Bug 375853 - app-admin/syslog-ng: ebuilds should remove the 'hardened' useflag
Summary: app-admin/syslog-ng: ebuilds should remove the 'hardened' useflag
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Blocks: 375561
Reported: 2011-07-21 10:46 UTC by Anthony Basile
Modified: 2013-08-23 06:36 UTC
Description Anthony Basile gentoo-dev 2011-07-21 10:46:17 UTC
The 'hardened' use flag refers to the hardened toolchain and not to a hardened kernel.  However, the ebuild uses the flag as if referring to a hardened kernel.  The extra lines added are

    destination avc { file("/var/log/avc.log"); };
    destination audit { file("/var/log/audit.log"); };
    destination pax { file("/var/log/pax.log"); };
    destination grsec { file("/var/log/grsec.log"); };

These are relevant to, respectively, selinux, pax and grsec kernel hardening, not toolchain hardening.

This can be corrected by removing the 'hardened' useflag and using a local flag 'pax_kernel'.  The choice of the name follows because selinux is already covered by the 'selinux' use flag, and because pax and grsec are usually configured together.   The name also better fits this new local use flag usage in other ebuilds where pax is the central issue.

Reproducible: Always
Comment 1 Mr. Bones. (RETIRED) gentoo-dev 2011-10-04 23:50:33 UTC
The parts of the ebuild behind the hardened use flag were added and are maintained by the hardened team.  If the hardened team doesn't want to maintain them anymore, please reassign back to me and I'll just install the current hardened-supplied config file as another example config.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2013-06-02 01:19:54 UTC
Removed the hardened and selinux use flags in 3.4.1-r1.

The logrotate file and hardened syslog-ng.conf file are installed in the doc directory in case people want to use them.
Comment 3 Vadim A. Misbakh-Soloviov (mva) gentoo-dev 2013-07-13 11:13:51 UTC
Can I ask why both hardened and selinux were just dropped (and not changed, as Anthony means)? For now, the user should discover the "right" changes in logrotate configs and in syslog configs himself. I doubt that it is a good idea...
Comment 4 Anthony Basile gentoo-dev 2013-07-13 11:36:57 UTC
(In reply to Mr. Bones. from comment #1)
> The parts of the ebuild behind the hardened use flag were added and are
> maintained by the hardened team.  If the hardened team doesn't want to
> maintain them anymore, please reassign back to me and I'll just install the
> current hardened-supplied config file as another example config.

Just to be clear, it's not that we don't want to support these.  We just wanted the name of the use flag changed because we need to distinguish between toolchain hardening and kernel hardening.  We do have users, for example, that have a hardened kernel but no hardened toolchain.  They still need the extra lines of comment 1, but their systems have USE="-hardened" ... again -hardened here refers *only* to the toolchain.
Comment 5 Tomáš Mózes 2013-08-23 06:04:47 UTC
Wouldn't it be possible to add a new use flag that would automatically bring in the "hardened" configurations like before? It would be easier for the sysadmin to make sure a flag is set than to manually copy the "hardened" configurations for syslog-ng/logrotate and keep them both synchronized.
Comment 6 Mr. Bones. (RETIRED) gentoo-dev 2013-08-23 06:36:21 UTC
Users really are expected to configure syslog-ng to suit their needs.  The configs other than the default one have always suffered from bitrot as soon as they were added.  It was a maintenance hassle.