[grsec] Grsec distro?

John Logsdon j.logsdon at quantex-research.com
Mon Nov 28 20:39:35 EST 2005 

This puts neatly my original impression of grsec cf SEL a year or so ago
when I first saw it.  

SEL looks lumpy - it needs modifications to userland tools (eg ls, ps, top
and tar->star), uses the attr system (which is broken on Reiser) and
therefore each filesystem needs to be converted.  This means that there is
a lot of potential for forking and chaos.  Your post implies that these
incompatibilities have indeed arisen as I feared.  Apart from that, it
seems to be quite inelegant to specify policies.  

As a result, RH do not offer Reiser and some other filesystems at all -
you are pretty much stuck with ext3 I think.  I used to use Reiser but
have migrated mostly to XFS these days as the POSIX ACL system is built
in (a useful relaxation of DAC's if needed).

I am sure SEL works and does what it is meant to (well as much as any such
system can) and I don't want to start spats or flames (unlikely on the
grsec list anyway).  I believe you can run PaX with SEL.

The reason for my original post was to see whether any mainline distro was
considering using grsec - and would keep up to date with Brad's versions.  
This would generate much more interest in grsec and perhaps ensure it's
future.  So far, only Gentoo has bitten this bullet and as a
compile-it-yourself system - which has much to commend it - I guess many
people would be put off.  I realise that ACL generation is largely done by
the learning mode but a grsec distro would enable us to share ACLs much
more easily as the locations would be known.

So if anyone has a good leverage with any mainline distros, perhaps a word
in their shell-likes?

Best wishes

John

PS There has been a long series of spats from SEL lovers and haters on the
CentOS list recently that were sometimes very amusing but none of the
posters mentioned any other security system.:)

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon at quantex-research.com              a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com


On Mon, 28 Nov 2005, Dan Hollis wrote:

> On Sat, 26 Nov 2005, John Logsdon wrote:
> > that problem.  Now I am sure SEL works well - there have been some rather
> > silly spats on the CentOS list recently - but it does mean that many
> > userland tools are broken or need to be recompiled against libselinux,
> > that the attributes have to work (eg can't use Reiser) and a rather
> > cumbersome command system when compared to the simple elegance of grsec.
> 
> The mechanism of grsecurity+pax is considerably different from that of 
> selinux. selinux aims to limit damage from exploits (basically rbac).
> grsecurity+pax aims to prevent exploit from happening in the first place 
> (stack protection, bounds checking, closing kernel attack vectors, etc).
> 
> it's really two different things. imo selinux is just grsecurity's rbac, 
> totally excluding pax. but selinux is more cumbersome to use (and 
> currently, a lot of incompatibility exists).
> 
> -Dan
>

More information about the grsecurity mailing list