# Who's using Gentoo Hardened? & gcc install problems [sol

## odessit

I am starting the design/installation of the Gentoo server.

Originally I planned on using Gentoo Hardened, but it is located under the Experimental folder.

Should I?

Would a better choice be a standard Gentoo for a mail server, hardened manually/conventionally?

What does everybody use?

----------

## RedDawn

Nice.. I just started my installation with SELinux; so far I haven't had any problems with the installation.. right now it is bootstrapping the system!    :Laughing: 

here is the how-to that I'm using..

http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml

you will have to find the iso image somewhere else since it has been removed from the servers.. google it up..

----------

## tuxmin

I'm using hardened Gentoo with a couple of highly loaded webservers together with a grsec kernel at high level -- runs without any hassle...

----------

## odessit

RedDawn, this is exactly what I am doing, will take a while on this dually 333 though   :Rolling Eyes: 

Just that "experimental" freaks me out a bit...

----------

## RedDawn

 *odessit wrote:*   

> RedDawn, this is exactly what I am doing, will take a while on this dually 333 though  
> 
> Just that "experimental" freaks me out a bit...

 

tell me about it.. as soon as gcc is about to be compiled, Gentoo freaks out about gcc already being installed and that it blocks my current installation.. weird..  I'm doing some research on the subject just to see what's up..    :Mad: 

----------

## odessit

hmmm... 

as soon as I hit gettext compilation - the first program after kernel extract - I get "C compiler cannot create executables"

----------

## RedDawn

 *odessit wrote:*   

> hmmm... 
> 
> as soon as I hit gettext compilation - the first program after kernel extract - I get "C compiler cannot create executables"

 

check your CFLAGS..

some little mistake makes an error..

visit my irc channel..

irc.yourowndisaster.net

/join  #Reddawn  or #reddawn  i forget..

----------

## odessit

thanks, I will stop by tomorrow, just came home, server is not here (thankfully LOL)

----------

## jpc82

Does anyone have a guide on how to use SELinux?  I have followed the guide  on how to convert a regular installation to SELinux, but I have no idea how to set the policies and how to really take advantage of the security features.

----------

## RedDawn

 *jpc82 wrote:*   

> Does anyone have a guide on how to use SELinux?  I have followed the guide  on how to convert a regular installation to SELinux, but I have no idea how to set the policies and how to really take advantage of the security features.

 

How did you set up SELinux? Did you do a regular system installation and then follow the guide to convert it to SELinux? thanks.

----------

## jpc82

 *RedDawn wrote:*   

>  *jpc82 wrote:*   Does anyone have a guide on how to use SELinux?  I have followed the guide  on how to convert a regular installation to SELinux, but I have no idea how to set the policies and how to really take advantage of the security features. 
> 
> How did you set up SELinux? Did you do a regular system installation and then follow the guide to convert it to SELinux? thanks.

 

Yes

----------

## ryceck

I used the hardened-manual to install SElinux but that failed *miserably* for me... After 2 days (too much downtime) I installed a hardened system with PAX and GRsec without selinux and this works like a charm.

I just want to use a hardened glibc and gcc but that is something for a few weeks away  :Smile: 

----------

## odessit

well I got past the gettext problem

it did not like the -fomit-frame-pointer flag for the P2

I will stop by your IRC in a short while, see if you are there.

I hope it will not bomb on the gcc...

----------

## RedDawn

 *ryceck wrote:*   

> I used the hardened-manual to install SElinux but that failed *miserably* for me... After 2 days (too much downtime) I installed a hardened system with PAX and GRsec without selinux and this works like a charm.
> 
> I just want to use a hardened glibc and gcc but that is something for a few weeks away 

 

I think I might just do that..  Unless I can find a Stage3 tarball with all the system up and running; all I would have to do is update it!

PS:  odessit  did you get past the bootstrap.. i failed on that..   :Crying or Very sad: 

----------

## odessit

no go

gcc hardened conflicts, same as yours

I'll do some searching

----------

## RedDawn

 *odessit wrote:*   

> no go
> 
> gcc hardened conflicts, same as yours
> 
> I'll do some searching

 

Darn..  does anyone here know where we can find current project documentation on SELinux.. and why it does that..

----------

## odessit

link 1

https://forums.gentoo.org/viewtopic.php?t=197703&highlight=gcc+hardened

emerging right now

----------

## RedDawn

 *odessit wrote:*   

> link 1
> 
> https://forums.gentoo.org/viewtopic.php?t=197703&highlight=gcc+hardened
> 
> emerging right now

 

nice..  can you confirm it works when ur done...  

thanks

----------

## odessit

the bug page mentioned something about unmerging gcc first

the post did not mention anything about it so I did not unmerge gcc.

Maybe you should try with unmerging gcc first and then typing the commands provided.

One of us will get it right

----------

## HydroSan

I use Gentoo Hardened with GRSecurity set to Medium in the kernel, with tight permissions on all my users, no X, and with -fstack-protector enabled.

A friend of mine says -fstack-protector prevents buffer overflows at the cost of 10% performance. I think it's worth it.

----------

## odessit

yes, for a faster machine I would use the same, I'll keep it in mind when deploying the next round of servers

My current server is dual P2-333

----------

## UberLord

If you use the "hardened" profile then you don't need -fstack-protector and a few USE flags as the profile provides this for you.

----------

## RedDawn

 *odessit wrote:*   

> the bug page mentioned something about unmerging gcc first
> 
> the post did not mention anything about it so I did not unmerge gcc.
> 
> Maybe you should try with unmerging gcc first and then typing the commands provided.
> ...

 

Ok I'll give it a go.. I'll tell you how it goes!

----------

## odessit

ok my way did not work

will try unmerging first

----------

## RedDawn

 *odessit wrote:*   

> ok my way did not work
> 
> will try unmerging first

 

well I unmerged gcc-hardened and got no errors..  

but when I tried to run bootstrap-cascade.sh the bootstrap started but did not emerge... anything.. it just stayed there..

and when I tried to emerge gcc-hardened I got all these errors about files missing and then my system rebooted      :Crying or Very sad: 

I'll keep on trying, maybe I did something wrong!

----------

## UberLord

Just add the "hardened" USE flag and gcc will become "hardened" .....

----------

## RedDawn

 *UberLord wrote:*   

> Just add the "hardened" USE flag and gcc will become "hardened" .....

how do i verify that gcc is hardened?

gcc -v??

----------

## odessit

actually I do have hardened in my USE flags

Also when I was leaving, the install was still going (after gcc-hardened uninstall), but it appears that it got past the "error" point.

I can not verify this until tomorrow morning.

----------

## really

 *RedDawn wrote:*   

>  *UberLord wrote:*   Just add the "hardened" USE flag and gcc will become "hardened" .....
> 
> how do i verify that gcc is hardened?
> 
> gcc -v??

```shell
cat /usr/lib/gcc-lib/i386-blah/version/specs | grep stack
```

if you see something with stack-protector then you have it (the stack protector, ProPolice SSP).

perhaps?

that's how I checked that it included -fstack-protector by default on my Linux From Scratch..

or compile this little program 

```c
#include <stdio.h>

int main(void) {
        char bof[2];

        printf("Hit me: ");
        gets(bof);                       /* unbounded read: anything past 2 bytes overflows bof */
        printf("You typed, %s\n", bof);  /* echo the buffer back */
        return 0;
}
```

with `gcc -o bof bof.c` (if you saved it as bof.c)

then run it and give it more than 2 characters like "hello"

when you press enter it will fail. If it fails with "segmentation fault" then you don't have the stack protector in gcc; if it says stack smashed something then you do have it.

if the program is Killed you have PaX and you are safe.

Segmentation fault: bad

stack smashing protector something: ok

Killed: ok

of course if it segfaults you can try `gcc -fstack-protector -o bof bof.c`

and see if it can even compile programs with that. it should be able to. if not, recompile gcc, glibc and binutils.
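As an added check script (mine, not from the thread): it verifies the toolchain default two ways, the post's specs grep done through `gcc -dumpspecs` instead of a hard-coded path, and the `__SSP__` preprocessor macro that gcc defines whenever a -fstack-protector option is active; it then maps the three outcomes the post lists to exit statuses. It assumes gcc is on PATH and that the post's program is saved as bof.c in the current directory.

```shell
#!/bin/sh
# Added example, not from the thread: does the installed gcc enable the stack
# protector (ProPolice/SSP) by default, and which of the post's outcomes did the
# bof test produce?

# The post's check without the /usr/lib/gcc-lib/... path: gcc -dumpspecs prints
# the specs actually in use, so a hardened gcc that injects -fstack-protector
# shows the option here.
ssp_in_specs() {
    command -v gcc >/dev/null 2>&1 || { echo "no-gcc"; return 0; }
    if gcc -dumpspecs 2>/dev/null | grep -q 'stack-protector'; then echo "yes"; else echo "no"; fi
}

# Independent check: gcc defines __SSP__ (or __SSP_ALL__ / __SSP_STRONG__) when a
# -fstack-protector* option is active, so preprocessing empty input with no
# CFLAGS reveals the toolchain default even if it was set outside the specs.
ssp_default() {
    command -v gcc >/dev/null 2>&1 || { echo "no-gcc"; return 0; }
    if gcc -dM -E - </dev/null 2>/dev/null | grep -q '__SSP'; then
        echo "ssp-on"
    else
        echo "ssp-off"
    fi
}

# Map the exit status of the overflowed bof program to the post's outcomes.
# A process killed by a signal exits with 128 + signal number.
classify_status() {
    case "$1" in
        134) echo "ssp-caught" ;;   # SIGABRT: __stack_chk_fail reported "stack smashing detected"
        137) echo "pax-killed" ;;   # SIGKILL: PaX terminated the process
        139) echo "unprotected" ;;  # SIGSEGV: the overflow reached the return address unchecked
        0)   echo "no-crash"   ;;   # the overflow went unnoticed this run
        *)   echo "unknown"    ;;
    esac
}

# Build bof.c from the post with the default flags (assumed to be in $PWD),
# feed it a line far longer than the 2-byte buffer, and classify the result.
run_bof() {
    command -v gcc >/dev/null 2>&1 || { echo "no-gcc"; return 0; }
    gcc -o bof bof.c 2>/dev/null || { echo "compile-failed"; return 0; }
    if printf 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n' | ./bof >/dev/null 2>&1; then st=0; else st=$?; fi
    classify_status "$st"
}
```

Run `ssp_default` and `ssp_in_specs` first; only if both say the protector is off does `run_bof` tell you anything new.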

----------

## RedDawn

 *odessit wrote:*   

> actually I do have hardened in my USE flags
> 
> Also when I was leaving, the install was still going (after gcc-hardened uninstall), but it appears that it got past the "error" point.
> 
> I can not verify this until tomorrow morning.

 

How did you do it? Did you do a

emerge -C gcc-hardened before the bootstrap process..  

cuz if you did I must have done something wrong, since I did that and after that the system would not compile anything?

 :Confused: 

----------

## jpc82

Actually the performance hit from -fstack-protector in most situations is far less than 10%.  Under normal situations you will not even notice a performance hit.

This web site shows an 8% hit under the worst scenario

http://www.trl.ibm.com/projects/security/ssp/node5.html#SECTION00051000000000000000

----------

## odessit

RedDawn

Ok, here are my exact steps

***Remove -fomit-frame-pointer from CFLAGS

***Compile

***Error

#gcc -dumpspecs > $(gcc-config -L)/specs

***compile 

***error

#emerge --unmerge gcc-hardened

#gcc -dumpspecs > $(gcc-config -L)/specs

***compile

??? I do not know if I was successful, will find out in the morning

I did not reboot the box or anything else between each step.

jpc, thanks for the link

----------

## RedDawn

 *odessit wrote:*   

> RedDawn
> 
> Ok, here are my exact steps
> 
> ***Remove -fomit-frame-pointer from CFLAGS
> ...

 

Let me try that.. I'll see how it goes..  I'll prob post back around 11 or 12

I'm gonna test it on the Main CPU

3.25Ghz

1Gb Ram  just to see what's up.. I hope my AMD is not letting me down..

----------

## UberLord

 *RedDawn wrote:*   

> 
> 
> How u do it  did you do a 
> 
> emerge -C gcc-hardened before the bootstrap process..  
> ...

 

Why don't you just grab a hardened LiveCD and use that? Then you're all set up from the word go!

----------

## odessit

It worked for me

[TASK] 

Installing "Gentoo Hardened" from "LiveCD 2004.0 Hardened" 

Stage 1

[PROBLEM]

gcc-hardened conflicts with gcc

[SOLUTION]

After getting the error, type the following commands as outlined in the bugzilla

https://bugs.gentoo.org/show_bug.cgi?id=43891

```shell
# remove the conflicting gcc-hardened package, then regenerate the specs file
emerge --unmerge gcc-hardened

gcc -dumpspecs > $(gcc-config -L)/specs
```

----------

## RedDawn

 *odessit wrote:*   

> It worked for me
> 
> [TASK] 
> 
> Installing "Gentoo Hardened" from "LiveCD 2004.0 Hardened" 
> ...

 

Ok got it.. and when you talk about the LiveCD2004.0 Hardened you mean to talk about this right??

gentoo-selinux-2004.0-i686-20040125.iso   <-- thats the one i got?

----------

## odessit

the joys of gentoo  :Smile: 

way too many versions floating around

mine is 

livecd-x86-selinux-20040616.iso

----------

## tcbounce

Hello,

I just made a posting to another forum in relation to a specific error I think using -fstack-protector caused me. (sorry, using links -g on a system bootstrapping, can't cut and paste - do a quick search for linking glibc or "LC2 LC3")

Anyway, the fix to my problem was using a lower optimisation. I'm inferring -fstack-protector had something to do with it. Regardless of it or not, what I have read on a few of IBM's and others' pages is that after you use optimisation higher than -O2, the protection offered by -fstack-protector can get broken, and it can break applications both at run-time and during compilation. Is this true? Should we fear this option as most people on this post are praising it?

If you're using SELinux and Gentoo, is it possible to disable -fstack-protector and rely on SELinux to stop your system being overly compromised in the event that you get a buffer-overflow exploit?

Your comments will be appreciated. Cheers, Luke

----------

