[grsec] Grsec distro?
Ned Ludd
solar at gentoo.org
Sun Nov 27 09:29:09 EST 2005
On Sun, 2005-11-27 at 14:08 +0000, John Logsdon wrote:
> Thanks to news from Bill, Jan and Chris it seems that there are some folk
> out there helping to promote grsec. But I guess these distros are really
> for a niche market.
>
> What would be _really_ cool is if a mainstream distro took an interest and
> included the latest version (and implemented the latest version via an
> update facility).
>
> That way we would not all be re-inventing the wheel when generating ACLs
> as much of the difference between individuals' ACLs is to do with
> locations and which files exist etc. Then the main difference would be
> the user and group names that we all implement differently and domains
> could be used here. Plus of course binding and connecting to different
> IPs.
>
> Wrapping it all up in a system installer for grsec (which prompts for
> user/group names, IPs etc and sets up a reasonable policy) would make it
> much easier to promote. The difficult thing about grsec (and other
> systems like SEL look even more difficult BTW), is getting the ACLs right
> for your particular environment. Other than that, patching the kernel etc
> is a wheeze and we need no recompiled userland tools.
Being one of the first distributions to properly support grsec and PaX I
can say that generic ACLs for the 2x series are a rather difficult
thing to support. Version1->version2 of program-A.B.C can have radically
different policy needs, and then you have user preferences for things
like devfsd vs udev or 2.4 vs 2.6. Thankfully grsec has a powerful
learning mode. People should not be afraid to use it.
--
Ned Ludd <solar at gentoo.org>
Gentoo Linux