Desktop security

[sjweiler]

I use reiserfs for my main partition. I noticed the hardened-sources/hardened-dev-sources do not have any option to enable security labels on reiserfs but other kernels such as rsbac-sources and gentoo-sources do have that option.
I am looking at hardening my desktop and am stuck between rsbac and grsecurity. Anyone have any input they want to share?
Another thing I looked at was selinux.
Yes, I know about iptables; but I want to harden my desktop beyond what that provides.
I'm definately using PAX no matter which security system I ultimately choose.

[kang]

Hi sjweiler !

Security labels are something SELinux specific [1]. Every filesystem you want to use with SELinux needs to have theses labels.
On hardened sources reiserfs security labels are disabled because it causes problems as far as I know. Other kernels dont explicitely disable it because they're not really the ones you will use with SELinux.

GrSec is usually the easiest one to setup.
RSBAC is really very flexible. You can ask me for any problem with it, I manage this project in Gentoo.

iptables and grsec/rsbac/selinux do not really provide the same kind of security. (even if most give hooks on sockets and networking things)
The three also all support PaX.

I suggest that you read first about what they really are Learn about the security models and the logic being it, then you will understand everything better. They give you more control on what is allowed on your system.

Try the Gentoo documentation first, as well as the webpage of every project.
No Gentoo developper will be able to tell you 'use that' or 'use that', you will have to make your own choice, we can only tell what does what without being subjective (else id say, go use rsbac!

Good luck!

[1] http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0019.html