Re: SELinux on Squeeze?

To: Carlos Alberto Lopez Perez <clopez@igalia.com>
Cc: debian-security@lists.debian.org
Subject: Re: SELinux on Squeeze?
From: Kees de Jong <keesdejong@gmail.com>
Date: Sat, 31 Dec 2011 18:46:21 +0100
Message-id: <[🔎] 1325353581.10276.5.camel@Intrepid.Debnet>
In-reply-to: <[🔎] 4EFF441E.6000805@igalia.com>
References: <[🔎] 4EFD71F0.2040803@googlemail.com> <[🔎] 201112310015.30479.russell@coker.com.au> <[🔎] 4EFDC556.8050707@googlemail.com> <[🔎] 201112311255.48278.russell@coker.com.au> <[🔎] 4EFEF0E6.2000202@googlemail.com> <[🔎] 4EFF441E.6000805@igalia.com>

On Sat, 2011-12-31 at 18:19 +0100, Carlos Alberto Lopez Perez wrote:

On 31/12/11 12:24, Laurentiu Pancescu wrote:
> 
> I think now only grsecurity is available in Debian, providing similar
> functionality (it does much more than exec-shield, but it's also more
> intrusive - not sure if it's even possible to use SELinux at the same
> time). I don't mean this in a bad way, grsecurity seems to boost kernel
> security quite a bit

Meanwhile you don't enable the RBAC part of the grsecurity patch you can
use SELinux with the grsecurity patch.

grsecurity-RBAC is the grsecurity's alternative to SELinux, which I find
far easier and user-friendly to use than SELinux. Here is a nice to read
paper [1] comparing both grsecurity-RBAC and SELinux.

There has been some people pushing for adding a grsecurity featureset
(flavor) to the official Debian kernel. [2] Perhaps some of you would
like to show your support or help pushing for it in order to make it
happen, I definitively would love to see a linux-image-grsecurity in
Debian :)

Regards!

---------
[1] http://www.cs.virginia.edu/~jcg8f/SELinux%20grsecurity%20paper.pdf
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090

I recently had contact with the guy behind cr0.org. He told me that he wasn't very active anymore, but he was planning to work on the 3.1.5 kernel soon.
You can check out the repositories at http://debian.cr0.org/
Perhaps he's interested in having his work integrated into Debian? I can contact him tomorrow via email. I don't know the guy personally.
But I'm willing to pick this one up. Grsec would be a very easy way to improve the kernel security in Debian. SELinux has a bigger learning curve I guess.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- SELinux on Squeeze?
  - From: Laurentiu Pancescu <lpancescu@googlemail.com>
- Re: SELinux on Squeeze?
  - From: Russell Coker <russell@coker.com.au>
- Re: SELinux on Squeeze?
  - From: Laurentiu Pancescu <lpancescu@googlemail.com>
- Re: SELinux on Squeeze?
  - From: Russell Coker <russell@coker.com.au>
- Re: SELinux on Squeeze?
  - From: Laurentiu Pancescu <lpancescu@googlemail.com>
- Re: SELinux on Squeeze?
  - From: Carlos Alberto Lopez Perez <clopez@igalia.com>

Prev by Date: Re: SELinux on Squeeze?
Previous by thread: Re: SELinux on Squeeze?
Next by thread: Re: SELinux on Squeeze?
Index(es):
- Date
- Thread