On Thu, 2008-05-01 at 08:59 -0400, Stephen Smalley wrote:
> On Thu, 2008-05-01 at 08:53 -0400, McGuffey, David C. wrote:
> >
> > > Date: Wed, 30 Apr 2008 12:20:03 -0400
> > > From: "max bianco" <maximilianbianco@xxxxxxxxx>
> > > Subject: Re: Anybody deploy grsecurity on Fedora?
> > >
> > > > Have been watching the PaX and grsecurity efforts for a while, but
> > > > haven't had a need to add them to a Linux box yet...either for a
> > > > customer, or in a lab for playing.
> > > >
> > > > I noticed that the PaX stuff seems to now be merged into grsecurity.
> > > > The most recent release of grsecurity has some interesting security
> > > > features I'm interested in testing.
> > > >
> > > > Anyone deploy grsecurity on a recent Fedora release (7 or 8) or RHEL
> > > > 4 or 5? If so, any problems, lessons learned, or tips?
> > >
> > > I haven't used and don't know much about it or its relationship, if
> > > any, with fedora, I don't think it goes as far as SELinux but that
> > > is just speculation based on a quick overview of the following which I
> > > will now review in depth to correct any mistaken notions I might have.
> > > If you come across better resources that explain this better please
> > > post back.
> > >
> > > www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf
> > >
> > > http://forums.grsecurity.net/viewtopic.php?f=1&p=7954
> > >
> > > http://www.grsecurity.net/
> > >
> > > http://www.nsa.gov/selinux/list-archive/0308/4941.cfm
> > >
> > > Max
> >
> > Although there is some overlap, I believe the two (selinux and
> > grsecurity) have many features that are complementary. Selinux provides
> > containment based on security contexts (labels). If one were to crash a
> > program covered by selinux, the damage would be contained. The goals of
> > grsecurity (especially the PaX elements) however, are to make it harder
> > to crash that program in the first place.
> >
> > Is the Linux kernel community thinking of pulling in some of the
> > capabilities that grsecurity (especially PaX) offers into the
> > kernel...making things like randomization of stack, data, and code space
> > a default behavior of the kernel?
>
> Some of that support is already in the mainline kernel these days, and
> Red Hat includes Exec Shield in their kernels. SELinux then supplements
> Exec Shield by providing policy control over mmap/mprotect with
> PROT_EXEC, enabling one to control the ability to make executable
> mappings that are writable.
>
> http://people.redhat.com/drepper/nonselsec.pdf
> http://people.redhat.com/drepper/selinux-mem.html

Also, see: http://www.awe.com/mark/blog/200801070918.html

--
Stephen Smalley
National Security Agency

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
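As an added illustration of the mmap/mprotect control Stephen describes (this is not code from the thread or from the linked papers): a small C probe that reports whether the running system lets a process create an anonymous mapping that is writable and executable at once, or make a written-to mapping executable afterwards. These are the two operations gated by SELinux's execmem permission; treating EACCES/EPERM as "denied by policy" is an assumption of this probe, since a hardened kernel such as PaX MPROTECT rejects the same calls the same way.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
enum wx_result { WX_ALLOWED = 0, WX_DENIED = 1, WX_ERROR = 2 };

/* EACCES/EPERM from mmap/mprotect is what a policy denial (SELinux execmem,
   or a hardened kernel) looks like; ENOMEM/EINVAL etc. are not policy. */
enum wx_result classify_errno(int err)
{
    if (err == 0) return WX_ALLOWED;
    if (err == EACCES || err == EPERM) return WX_DENIED;
    return WX_ERROR;
}

/* One-step probe: ask for an anonymous mapping that is writable and
   executable at the same time. */
enum wx_result probe_mmap_wx(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return classify_errno(errno);
    munmap(p, len);
    return WX_ALLOWED;
}

/* Two-step probe: map writable, touch the page, then ask mprotect() to add
   PROT_EXEC, the path a JIT takes when it has written code into memory. */
enum wx_result probe_mprotect_rw_to_rx(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return classify_errno(errno);
    ((unsigned char *)p)[0] = 0; /* make the page dirty before flipping it */
    int err = mprotect(p, len, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    munmap(p, len);
    return classify_errno(err);
}

int main(void)
{
    static const char *verdict[] = { "allowed", "denied by policy", "other error" };
    printf("mmap RWX anonymous:  %s\n", verdict[probe_mmap_wx()]);
    printf("mprotect RW -> RX:   %s\n", verdict[probe_mprotect_rw_to_rx()]);
    return 0;
}
```

On a stock kernel with no such policy both probes report "allowed"; in a domain whose execmem permission is denied, both report "denied by policy" and the corresponding AVC denial shows up in the audit log.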