On Thu, 2008-05-01 at 08:53 -0400, McGuffey, David C. wrote: > > > > > Date: Wed, 30 Apr 2008 12:20:03 -0400 > > From: "max bianco" <maximilianbianco@xxxxxxxxx> > > Subject: Re: Anybody deploy grsecurity on Fedora? > > > > > Have been watching the PaX and grsecurity efforts for a while, but > > > haven't > > > had a need to add them to a Linux box yet...either for a customer, > or in a > > > lab for playing. > > > > > > I noticed that the PaX stuff seems to now be merged into grsecurity. > The > > > most recent release of grsecurity has some interesting security > features > > > I'm interested in testing. > > > > > > > > > > > > Anyone deploy grsecurity on a recent Fedora release (7 or 8) or RHEL > 4 > > > or 5? If so, any problems, lessons learned, or tips? > > > > > > > I haven't used and don't know much about it or its relationship, if > > any , with fedora , I don't think it goes as far as SELinux but that > > is just speculation based on a quick overview of the following which i > > will now review in depth to correct any mistaken notions i might have. > > If you come across better resources that explain this better please > > post back. > > > > www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf > > > > http://forums.grsecurity.net/viewtopic.php?f=1&p=7954 > > > > http://www.grsecurity.net/ > > > > http://www.nsa.gov/selinux/list-archive/0308/4941.cfm > > > > > > Max > > > > Although there is some overlap, I believe the two (selinux and > grsecurity) have many features that are complimentary. Selinux provides > containment based on security contexts (labels). If one were to crash a > program covered by selinux, the damage would be contained. The goals of > grsecrutiy (especially the PaX elements) however, are to make it harder > to crash that program in the first place. > > Is the Linux kernel community thinking of pulling in some of the > capabilities that grsecrutiy (especially PaX) offers into the > kernel...making things like randomization of stack, data, and code space > a default behavior of the kernel? Some of that support is already in the mainline kernel these days, and Red Hat includes Exec Shield in their kernels. SELinux then supplements Exec Shield by providing policy control over mmap/mprotect with PROT_EXEC, enabling one to control the ability to make executable mappings that are writable. http://people.redhat.com/drepper/nonselsec.pdf http://people.redhat.com/drepper/selinux-mem.html -- Stephen Smalley National Security Agency -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list