New hardened build support (coming) in F16

Jan Safranek jsafrane at redhat.com
Tue Aug 9 10:18:38 UTC 2011


On 08/08/2011 06:23 PM, Adam Jackson wrote:
> Once that's done (and redhat-rpm-config-9.1.0-15.fc16 has gone
> through updates), if you're using a %configure-style spec file, defining
> the magic macro is all you have to do.  The rpm macros will notice the 
> macro, and put the right magic into CFLAGS and LDFLAGS, and everything 
> is great and wonderful.

I am not sure I understand the implications. If I compile my package
which provides a daemon (=worth full relro) and a few libraries with the
magic macro, which defines LDFLAGS=-Wl,-z,now, all shared libraries from
the build will get full relro too. What happens to applications which
link my libs?

1) will they start slower because of the relocations in the shared lib?
2) can they use prelink?

Or should I hack Makefiles to use full relro only for daemons (and other
security-relevant binaries) and leave shared libs with partial relro
only? Will the daemon be 'safe enough' if it consumes libraries with
partial relro?

--
Jan

