[Freeipa-devel] [PATCHES] 204-205 Spec file fixes
Petr Viktorin
pviktori at redhat.com
Mon Dec 2 11:14:07 UTC 2013
On 11/27/2013 02:50 PM, Martin Kosek wrote:
> On 11/27/2013 02:26 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4010>.
This fixes points 2) & 3) in the ticket; point 1) is not applicable; 4)
are false positives.
The checks mentioned in the ticket pass.
$ hardening-check --color --verbose /usr/libexec/ipa-otpd
/usr/libexec/ipa-otpd:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
unprotected: gethostname
unprotected: read
protected: vfprintf
protected: asprintf
protected: memcpy
protected: fprintf
Read-only relocations: yes
Immediate binding: yes
pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -d
/usr/libexec/ipa-otpd | grep BIND_NOW
0x0000000000000018 (BIND_NOW)
pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -h
/usr/libexec/ipa-otpd | grep Type
Type: DYN (Shared object file)
(Note, redhat-rpm-config is part of Fedora's minimal build environment:
https://fedoraproject.org/wiki/Packaging:Guidelines#Exceptions_2)
>> Honza
>
> Do we want to define
>
> +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
> +%define _hardened_build 1
> +%endif
>
> globally? Wouldn't it trigger the hardening also for all our C utilities or
> internal SLAPI plugins? Wouldn't it have performance implication for the SLAPI
> plugins?
>
> I am not sure, I would like to hear what the experts say.
>
> Martin
On 11/27/2013 03:37 PM, Jakub Hrozek wrote:> I'm sorry, I removed
Martin's e-mail by accident so I'll reply here. I
> think defining the hardened build globally is fine, the only performance
> impact is during startup and only small.
>
> AFAIR, the C utilities in IPA are mostly daemons and you really want to
> have full RELRO enabled there.
>
> The only gotcha we found so far (well, Nalin did) was that SELinux was
> not happy with full RELRO on some exotic architectures, like s390x
Is that a SELinux bug? Should we care about it?
--
Petr³
More information about the Freeipa-devel
mailing list