[grsec] Grsec distro?
Redeeman
redeeman at metanurb.dk
Wed Nov 30 12:17:24 EST 2005
On Tue, 2005-11-29 at 01:39 +0000, John Logsdon wrote:
> This puts neatly my original impression of grsec cf SEL a year or so ago
> when I first saw it.
>
> SEL looks lumpy - it needs modifications to userland tools (e.g. ls, ps, top
> and tar->star), uses the attr system (which is broken on Reiser) and
Ahem? I'm using xattr nicely with reiserfs.
> therefore each filesystem needs to be converted. This means that there is
> a lot of potential for forking and chaos. Your post implies that these
> incompatibilities have indeed arisen as I feared. Apart from that, it
> seems to be quite inelegant to specify policies.
>
> As a result, RH do not offer Reiser and some other filesystems at all -
> you are pretty much stuck with ext3 I think. I used to use Reiser but
> have migrated mostly to XFS these days as the POSIX ACL system is built
> in (a useful relaxation of DAC's if needed).
>
> I am sure SEL works and does what it is meant to (well as much as any such
> system can) and I don't want to start spats or flames (unlikely on the
> grsec list anyway). I believe you can run PaX with SEL.
>
> The reason for my original post was to see whether any mainline distro was
> considering using grsec - and would keep up to date with Brad's versions.
> This would generate much more interest in grsec and perhaps ensure its
> future. So far, only Gentoo has bitten this bullet and as a
> compile-it-yourself system - which has much to commend it - I guess many
> people would be put off. I realise that ACL generation is largely done by
> the learning mode but a grsec distro would enable us to share ACLs much
> more easily as the locations would be known.
>
> So if anyone has a good leverage with any mainline distros, perhaps a word
> in their shell-likes?
>
> Best wishes
>
> John
>
> PS There has been a long series of spats from SEL lovers and haters on the
> CentOS list recently that were sometimes very amusing but none of the
> posters mentioned any other security system. :)
>
> John Logsdon
> Quantex Research Ltd, Manchester UK
> j.logsdon at quantex-research.com
> +44(0)161 445 4951 / G: +44(0)7717758675
> www.quantex-research.com
>
> "Try to make things as simple as possible but not simpler"
> a.einstein at relativity.org
>
>
> On Mon, 28 Nov 2005, Dan Hollis wrote:
>
> > On Sat, 26 Nov 2005, John Logsdon wrote:
> > > that problem. Now I am sure SEL works well - there have been some rather
> > > silly spats on the CentOS list recently - but it does mean that many
> > > userland tools are broken or need to be recompiled against libselinux,
> > > that the attributes have to work (e.g. can't use Reiser) and a rather
> > > cumbersome command system when compared to the simple elegance of grsec.
> >
> > The mechanism of grsecurity+pax is considerably different from that of
> > selinux. selinux aims to limit damage from exploits (basically rbac).
> > grsecurity+pax aims to prevent exploits from happening in the first place
> > (stack protection, bounds checking, closing kernel attack vectors, etc).
> >
> > it's really two different things. imo selinux is just grsecurity's rbac,
> > totally excluding pax. but selinux is more cumbersome to use (and
> > currently, a lot of incompatibility exists).
> >
> > -Dan
> >
>
> _______________________________________________
> grsecurity mailing list
> grsecurity at grsecurity.net
> http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
>