Fedora, Linux kernel 3.13 with GRSecurity?

I expect I have to compile my own kernel to make this happen, more so as 3.13 is not out till next week, I believe.

So how easy is this, and is there a guide? And what breakage can occur?


Thanks in advance!!


Should be as simple as installing the patch, be it from source or binaries, then adding the hardened kernel to your bootloader (not sure which method you prefer, or which bootloader Fedora uses/you use).

What do you plan on using? I can go into more detail with more specifics.

Well, I presume I use GRUB; I am running Fedora 20 XFCE.

I want GRSecurity for the security, of course, but the kernel for any performance enhancements, if any, and the fact that I'd like to start compiling stuff to learn more :)

Well, I don't use Fedora, but the same concepts should apply across the board.

First, a starter on building a custom kernel in Fedora - https://fedoraproject.org/wiki/Building_a_custom_kernel?rd=Docs/CustomKernel - pretty much the same as any other distro, just with RPM.

Here is the download link for Grsecurity and Grand - http://grsecurity.net/download.php - pick the one for kernel 3.13 when it is released. I believe 3.12.7 was just added. It is important to verify the downloads; that way you don't patch your kernel with a corrupt Grsecurity.

Since the Fedora documentation is very nice, and I am running short on time, I'll have to leave it at that, but will come back and explain more in a few hours.

Okay thanks :) I shall see what I can do with what I have :)

You don't have to compile your own kernel, you can simply use the rawhide kernel package (right now at 3.13rc8) and run your fc20 on it. It mostly works just fine.

You don't need all the things from the grsecurity suite if you want to use it with SELinux (which is advisable). Once you are running stable on 3.13rc, you can install PaX from grsecurity, and you'll have to recompile your kernel for that using the standard tools.

TRY your system OUT FIRST; you need to make sure it works with 3.13rc and the build deps (it will require a newer GCC package and kernel utils). You don't want to waste a few gigabytes of hard disk space on something you know won't work anyway.

Now this is where it gets critical: NEVER build your kernel as root, whatever you do. The right way is to make a new user account and set up your tree there. Then build in that tree like you would normally build your custom kernel, based on the source of the kernel you're running and grsecurity PaX.


To be honest, you might get lucky, but you should expect breakage, and the problem is that you'll have difficulties getting back to release once the kernel 3.13 is released and pushed.

In my opinion, you either run Fedora release, or you run Fedora Rawhide. Running Fedora Rawhide is quite a different experience, it is a lot like Arch, in that it is a quasi-rolling release model (where Arch is a real rolling release model) with a lot of daily updates (a LOT of them!), and the occasional poisoned package that causes breakage. As it is a quasi-rolling model instead of a real rolling release model, you can easily revert, and with yum history, you can easily cherry-pick undos for specific packages, so it's easier to manage than Arch, but it's time consuming, you'll spend at least 10-15 minutes a day on system maintenance. Fedora Rawhide right now is the alpha version of Fedora 21, which will be the first HSA release. There isn't all that much HSA functionality that works perfectly fine yet, although there are some nice things on AMD systems and pre-Haswell Intel Core systems. But expect a little-optimized system that runs noticeably slower than Fedora release (which also has to do with kernel monitoring and software bug detection and reporting functions that slow down the system some).

I run a Fedora Rawhide install, but it's just for development purposes; I don't actually do real productive things on that system. I run Fedora release on my systems, sometimes with some upstream packages from testing and rawhide rebuilt for fc20. That's easy to do, but not advisable when you don't know exactly what you're doing, and which packages you can take that risk for. Basically, you can break dependencies by doing that and screw up the system.

If I were you, I would wait another week or so for the 3.13 kernel to hit release, and then go forward with your plans. What's another week right? To get the most out of 3.13 with AMD GPUs, you would also need to use the open source AMD drivers from git (and those are real nightlies, they are very specific, expect breakage!), or wait for the Catalyst kernel modules for 3.13 to be stable. So there is very little gain in building yourself a 3.13rc kernel right now in my opinion.
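An added example, not code from any of the posters: a POSIX shell helper that follows the two points made in the replies above, verify the download before it touches the tree and never patch or build as root, and dry-runs the patch before applying it. The patch and checksum file names are placeholders, and the checksum list stands in for whatever verification the download site publishes.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies a hardening patch to an
# unpacked kernel tree with the checks the replies insist on: refuse to run as
# root, verify the download before it touches the tree, and dry-run the patch
# so a mismatched version leaves the tree untouched.
# File names (grsecurity patch, .sha256 list) are placeholders.
set -u

# check_not_root <uid>: succeeds only for an unprivileged uid.
check_not_root() {
    if [ "$1" -eq 0 ]; then
        echo "refusing to patch/build as root; use a dedicated unprivileged build user" >&2
        return 1
    fi
}

# apply_verified_patch <patch file> <sha256 list> <kernel tree>
# The sha256 list is in 'sha256sum -c' format and lives beside the patch.
# Returns 0 on success; a distinct non-zero code for each failed check.
apply_verified_patch() {
    patch_file=$1; sums=$2; tree=$3

    check_not_root "$(id -u)" || return 1

    # Verify the download before applying it; a corrupt or tampered patch stops
    # here. Where the project publishes a detached GPG signature, verifying it
    # with 'gpg --verify' is the stronger check.
    if ! (cd "$(dirname "$patch_file")" && sha256sum -c "$sums" >/dev/null); then
        echo "checksum mismatch for $patch_file; not applying" >&2
        return 2
    fi

    # Dry-run first: a patch made for another kernel version is rejected
    # without half-applying to the tree.
    if ! patch -d "$tree" -p1 -s --dry-run < "$patch_file"; then
        echo "patch does not apply cleanly to $tree" >&2
        return 3
    fi
    patch -d "$tree" -p1 -s < "$patch_file"
}

# Usage (as the build user, not root; placeholder paths):
#   apply_verified_patch ~/src/grsecurity-3.13.patch ~/src/grsecurity-3.13.patch.sha256 ~/src/linux-3.13
```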

Hmm, thanks. I was looking at the release date; a week is nothing, as I can ground my system fully and get everything on that is needed.

I take it RadeonSI will work well with 6k series GPUs? And is there a forum/guide to getting specific parts like PaX? Also, will nftables be pushed with 3.13 Fedora? I know it's going to be there in Arch, so I would assume that it will be around for all decent distros.

RadeonSI is for RHD7k and higher; the RHD6k works with the R600 OSS driver.

Once you download the grsecurity package for fedora, you'll see how to just install PaX and not use the RSBAC of the grsecurity suite. It's pretty self-explanatory.

nftables is a standard kernel 3.13 feature. In fact, I saw that the GUI dependencies that contain nftables expansions (things like applets and notifiers) were pushed to release today, so there will be, as usual, full zero-day integration.

Okay, already looking forward to the push xD. Also a general question on distros.

Fedora Security v Kali?

I know Kali is deb-based, but is this really a bad thing in security live-based distros?

Nope, Kali is usable; a pentest distro is always run from a write-protected (often single-use disposable ;-)) USB thumb drive anyway, but to be honest, Kali is a skiddie thing, because all the tools that are in Kali, and more, are also in all other repos, and the only thing that sets Kali apart is that it has GUI launchers for all the tools. To be honest, if you can't launch the pentesting tools from the CLI, you should probably not play around with them anyway.

Of course, I do prefer the CLI, but it is nice to have a GUI with meta xD