
Re: exec-shield (maybe ITP kernel-patch-exec-shield)


Russell Coker wrote:
> On Tue, 4 Nov 2003 21:29, cobaco wrote:
> > > The exec-shield patch applies with the Debian patches and with LSM.  I am
> > > prepared to maintain it.  Unless someone volunteers to maintain PaX
> > > support for Debian kernels then the best available option for Debian
> > > users will be exec-shield.
> > hm, the Adamantix guys use PaX, maybe they ought to be pinged about this?
> Peter Busser is THE Adamantix guy.  I have suggested to him that he maintain 
> such packages in Debian, but he does not seem interested.

A bit late, but I only found out today about this.

You are absolutely right on this, I am not interested in maintaining such a
patch package. Would you maintain a patch package when you can already apt-get
install working kernel-images with everything you need, including PaX? I don't
think so.

It would be somewhat beneficial for Adamantix if PaX was part of the default
Debian kernel source. Inclusion of PaX in the default Debian kernel source
could be a valid reason to cooperate with Debian on this. You didn't ask me
about such a scenario.

> > > I want the users to have as many choices as possible.
> > Adamantix also uses RSBAC if I'm not mistaken
> Yes.  I made some RSBAC kernel-patch packages for Debian once, but never 
> uploaded them because no-one was interested in helping to test them.  When 
> no-one wants to test a package you have to assume that there is not much 
> interest in using it either...

A few years ago hardly anyone was interested in mandatory access control. Now
that people are slowly starting to realise that standard Linux is not as secure
as people have been claiming and that patching is not sufficient to keep out of
trouble, this is slowly changing too.

And I think RSBAC has an image that did not appeal to many people. RSBAC does
not try to be sexy, it simply tries to provide good security. And I must say
that it is very good at that job. Some people say that it is intimidating,
because it has so many modules and kernel options. But once you get to know it
a little better, things make more sense. Different people who used SELinux
before switching to RSBAC told me that they think RSBAC is easier to use than
SELinux. RSBAC will even protect the SELinux modules when 2.6 kernels are
included in Adamantix. :-)

And it is a lot of fun too, of course. Otherwise it would not make sense to do
it. :-)

Peter Busser
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world
