Hardened Gentoo

TODO:
 * intro, when 'n why?
 * hardened basics
 * lead into SELinux
 * lead into Grsecurity
 * lead into PaX

Toolchain
The hardened GCC profile is the one without a suffix. To disable PIE or SSP, choose the relevant hardenednopie or hardenednossp profile, or hardenednopiessp to disable both. The vanilla profile is, of course, the one with hardening disabled entirely.

Per Package
Changing the GCC profile to deal with specific packages can be a pain, since it affects every package built afterwards. A way to avoid this is to set per-package C(XX)FLAGS using package.env, so that only the package that cannot be built hardened loses the protection. Create the file /etc/portage/env/nossp and add the following to it:

To allow for disabling PIE, create and add to /etc/portage/env/nopie:

Finally, add the package for which you want to disable PIE or SSP to /etc/portage/package.env, followed by the name of the relevant file in /etc/portage/env/. For this example, is used here:
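The steps above, carried through as an added example that is not part of the original page: a small POSIX shell script that writes the nossp and nopie override files and the package.env line, but under a configurable root directory so it can be dry-run in a scratch directory before being pointed at the real /etc/portage. It assumes modern GCC's -fno-stack-protector, -fno-PIE and -no-pie flags (the Gentoo hardened spec flags of older toolchains differ), and the package name app-misc/example-pkg is a placeholder, not a package the page names.

```shell
#!/bin/sh
# Added example, not from the original page. Builds the per-package
# hardening override files described above under ROOT (use / for the
# real system) so the result can be inspected before portage sees it.
# Assumptions: modern GCC flags (-fno-stack-protector, -fno-PIE, -no-pie);
# app-misc/example-pkg is a placeholder package name.

# write_env_files ROOT: create ROOT/etc/portage/env/nossp and .../nopie
write_env_files() {
    root="$1"
    mkdir -p "$root/etc/portage/env"
    # nossp: drop only the stack protector, keep every other flag
    cat > "$root/etc/portage/env/nossp" <<'EOF'
CFLAGS="${CFLAGS} -fno-stack-protector"
CXXFLAGS="${CXXFLAGS} -fno-stack-protector"
EOF
    # nopie: compile non-PIE objects and link a non-PIE executable
    cat > "$root/etc/portage/env/nopie" <<'EOF'
CFLAGS="${CFLAGS} -fno-PIE"
CXXFLAGS="${CXXFLAGS} -fno-PIE"
LDFLAGS="${LDFLAGS} -no-pie"
EOF
}

# add_package_env ROOT CATEGORY/PKG ENV...: append "cat/pkg env ..." to
# package.env. Refuses unknown env names (exit 1) and a second line for
# the same package (exit 2), so weakened flags are never added by accident.
add_package_env() {
    root="$1"; pkg="$2"; shift 2
    envfile="$root/etc/portage/package.env"
    mkdir -p "$(dirname "$envfile")"
    touch "$envfile"
    for e in "$@"; do
        [ -f "$root/etc/portage/env/$e" ] || { echo "no such env: $e" >&2; return 1; }
    done
    if grep -q "^$pkg " "$envfile"; then
        echo "$pkg already listed in $envfile; edit it by hand" >&2
        return 2
    fi
    printf '%s %s\n' "$pkg" "$*" >> "$envfile"
}

# effective_cflags ROOT ENV: show the CFLAGS an env file yields, starting
# from a base value, without invoking portage (sourced in a subshell)
effective_cflags() {
    root="$1"; e="$2"
    ( CFLAGS="-O2 -pipe"; . "$root/etc/portage/env/$e"; printf '%s\n' "$CFLAGS" )
}

# demo_pkg_env: run the whole procedure in a throwaway root and print
# the resulting package.env line and the flags it produces
demo_pkg_env() {
    d="$(mktemp -d)"
    write_env_files "$d"
    add_package_env "$d" app-misc/example-pkg nopie nossp
    cat "$d/etc/portage/package.env"
    effective_cflags "$d" nossp
    rm -rf "$d"
}
```

Run demo_pkg_env to see the generated package.env line ("app-misc/example-pkg nopie nossp") and the resulting CFLAGS; to apply it for real, call write_env_files and add_package_env with / as the root. Keeping the override to the package that genuinely needs it, rather than switching the whole toolchain to a hardenedno* profile, is the point of the package.env approach.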

Grsecurity chroot
If you want to chroot into a copied environment while CONFIG_GRKERNSEC_CHROOT is enabled, you must use the GRUB from the install CD and change the root, kernel and initrd entries from (cd) to (hdx,y). Now you can install the GRUB environment. The reason is that grsecurity's chroot restrictions block operations such as mounting and creating device nodes from inside a chroot, which is what installing GRUB from within it relies on.

Links

 * Gentoo Hardened Project
 * Gentoo Hardened SELinux Project