Re: Value of selinux+grsecurity (was: Re: Anybody deploy grsecurity on Fedora?)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2008-05-01 at 08:59 -0400, Stephen Smalley wrote:
> On Thu, 2008-05-01 at 08:53 -0400, McGuffey, David C. wrote:
> > > 
> > > > Date: Wed, 30 Apr 2008 12:20:03 -0400
> > > From: "max bianco" <maximilianbianco@xxxxxxxxx>
> > > Subject: Re: Anybody deploy grsecurity on Fedora?
> > > 
> > > > Have been watching the PaX and grsecurity efforts for a while, but
> > > > haven't
> > > > had a need to add them to a Linux box yet...either for a customer,
> > or in a
> > > > lab for playing.
> > > >
> > > > I noticed that the PaX stuff seems to now be merged into grsecurity.
> > The
> > > > most recent release of grsecurity has some interesting security
> > features
> > > > I'm interested in testing.
> > > >
> > > >
> > > >
> > > > Anyone deploy grsecurity on a recent Fedora release (7 or 8) or RHEL
> > 4
> > > > or 5? If so, any problems, lessons learned, or tips?
> > > >
> > >
> > > I haven't used and don't know much about it or its relationship, if
> > > any , with fedora , I don't think it goes as far as SELinux but that
> > > is just speculation based on a quick overview of the following which i
> > > will now review in depth to correct any mistaken notions i might have.
> > > If you come across better resources that explain this better please
> > > post back.
> > > 
> > > www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf
> > > 
> > > http://forums.grsecurity.net/viewtopic.php?f=1&p=7954
> > > 
> > > http://www.grsecurity.net/
> > > 
> > > http://www.nsa.gov/selinux/list-archive/0308/4941.cfm
> > > 
> > > 
> > > Max
> > > 
> > 
> > Although there is some overlap, I believe the two (selinux and
> > grsecurity) have many features that are complimentary.  Selinux provides
> > containment based on security contexts (labels).  If one were to crash a
> > program covered by selinux, the damage would be contained.  The goals of
> > grsecrutiy (especially the PaX elements) however, are to make it harder
> > to crash that program in the first place.
> > 
> > Is the Linux kernel community thinking of pulling in some of the
> > capabilities that grsecrutiy (especially PaX) offers into the
> > kernel...making things like randomization of stack, data, and code space
> > a default behavior of the kernel?
> 
> Some of that support is already in the mainline kernel these days, and
> Red Hat includes Exec Shield in their kernels.  SELinux then supplements
> Exec Shield by providing policy control over mmap/mprotect with
> PROT_EXEC, enabling one to control the ability to make executable
> mappings that are writable.
> 
> http://people.redhat.com/drepper/nonselsec.pdf
> http://people.redhat.com/drepper/selinux-mem.html

Also, see:
http://www.awe.com/mark/blog/200801070918.html

-- 
Stephen Smalley
National Security Agency

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux