Bug#605090: [RFC] Add a grsec featureset to Debian kernels

To: Carlos Alberto Lopez Perez <clopez@igalia.com>, 605090@bugs.debian.org
Cc: gcs@debian.hu
Subject: Bug#605090: [RFC] Add a grsec featureset to Debian kernels
From: Yves-Alexis Perez <corsac@debian.org>
Date: Mon, 09 Jan 2012 15:19:35 +0100
Message-id: <[🔎] 1326118775.6741.15.camel@scapa>
Reply-to: Yves-Alexis Perez <corsac@debian.org>, 605090@bugs.debian.org
In-reply-to: <4EFA9EE0.5060000@igalia.com>
References: <4EFA9EE0.5060000@igalia.com>

On mer., 2011-12-28 at 05:45 +0100, Carlos Alberto Lopez Perez wrote:
> Hello,
> 
> 
> What is the status of this? It has been a looong time ago since last update.

Sorry for the delay. As the BTS doesn't automatically CC the submitter,
please keep me on CC: when replying to this bug.

For sid, I keep updating the kernels from time to time, you can see the
grsec-patches (against the sid svn branch) at
http://anonscm.debian.org/gitweb/ and binary packages can be found at
http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/sid/ (I
don't upload every built kernel there since it's a bit huge.

For squeeze, I'm a bit lagging but I should update both the relevant
branch in grsec-patches and the repository.

I don't give a status update each time I update the repositories in
order not to flood people, and I still hope some positive answer from
the kernel team (until it's obvious it's too late for Wheezy).
> 
> 
> I am also interested in having a Debian kernel with the grsec+pax
> featureset and I am sure that many sysadmins would appreciate this
> possibility. There is a huge user base of grsec from hosting companies.

Thanks for the support.
> 
> 
> I agree that this RBAC thing may be not interesting for everybody giving
> the fact that it duplicates some functionality (we already have SELinux
> and TOMOYO).
> 
> 
> So if you really feel so strong about removing this feature from the
> debian-grsec-kernel it can be easily done just by setting
> CONFIG_GRKERNSEC_NO_RBAC=y in the .config (there is no need to ask
> upstream to split the patch).

This was mostly about upstreaming things, in fact. But disabling an
option doesn't make the patch smaller.
> 
> 
> Anyway I think RBAC is a nice feature and it don't hurts: Its far easier
> to use than SElinux [1] and we already have in Debian the user-space
> tools to work with it:
> 
>   CC'ing Laszlo Boszormenyi
>   (maintainer of linux-patch-grsecurity2, paxctl and gradm2)

Note that linux-patch-grsecurity2 should really be removed now.
> 
> 
> 
> I would like to see this moving forward, so I volunteer myself to help
> with the maintenance of this featureset.
> 
Thanks for that :)
-- 
Yves-Alexis

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Prev by Date: Processed: tagging 655109
Next by Date: Re: [PATCH 1/2] topology: Check for missing CPU devices
Previous by thread: Bug#632432: marked as done (Warnings from apic/apic.c:setup_local_APIC with linux-image-2.6.39-2-686-pae on SuperMicro X8DAi board.)
Next by thread: Re: Bug#645071: WARNING in tty_ldisc_reinit
Index(es):
- Date
- Thread