[Freeipa-devel] [PATCHES] 204-205 Spec file fixes

Jakub Hrozek jhrozek at redhat.com
Mon Dec 2 11:26:23 UTC 2013 

On Mon, Dec 02, 2013 at 12:14:07PM +0100, Petr Viktorin wrote:
> On 11/27/2013 02:50 PM, Martin Kosek wrote:
> >On 11/27/2013 02:26 PM, Jan Cholasta wrote:
> >>Hi,
> >>
> >>the attached patches fix <https://fedorahosted.org/freeipa/ticket/4010>.
> 
> This fixes points 2) & 3) in the ticket; point 1) is not applicable;
> 4) are false positives.
> 
> The checks mentioned in the ticket pass.
> 
> $ hardening-check --color --verbose /usr/libexec/ipa-otpd
> /usr/libexec/ipa-otpd:
>  Position Independent Executable: yes
>  Stack protected: yes
>  Fortify Source functions: yes (some protected functions found)
>         unprotected: gethostname
>         unprotected: read
>         protected: vfprintf
>         protected: asprintf
>         protected: memcpy
>         protected: fprintf
>  Read-only relocations: yes
>  Immediate binding: yes
> pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -d
> /usr/libexec/ipa-otpd | grep BIND_NOW
>  0x0000000000000018 (BIND_NOW)
> pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -h
> /usr/libexec/ipa-otpd  | grep Type
>   Type:                              DYN (Shared object file)
> 
> (Note, redhat-rpm-config is part of Fedora's minimal build
> environment:
> https://fedoraproject.org/wiki/Packaging:Guidelines#Exceptions_2)
> 
> >>Honza
> >
> >Do we want to define
> >
> >+%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
> >+%define _hardened_build 1
> >+%endif
> >
> >globally? Wouldn't it trigger the hardening also for all our C utilities or
> >internal SLAPI plugins? Wouldn't it have performance implication for the SLAPI
> >plugins?
> >
> >I am not sure, I would like to hear what the experts say.
> >
> >Martin
> 
> On 11/27/2013 03:37 PM, Jakub Hrozek wrote:> I'm sorry, I removed
> Martin's e-mail by accident so I'll reply here. I
> > think defining the hardened build globally is fine, the only performance
> > impact is during startup and only small.
> >
> > AFAIR, the C utilities in IPA are mostly daemons and you really want to
> > have full RELRO enabled there.
> >
> > The only gotcha we found so far (well, Nalin did) was that SELinux was
> > not happy with full RELRO on some exotic architectures, like s390x
> 
> Is that a SELinux bug?

I'm not actually sure, as I said, Nalin worked on this bugzilla. FWIW, I
never saw any problems with hardened builds of SSSD or any other package
I'm involved with.

> Should we care about it?

I think that such change in build flags warrants at least basic smoke
testing on all architectures.

More information about the Freeipa-devel mailing list