RSBAC Grsec Selinux ProPolice and Pax

Archaic archaic at
Sat Jan 17 19:31:07 PST 2004

On Mon, Jan 12, 2004 at 04:39:03AM -0500, Robert Connolly wrote:
> RSBAC and Grsec are each only supported by 1 developer.

Officially. But patches are contributed by the community, so I
personally negate that argument.

> Selinux has several large companies (immunix, redhat), a gov't agency
> support, and is the best documented.

Documentation is good, but secondary to performance. The redhat/immunix
support does help, but the gov't support doesn't. If they really were
such security experts, why the relatively recent switch to Linux over
Windows? Even much of their ongoing research into tactical field
stations is still built on Windows. Also, the gov't hasn't freely
licensed it. They just opened the code because they were smart enough to
realize they didn't have a monopoly on security developers.

So a nod to docs, IMO.

> Selinux is also able to work with Pax.

So is GRSec, so I negate that argument, as well.

> I think Selinux has a better life expectancy.

Perhaps, but Windows has good life expectancy. Besides, GRSec isn't
exactly a new project.

> I didn't look into OpenWall.

GRSec covers and extends the functionality of OpenWall. I don't think
there is anything missed which would make OpenWall useful if using
GRSec. Please clue me in if I hit the mark.

> Grsec doesn't replace propolice.

Neither does SELinux.

> Pax/Grsec doesn't stop a return to libc attack, Pax does however
> _prevent_ it by using a random function.

Are we talking about GRSec vs SELinux or vs propolice?

So, giving a nod to documentation and possibly a wink to redhat
involvement (some are testing GRSec as well), is there any other reason
to use SELinux over GRSec? If not, then, I guess things will come down
to trial and error with both systems (identical otherwise).

Now, for reasons to use GRSec.. SELinux is a pain in the rear. I got
frustrated quite quickly. Though I haven't spent any time on GRSec, it's
got to be easier than SELinux.

Anyone who has used one or the other should chime in. Anyone who has
used both should shout! :)


"The power to tax involves the power to destroy;...the power to destroy
may defeat and render useless the power to create...."

- Chief Justice John Marshall, 1819.

More information about the hlfs-dev mailing list