[Freeipa-devel] [PATCHES] 204-205 Spec file fixes

Jakub Hrozek jhrozek at redhat.com
Wed Nov 27 14:37:39 UTC 2013


On Wed, Nov 27, 2013 at 02:26:20PM +0100, Jan Cholasta wrote:
> Hi,
> 
> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4010>.
> 
> Honza
> 
> -- 
> Jan Cholasta

> From 27fe562102962416f3db17b1b30be978a8c201b3 Mon Sep 17 00:00:00 2001
> From: Jan Cholasta <jcholast at redhat.com>
> Date: Wed, 27 Nov 2013 13:13:16 +0000
> Subject: [PATCH 1/2] Use hardening flags for ipa-otpd.
> 
> https://fedorahosted.org/freeipa/ticket/4010
> ---
>  daemons/ipa-otpd/Makefile.am | 2 +-
>  freeipa.spec.in              | 4 ++++
>  2 files changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
> index ed99c3e..f0b7528 100644
> --- a/daemons/ipa-otpd/Makefile.am
> +++ b/daemons/ipa-otpd/Makefile.am
> @@ -1,5 +1,5 @@
>  AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
> -AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
> +AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now
>  
>  noinst_HEADERS = internal.h
>  libexec_PROGRAMS = ipa-otpd
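
Review bot: -pie is appended to AM_LDFLAGS on the changed line, but AM_CFLAGS on the line above gets no matching -fPIE, so the objects are only position-independent when $(CFLAGS) happens to carry that flag from the build environment. A plain ./configure && make outside the RPM build can then fail at link time or end up with text relocations. Either add -fPIE to AM_CFLAGS alongside this change, or drop the hardcoded flags here and let the _hardened_build setting in freeipa.spec.in supply both the compile and link flags through CFLAGS and LDFLAGS, which also avoids passing -pie and the -z options twice in packaged builds.
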
> diff --git a/freeipa.spec.in b/freeipa.spec.in
> index 35b8714..8ee69fc 100644
> --- a/freeipa.spec.in
> +++ b/freeipa.spec.in
> @@ -5,6 +5,10 @@
>  %global POLICYCOREUTILSVER 2.1.12-5
>  %global gettext_domain ipa
>  
> +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
> +%define _hardened_build 1
> +%endif
> +
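
Review bot: the new `%define _hardened_build 1` line uses %define while the two context lines directly above it (POLICYCOREUTILSVER, gettext_domain) use %global; please use `%global _hardened_build 1` to match the rest of the spec header and the usual packaging convention for top-level macros. A one-line comment above the %if saying why the build is hardened (ticket 4010) would also help whoever later touches the Fedora/RHEL version conditions.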

I'm sorry, I removed Martin's e-mail by accident so I'll reply here. I
think defining the hardened build globally is fine, the only performance
impact is during startup and only small.

AFAIR, the C utilities in IPA are mostly daemons and you really want to
have full RELRO enabled there.

The only gotcha we found so far (well, Nalin did) was that SELinux was
not happy with full RELRO on some exotic architectures, like s390x.



