Value of selinux+grsecurity (was: Re: Anybody deploy grsecurity on Fedora?)

> Date: Wed, 30 Apr 2008 12:20:03 -0400
> From: "max bianco" <maximilianbianco@xxxxxxxxx>
> Subject: Re: Anybody deploy grsecurity on Fedora?
> 
> > Have been watching the PaX and grsecurity efforts for a while, but haven't
> > had a need to add them to a Linux box yet...either for a customer, or in a
> > lab for playing.
> >
> > I noticed that the PaX stuff seems to now be merged into grsecurity. The
> > most recent release of grsecurity has some interesting security features
> > I'm interested in testing.
> >
> > Anyone deploy grsecurity on a recent Fedora release (7 or 8) or RHEL 4
> > or 5? If so, any problems, lessons learned, or tips?
> >
>
> I haven't used it and don't know much about it or its relationship, if
> any, with Fedora. I don't think it goes as far as SELinux, but that
> is just speculation based on a quick overview of the following, which I
> will now review in depth to correct any mistaken notions I might have.
> If you come across better resources that explain this better please
> post back.
> 
> www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf
> 
> http://forums.grsecurity.net/viewtopic.php?f=1&p=7954
> 
> http://www.grsecurity.net/
> 
> http://www.nsa.gov/selinux/list-archive/0308/4941.cfm
> 
> 
> Max
> 

Although there is some overlap, I believe the two (selinux and
grsecurity) have many features that are complementary.  Selinux provides
containment based on security contexts (labels).  If one were to crash a
program covered by selinux, the damage would be contained.  The goals of
grsecurity (especially the PaX elements) however, are to make it harder
to crash that program in the first place.

Is the Linux kernel community thinking of pulling in some of the
capabilities that grsecurity (especially PaX) offers into the
kernel...making things like randomization of stack, data, and code space
a default behavior of the kernel?

Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM
SAIC, IISBU, Columbia, MD

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list