openssl libs problem

Robert Connolly robert at linuxfromscratch.org
Mon May 28 09:55:33 PDT 2007


On Monday May 28 2007 12:24:41 pm Jaap Struyk wrote:
> Robert Connolly wrote:
> > It's odd. I got a lot of Google hits on this, it's a known problem with
> > selinux. I'm not sure why I haven't noticed it before. Try to build
> > openssl with:
> > make MANDIR=/usr/share/man AS="gcc -c -Wa,--noexecstack"
>
> Thanks Robert,
>
> That did work, but doesn't that leave me with an "unprotected" libssl?
> On the other hand, without it I have to disable mprotect in the kernel
> which isn't good either.

It's not unprotected now, it's built like the rest of the libraries. Binutils 
is using --execstack, needlessly, on all programs and libraries with assembly 
code. I'm seeing if I can patch Binutils to use --execstack only if it's 
specifically called for, instead of patching every program with assembly. 
Gzip and GnuPG have the same issue, except they added a ./configure option 
for --noexecstack. Java compilers are the only programs I can think of that 
actually need --execstack.

> In the past, I can remember that the hlfs book contained a few
> beyond-hlfs apps: openssh, openntp and then openssl was part of the
> "beyond" and if I recall it right it had to be patched for ssp.
> Was that patch also removing the execstack like the way above or was that
> a "true" adaption of openssl?

The patch for OpenSSL was for arc4random, but a small Sed command works just 
as well now. I want to use the BLFS wiki for changes to BLFS packages, I 
think it would benefit everyone better. OpenSSL is eventually going to be 
integrated in the hlfs core packages, so it's different.

> Anyway, all's well now and everything I compiled right now worked as
> expected apart from gmp-4.2.1
> After a lot of trouble I got it working with "gentoo hardened" patches:

I haven't ever tried to build gmp, I don't know anything about it.

Good luck

robert

