[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Hardening
From: |
ng0 |
Subject: |
Re: Hardening |
Date: |
Wed, 25 Jan 2017 11:51:07 +0000 |
Ricardo Wurmus <address@hidden> writes:
> Leo Famulari <address@hidden> writes:
>
>> On Tue, Jan 24, 2017 at 08:56:48PM +0000, ng0 wrote:
>>> Leo Famulari <address@hidden> writes:
>>> > Should we build Tor with "--enable-expensive-hardening"?
>>>
>>> I will take a look later what can be applied other than the
>>> default configure flags.
>>>
>>> I'm all for hardening, but it seems that the first basic ideas
>>> for Guix are stuck in the idea state.
>>
>> As far as I can tell, --enable-expensive-hardening is specific to Tor,
>> so it's not relevant to the project of hardening all Guix packages.
>>
>>> It would be great to see some movement on this during this
>>> year. I volunteer to help with it, though I don't have as much
>>> experience with SELinux (and only basic experience with
>>> GrSecurity without a modular kernel like GuixSD uses).
>>
>> Yes, this effort needs a champion.
>
> I know SELinux and I have a couple of almost-ready packages for it. The
> bigger problem for us is writing SELinux policies, because we cannot
> just use those from Fedora.
Oh, this is good to hear!
> SELinux policies are applied to file paths (which are not stable in
> Guix) and are “remembered” using extended file attributes. This means
> we’d have to write policies that can deal with arbitrary prefixes and
> we’d have to add an optional service to automatically label all store
> items (that’s expensive but maybe it can be done incrementally).
Oh.
> However, this is completely separate from enabling a configure flag for
> Tor.
That's why I changed the subject of the email, I am aware that
this has nothing to do with tor configure-flags.
--
♥Ⓐ ng0 -- https://www.inventati.org/patternsinthechaos/
- Re: [PATCH] gnu: tor: Update to 0.2.9.9., (continued)
- Re: tor: update to 0.2.9.9, Leo Famulari, 2017/01/24
- Hardening (was: Re: tor: update to 0.2.9.9), ng0, 2017/01/24
- Re: Hardening (was: Re: tor: update to 0.2.9.9), Leo Famulari, 2017/01/24
- Re: Hardening (was: Re: tor: update to 0.2.9.9), ng0, 2017/01/24
- Re: Hardening (was: Re: tor: update to 0.2.9.9), ng0, 2017/01/24
- Re: Hardening (was: Re: tor: update to 0.2.9.9), Leo Famulari, 2017/01/24
- Re: Hardening (was: Re: tor: update to 0.2.9.9), ng0, 2017/01/24
- Re: Hardening (was: Re: tor: update to 0.2.9.9), ng0, 2017/01/24
- Re: Hardening (was: Re: tor: update to 0.2.9.9), Ricardo Wurmus, 2017/01/25
- Re: Hardening,
ng0 <=