Re: exec-shield (maybe ITP kernel-patch-exec-shield)
On Fri, 28 Nov 2003, Peter Busser wrote:
> > I for one, do (especially since I have Russell's word that it would work
> > quite well along with SE Linux).
> It is nice to hear that Russell changed his mind after the previous discussion.
I am not implying he said PaX would not need patch merge changes to apply,
mind you. Just that PaX would enhance the security of a SELinux system, and
that the two can conceptually work well together.
> Debian testing worked on a test system with the Adamantix kernel-image package
> (which obviously includes PaX with the most restrictive settings enabled). X
> breaks, but it breaks on exec-shield too.
This is the kind of thing that would make the adoption slow. We'd need to
fix it, and fix it properly.
> meet high levels of assurance anyway. But as someone else pointed out already,
> the risk for backdoors in important packages is too big in the long run.
To fix that you just need a QA layer, like progenity had.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot