[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#605090: [RFC] Add a grsec featureset to Debian kernels

On mer., 2011-12-28 at 05:45 +0100, Carlos Alberto Lopez Perez wrote:
> Hello,
> What is the status of this? It has been a looong time ago since last update.

Sorry for the delay. As the BTS doesn't automatically CC the submitter,
please keep me on CC: when replying to this bug.

For sid, I keep updating the kernels from time to time, you can see the
grsec-patches (against the sid svn branch) at
http://anonscm.debian.org/gitweb/ and binary packages can be found at
http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/sid/ (I
don't upload every built kernel there since it's a bit huge.

For squeeze, I'm a bit lagging but I should update both the relevant
branch in grsec-patches and the repository.

I don't give a status update each time I update the repositories in
order not to flood people, and I still hope some positive answer from
the kernel team (until it's obvious it's too late for Wheezy).
> I am also interested in having a Debian kernel with the grsec+pax
> featureset and I am sure that many sysadmins would appreciate this
> possibility. There is a huge user base of grsec from hosting companies.

Thanks for the support.
> I agree that this RBAC thing may be not interesting for everybody giving
> the fact that it duplicates some functionality (we already have SELinux
> and TOMOYO).
> So if you really feel so strong about removing this feature from the
> debian-grsec-kernel it can be easily done just by setting
> CONFIG_GRKERNSEC_NO_RBAC=y in the .config (there is no need to ask
> upstream to split the patch).

This was mostly about upstreaming things, in fact. But disabling an
option doesn't make the patch smaller.
> Anyway I think RBAC is a nice feature and it don't hurts: Its far easier
> to use than SElinux [1] and we already have in Debian the user-space
> tools to work with it:
>   CC'ing Laszlo Boszormenyi
>   (maintainer of linux-patch-grsecurity2, paxctl and gradm2)

Note that linux-patch-grsecurity2 should really be removed now.
> I would like to see this moving forward, so I volunteer myself to help
> with the maintenance of this featureset.
Thanks for that :)

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: