Re: SELinux on Squeeze?
On 12/31/11 02:55, Russell Coker wrote:
> Support for NX etc is a kernel/hardware issue. AMD64 hardware is more
> capable in this regard but there are kernel patches to provide similar
> things for i386. I'm not sure of the status of this in Debian.
Debian used to have Exec-shield, Ingo Molnar's patch for older
processors without an NX bit (it used segment limits to emulate this,
but could be worked around by applications or malicious code with a call
to mprotect - SELinux prevents that on Fedora, making Exec-shield
effective). I tested Exec-shield in Debian a few years ago, with and
without SELinux; it makes a big difference:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494408#24
I think now only grsecurity is available in Debian, providing similar
functionality (it does much more than exec-shield, but it's also more
intrusive - not sure if it's even possible to use SELinux at the same
time). I don't mean this in a bad way, grsecurity seems to boost kernel
security quite a bit:
http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/
> http://etbe.coker.com.au/2011/12/31/server-cracked/
> I've just written about that at the above URL. As I note in that post I count
> that as a win for SE Linux.
Thanks, just read it. Considering the security record of OpenSSH, a
configuration or administration problem seems more likely in taz's case.
Laurentiu
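The mprotect point above (segment-limit NX emulation can be undone by a process asking for PROT_EXEC on writable memory, and an execmem-style SELinux denial is what closes that hole) can be checked on a given box with a small probe. The following is an added example written for this page, not code from the list thread or from any of the projects mentioned; it assumes Linux with glibc and only reports whether the kernel and its MAC policy let an anonymous read/write page be flipped to executable. It never runs anything from the page it maps.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result codes returned by probe_anon_exec(). */
#define EXEC_ALLOWED  1   /* RW anonymous page could be made RX */
#define EXEC_DENIED   0   /* mprotect(PROT_EXEC) was refused by policy */
#define PROBE_ERROR  -1   /* mmap failed or mprotect failed for another reason */

/*
 * Map one private anonymous page read/write, then ask for PROT_EXEC on it.
 * On SELinux this is exactly the mprotect that the execmem permission
 * governs (a denial surfaces as EACCES); other W^X enforcers are assumed
 * to refuse with EACCES or EPERM as well. The optional saved_errno
 * receives the errno of a failed call so the caller can print it.
 */
int probe_anon_exec(int *saved_errno)
{
    long psz = sysconf(_SC_PAGESIZE);
    size_t len = psz > 0 ? (size_t)psz : 4096;
    if (saved_errno) *saved_errno = 0;

    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        if (saved_errno) *saved_errno = errno;
        return PROBE_ERROR;
    }
    memset(p, 0, len);            /* touch the page so it is really backed */

    int rc;
    if (mprotect(p, len, PROT_READ | PROT_EXEC) == 0) {
        rc = EXEC_ALLOWED;        /* writable memory became executable */
    } else {
        if (saved_errno) *saved_errno = errno;
        rc = (errno == EACCES || errno == EPERM) ? EXEC_DENIED : PROBE_ERROR;
    }
    munmap(p, len);
    return rc;
}

/* Human-readable verdict for a probe_anon_exec() result. */
const char *describe_probe(int rc)
{
    switch (rc) {
    case EXEC_ALLOWED:
        return "ALLOWED: writable anonymous memory can be made executable "
               "(no execmem-style restriction is in effect)";
    case EXEC_DENIED:
        return "DENIED: mprotect(PROT_EXEC) refused, a W^X policy such as "
               "SELinux execmem is being enforced";
    default:
        return "ERROR: probe could not run";
    }
}

int main(void)
{
    int err = 0;
    int rc = probe_anon_exec(&err);
    printf("%s", describe_probe(rc));
    if (err) printf(" (errno %d: %s)", err, strerror(err));
    printf("\n");
    return rc == PROBE_ERROR ? 2 : 0;
}
```

On a stock kernel without a W^X policy the probe prints ALLOWED; on a Fedora-style SELinux setup with execmem denied for the running domain (or under a grsecurity MPROTECT kernel) it prints DENIED, which is the behaviour the post credits with making Exec-shield effective. A DENIED result for a domain that legitimately needs JIT memory is the usual source of execmem AVC denials, so the probe is also a quick way to confirm what a policy change did.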