Gentoo Forums
GRSecurity vs. SELinux
wswartzendruber
Veteran
Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Mon Jan 11, 2010 11:50 am    Post subject: GRSecurity vs. SELinux

Can someone provide a sound reason for installing SELinux on top of GRSecurity? It seems that the point of SELinux is to contain a bomb after it goes off. Why not prevent the explosion in the first place? This question, obviously, includes PaX.
_________________
Git has obsoleted SVN.
10mm Auto has obsoleted 45 ACP.
ToeiRei
Veteran
Joined: 03 Jan 2005
Posts: 1191
Location: Austria

Posted: Mon Jan 11, 2010 1:40 pm    Post subject:

Isn't grsecurity part of SELinux?
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
prometheanfire
Developer
Joined: 21 Apr 2005
Posts: 87
Location: San Antonio, TX USA

Posted: Mon Jan 11, 2010 1:56 pm    Post subject:

grsecurity and selinux are basically competitors.
From my limited knowledge on selinux I don't think it hardens the kernel like grsec does. grsec also has a rsbac system (like selinux but more flexible imo).

Start by reading these.
http://en.wikipedia.org/wiki/Security-Enhanced_Linux
http://en.wikipedia.org/wiki/Grsecurity
_________________
-- Matthew Thode (prometheanfire)
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Tue Jan 12, 2010 12:17 am    Post subject: Re: GRSecurity vs. SELinux

wswartzendruber wrote:
Can someone provide a sound reason for installing SELinux on top of GRSecurity? It seems that the point of SELinux is to contain a bomb after it goes off. Why not prevent the explosion in the first place? This question, obviously, includes PaX.


If you go the traditional "Gentoo Hardened" route, there is none.

As I understand it, both grsec and selinux have a set of kernel patches, and both have an RBAC mechanism.

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
(see the bit about selinux options in the kernel)

Bigger point is that grsec DOES have the ability to take care of a bomb after it's already gone off.

They attempt to do basically the same things, just, grsec seems to do it better IMHO.

- both projects offer a set of hardening patches for the kernel
- both projects offer an RBAC mechanism

You could use both selinux/grsec together, but it would be a pain.
And as everyone I've chatted to that has far greater knowledge on the topic than myself... people I trust... have said grsec is the superior solution, I've opted for that. Couple that with some of the demonstrations I've seen from 'spender' showing selinux actually making things WORSE, for me it's a no-brainer.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash