[grsec] Grsec distro?
Chris Boot
bootc at bootc.net
Sat Nov 26 10:51:58 EST 2005
John Logsdon wrote:
> Jan and list
>
> Thanks for this link. Debian/Ubuntu Hardened seem to be rather like
> Gentoo which is Debian-based and offers the options for Grsec and SEL when
> you build it. Again there is the problem of what version of grsec.
Gentoo is in no way Debian-based; it's a mostly source-only distro much
like LFS, but with tools to make the job easier. It's nice (I use it on
my home machine) and does have its advantages, but I wouldn't be
particularly comfortable running it on any of my servers, which
currently run Debian.
> I followed the vSecurity link and note that that seems to take some of
> grsec (I don't know how old) and Openwall and puts this within an LSM
> framework. I thought LSM was rather frowned on in the grsec community -
> see Brad's comments on LSM on the web site. So that's a bit of a puzzle.
>
> One of the issues of course is that RH have clearly decided to bundle SEL
> in and this means that any of the downstream distros like CentOS inherit
> that problem. Now I am sure SEL works well - there have been some rather
> silly spats on the CentOS list recently - but it does mean that many
> userland tools are broken or need to be recompiled against libselinux,
> that the attributes have to work (e.g. can't use Reiser) and a rather
> cumbersome command system when compared to the simple elegance of grsec.
>
> So I thought that a ready-rolled grsec version either built on RH or
> Debian with sensible packages (well a minimalist anyway) would make it
> much more attractive and therefore marketable.
Yes, I'd love to see such a beast. I've only just started looking at
using PaX and SSP on my servers and having to build my own distro would
be both cumbersome and, potentially, a support nightmare.
> Things change quite quickly and I can also see the benefit of only being
> concerned with the kernel and patches... I was just wondering whether it
> was on anyone's road map.
Chris
--
Chris Boot
bootc at bootc.net
http://www.bootc.net/