[Freeipa-devel] [PATCHES] 204-205 Spec file fixes

Petr Viktorin pviktori at redhat.com
Mon Dec 2 11:14:07 UTC 2013


On 11/27/2013 02:50 PM, Martin Kosek wrote:
> On 11/27/2013 02:26 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4010>.

This fixes points 2) & 3) in the ticket; point 1) is not applicable; 4) 
are false positives.

The checks mentioned in the ticket pass.

$ hardening-check --color --verbose /usr/libexec/ipa-otpd
/usr/libexec/ipa-otpd:
  Position Independent Executable: yes
  Stack protected: yes
  Fortify Source functions: yes (some protected functions found)
         unprotected: gethostname
         unprotected: read
         protected: vfprintf
         protected: asprintf
         protected: memcpy
         protected: fprintf
  Read-only relocations: yes
  Immediate binding: yes
pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -d /usr/libexec/ipa-otpd | grep BIND_NOW
  0x0000000000000018 (BIND_NOW)
pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -h /usr/libexec/ipa-otpd | grep Type
   Type:                              DYN (Shared object file)

(Note, redhat-rpm-config is part of Fedora's minimal build environment: 
https://fedoraproject.org/wiki/Packaging:Guidelines#Exceptions_2)
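As an added example (not FreeIPA code and not part of the original thread), the three properties reported by `hardening-check` and `readelf` above can be verified by reading the ELF structures directly: PIE is `e_type == ET_DYN` (the `DYN (Shared object file)` line), RELRO is a `PT_GNU_RELRO` program header, and immediate binding is `DT_BIND_NOW` or the `DF_BIND_NOW`/`DF_1_NOW` bits in `DT_FLAGS`/`DT_FLAGS_1`. `check_hardening` is a hypothetical helper name; `build_sample_elf` constructs a minimal, non-executable ELF64 image as offline sample input.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'relro', 'bind_now'} flags for an ELF64 image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    e_phoff, = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    result = {"pie": e_type == ET_DYN, "relro": False, "bind_now": False}
    for i in range(e_phnum):  # walk the program headers
        ph = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, ph)
        p_offset, = struct.unpack_from(end + "Q", data, ph + 8)
        p_filesz, = struct.unpack_from(end + "Q", data, ph + 32)
        if p_type == PT_GNU_RELRO:  # readelf: "Read-only relocations: yes"
            result["relro"] = True
        elif p_type == PT_DYNAMIC:  # scan the dynamic section for BIND_NOW
            for d in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from(end + "qQ", data, d)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    result["bind_now"] = True
    return result


def build_sample_elf(pie=True, relro=True, bind_now=True) -> bytes:
    """Constructed minimal ELF64 (header + program headers + dynamic section
    only, not executable) used as offline sample input for check_hardening."""
    nph = 1 + int(relro)
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9)  # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0,
                        64, 0, 0, 64, 56, nph, 64, 0, 0)
    phdrs = b""
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 56 * nph, 0, 0,
                         len(dyn), len(dyn), 8)
    return ehdr + phdrs + dyn
```

Run it on a real binary with `check_hardening(open("/usr/libexec/ipa-otpd", "rb").read())`; only ELF64 images are handled, an ELF32 file raises ValueError.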

>> Honza
>
> Do we want to define
>
> +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
> +%define _hardened_build 1
> +%endif
>
> globally? Wouldn't it trigger the hardening also for all our C utilities or
> internal SLAPI plugins? Wouldn't it have performance implication for the SLAPI
> plugins?
>
> I am not sure, I would like to hear what the experts say.
>
> Martin

On 11/27/2013 03:37 PM, Jakub Hrozek wrote:
> I'm sorry, I removed Martin's e-mail by accident so I'll reply here. I
> think defining the hardened build globally is fine, the only performance
> impact is during startup and only small.
>
> AFAIR, the C utilities in IPA are mostly daemons and you really want to
> have full RELRO enabled there.
>
> The only gotcha we found so far (well, Nalin did) was that SELinux was
> not happy with full RELRO on some exotic architectures, like s390x

Is that a SELinux bug? Should we care about it?

-- 
Petr³
