this, it's a known problem with
> > selinux. I'm not sure why I haven't noticed it before. Try to build
> > openssl with:
> > make MANDIR=/usr/share/man AS="gcc -c -Wa,--noexecstack"
>
> Thanks Robert,
>
> That did work, but doesn't that leave me with an "unprotected" libssl?
> On the other hand, without it I have to disable mprotect in the kernel
> which isn't good either.

It's not unprotected now, it's built like the rest of the libraries. Binutils is using --execstack, needlessly, on all programs and libraries with assembly code. I'm seeing if I can patch Binutils to use --execstack only if it's specifically called for, instead of patching every program with assembly. Gzip and GnuPG have the same issue, except they added a ./configure option for --noexecstack. Java compilers are the only programs I can think of that actually need --execstack.

> In the past, I can remember that the hlfs book contained a few
> beyond-hlfs apps; openssh, openntp and then openssl was part of the
> "beyond" and if I recall it right it had to be patched for ssp.
> Was that patch also removing the execstack like the way above or was that
> a "true" adaption of openssl?

The patch for OpenSSL was for arc4random, but a small Sed command works just as well now. I want to use the BLFS wiki for changes to BLFS packages, I think it would benefit everyone better. OpenSSL is eventually going to be integrated in the hlfs core packages, so it's different.

> Anyway, all's well now and everything I compiled right now worked as
> expected apart from gmp-4.2.1
> After a lot of trouble I got it working with "gentoo hardened" patches:

I haven't ever tried to build gmp, I don't know anything about it. Good luck

robert
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
