Re: Value of selinux+grsecurity (was: Re: Anybody deploy grsecurity on Fedora?)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2008-05-01 at 08:53 -0400, McGuffey, David C. wrote:
> > 
> > > Date: Wed, 30 Apr 2008 12:20:03 -0400
> > From: "max bianco" <maximilianbianco@xxxxxxxxx>
> > Subject: Re: Anybody deploy grsecurity on Fedora?
> > 
> > > Have been watching the PaX and grsecurity efforts for a while, but
> > > haven't
> > > had a need to add them to a Linux box yet...either for a customer,
> or in a
> > > lab for playing.
> > >
> > > I noticed that the PaX stuff seems to now be merged into grsecurity.
> The
> > > most recent release of grsecurity has some interesting security
> features
> > > I'm interested in testing.
> > >
> > >
> > >
> > > Anyone deploy grsecurity on a recent Fedora release (7 or 8) or RHEL
> 4
> > > or 5? If so, any problems, lessons learned, or tips?
> > >
> >
> > I haven't used and don't know much about it or its relationship, if
> > any , with fedora , I don't think it goes as far as SELinux but that
> > is just speculation based on a quick overview of the following which i
> > will now review in depth to correct any mistaken notions i might have.
> > If you come across better resources that explain this better please
> > post back.
> > 
> > www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf
> > 
> > http://forums.grsecurity.net/viewtopic.php?f=1&p=7954
> > 
> > http://www.grsecurity.net/
> > 
> > http://www.nsa.gov/selinux/list-archive/0308/4941.cfm
> > 
> > 
> > Max
> > 
> 
> Although there is some overlap, I believe the two (selinux and
> grsecurity) have many features that are complimentary.  Selinux provides
> containment based on security contexts (labels).  If one were to crash a
> program covered by selinux, the damage would be contained.  The goals of
> grsecrutiy (especially the PaX elements) however, are to make it harder
> to crash that program in the first place.
> 
> Is the Linux kernel community thinking of pulling in some of the
> capabilities that grsecrutiy (especially PaX) offers into the
> kernel...making things like randomization of stack, data, and code space
> a default behavior of the kernel?

Some of that support is already in the mainline kernel these days, and
Red Hat includes Exec Shield in their kernels.  SELinux then supplements
Exec Shield by providing policy control over mmap/mprotect with
PROT_EXEC, enabling one to control the ability to make executable
mappings that are writable.

http://people.redhat.com/drepper/nonselsec.pdf
http://people.redhat.com/drepper/selinux-mem.html
  
-- 
Stephen Smalley
National Security Agency

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux