
Re: SELinux on Squeeze?



On 12/31/11 02:55 , Russell Coker wrote:
> Support for NX etc is a kernel/hardware issue. AMD64 hardware is more capable in this regard but there are kernel patches to provide similar things for i386. I'm not sure of the status of this in Debian.
Debian used to have Exec-shield, Ingo Molnar's patch for older processors without an NX bit (it used segment limits to emulate this, but could be worked around by applications or malicious code with a call to mprotect - SELinux prevents that on Fedora, making Exec-shield effective). I tested Exec-shield in Debian a few years ago, with and without SELinux; it makes a big difference:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494408#24

I think now only grsecurity is available in Debian, providing similar functionality (it does much more than exec-shield, but it's also more intrusive - not sure if it's even possible to use SELinux at the same time). I don't mean this in a bad way; grsecurity seems to boost kernel security quite a bit:

http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/
> http://etbe.coker.com.au/2011/12/31/server-cracked/
>
> I've just written about that at the above URL.  As I note in that post I count that as a win for SE Linux.

Thanks, just read it. Considering the security record of OpenSSH, a configuration or administration problem seems more likely in taz's case.

Laurentiu
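The mprotect() workaround Laurentiu describes, as an added example that is not part of this thread and not code from Exec-shield, SELinux or Debian: the program maps an anonymous read/write page, writes a tiny machine-code stub into it, and then asks the kernel to flip the page to read/execute with mprotect(). On a kernel with only segment-limit NX emulation and no mandatory access control, that flip succeeds and the stub runs; under an SELinux policy that denies the process `execmem` permission, the same mprotect() call fails (EACCES on the systems I have seen, EPERM handled too) and the return code records that. The stub bytes for x86-64 and aarch64, the function and constant names, and the 42 return value are all my own assumptions for illustration; Exec-shield's segment-limit trick itself is not modelled here.

```c
/* Added example, not from the thread: does an anonymous RW page become
 * executable via mprotect()? This is the call the post says defeats
 * segment-limit NX emulation unless SELinux (execmem) blocks it. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return codes of try_mprotect_exec(); names are illustrative. */
enum { JIT_MAP_FAILED = -3, JIT_UNSUPPORTED_ARCH = -2, JIT_DENIED = -1 };

/* Constructed stub: a function returning the constant 42 under the
 * platform C calling convention (assumption: x86-64 or aarch64 Linux). */
#if defined(__x86_64__)
static const unsigned char stub[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, /* mov eax,42 */
                                     0xC3};                        /* ret        */
#elif defined(__aarch64__)
static const unsigned char stub[] = {0x40, 0x05, 0x80, 0x52,  /* mov w0,#42 */
                                     0xC0, 0x03, 0x5F, 0xD6}; /* ret        */
#else
static const unsigned char stub[] = {0};
#define JIT_NO_STUB 1
#endif

/* Map RW, copy the stub in, flip to RX with mprotect(), run it.
 * Returns 42 when the kernel allowed the page to become executable,
 * JIT_DENIED when mprotect() was refused (errno stored in *err if non-NULL,
 * which is what an SELinux execmem denial looks like from user space),
 * JIT_MAP_FAILED if the initial mmap() failed, JIT_UNSUPPORTED_ARCH
 * on architectures this example carries no stub for. */
int try_mprotect_exec(int *err)
{
    if (err)
        *err = 0;
#ifdef JIT_NO_STUB
    return JIT_UNSUPPORTED_ARCH;
#else
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        if (err)
            *err = errno;
        return JIT_MAP_FAILED;
    }
    memcpy(p, stub, sizeof stub);

    /* The W^X flip: drop write, add execute. A policy denying execmem
     * refuses this even though the hardware/kernel would allow it. */
    if (mprotect(p, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
        if (err)
            *err = errno;
        munmap(p, (size_t)page);
        return JIT_DENIED;
    }
    /* Required on aarch64 (I-cache coherence); a no-op on x86-64. */
    __builtin___clear_cache((char *)p, (char *)p + sizeof stub);

    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn); /* data pointer -> function pointer without a cast warning */
    int r = fn();
    munmap(p, (size_t)page);
    return r;
#endif
}

int main(void)
{
    int e = 0;
    int r = try_mprotect_exec(&e);
    if (r == JIT_DENIED)
        printf("mprotect(PROT_EXEC) refused: %s (check the audit log for an execmem AVC)\n",
               strerror(e));
    else if (r == JIT_MAP_FAILED)
        printf("mmap failed: %s\n", strerror(e));
    else if (r == JIT_UNSUPPORTED_ARCH)
        printf("no stub for this architecture\n");
    else
        printf("page became executable, stub returned %d\n", r);
    return 0;
}
```

On a stock kernel without SELinux the flip succeeds and the stub returns 42, which is exactly why a segment-limit emulation of NX can be undone by the application itself; under an enforcing policy that denies `execmem` to the domain, the program reports the refused mprotect() and the denial shows up as an AVC in the audit log (`ausearch -m AVC`). Note that the same permission also covers asking for PROT_EXEC together with PROT_WRITE in the initial mmap(), so the check is not specific to mprotect().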

