
Re: SELinux on Squeeze?



On Sat, 31 Dec 2011, Laurentiu Pancescu <lpancescu@googlemail.com> wrote:
> effective). I tested Exec-shield in Debian a few years ago, with and 
> without SELinux, it makes a big difference:

I just did a quick test on an i386 system with PAE running a 686 Squeeze 
kernel.

SE Linux enforcing vs permissive made no difference to paxtest results with a 
default configuration.  But when I was in enforcing mode and defined an 
account with user_t as the default domain (instead of unconfined_t) the test 
"Writable text segments" was no longer reported as vulnerable.

> I think now only grsecurity is available in Debian, providing similar
> functionality (it does much more than exec-shield, but it's also more
> intrusive - not sure if it's even possible to use SELinux at the same
> time). I don't mean this in a bad way, grsecurity seems to boost kernel
> security quite a bit:

The Gentoo guys integrated PAX and SE Linux.  When you think of non-exec stack 
and GRSecurity you are thinking of PAX.

> http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/

Interesting article, it doesn't make Debian look good.  :(

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

