On 04/20/2016 08:12 AM, Dave Love wrote:
> I have a package to submit that has an suid binary. The packaging
> guidelines say in that case you must
> %global _hardened_build 1
> and it turns on PIE/PIC. However, it doesn't do so on el6, at least.
> Should flags be added by hand and, if so, exactly which?
> Also, does an suid binary require something to be done for selinux? (I
> know embarrassingly little about it, mainly working on HPC systems, for
> which the instructions generally and unfortunately start with "turn off
> selinux".)
This may help:
https://fedoraproject.org/wiki/Changes/Harden_All_Packages
I've done this for EL6:
# _hardened_build not working for EL6, at least define __global_ldflags for now
%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro -Wl,-z,now}
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion@xxxxxxxxxxxxx
Boulder, CO 80301 http://www.cora.nwra.com
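
One way to confirm on the built binary that PIE (from the question) and the -Wl,-z,relro -Wl,-z,now flags (from the reply) actually took effect. This is an added example, not part of the original thread: the names hardening and sample_elf are made up here, sample_elf builds a constructed test image, and only little-endian ELF64 is handled.

```python
import struct, sys

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def hardening(image: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW for a little-endian ELF64 image."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, image, 0)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    relro = bind_now = False
    for i in range(phnum):
        p = struct.unpack_from(PHDR, image, phoff + i * phentsize)
        p_type, p_offset, p_filesz = p[0], p[2], p[5]
        if p_type == PT_GNU_RELRO:          # emitted for -Wl,-z,relro
            relro = True
        elif p_type == PT_DYNAMIC:          # walk .dynamic for -Wl,-z,now
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from(DYN, image, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    level = "full" if relro and bind_now else "partial" if relro else "none"
    # ET_DYN is also the type of shared libraries; for an executable it means PIE.
    return {"pie": e_type == ET_DYN, "relro": level, "bind_now": bind_now}

def sample_elf(e_type: int, relro: bool, dyn: list) -> bytes:
    """Constructed test image: ELF header, program headers and .dynamic only."""
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(types)
    dyn_bytes = b"".join(struct.pack(DYN, t, v) for t, v in dyn + [(DT_NULL, 0)])
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    out = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56,
                      len(types), 0, 0, 0)
    for p_type in types:
        off, size = (dyn_off, len(dyn_bytes)) if p_type == PT_DYNAMIC else (0, 0)
        out += struct.pack(PHDR, p_type, 4, off, off, off, size, size, 8)
    return out + dyn_bytes

if __name__ == "__main__":
    for path in sys.argv[1:]:               # e.g. the suid binary in the buildroot
        with open(path, "rb") as f:
            print(path, hardening(f.read()))
```

Run it against the installed suid binary after the build; a result other than pie True with relro "full" means the flags did not reach the link step.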