RSBAC Grsec Selinux ProPolice and Pax

Robert Connolly cendres at
Sun Jan 18 01:45:43 PST 2004

On January 17, 2004 10:31 pm, Archaic wrote:
> On Mon, Jan 12, 2004 at 04:39:03AM -0500, Robert Connolly wrote:
> > RSBAC and Grsec are each only supported by 1 developer.
> Officially. But patches are contributed by the community, so I
> personally negate that argument.
> > Selinux has several large companies (immunix, redhat), a gov't agency
> > support, and is the best documented.
> Documentation is good, but secondary to performance. The redhat/immunix
> support does help, but the gov't support doesn't. If they really were
> such security experts, why the relatively recent switch to Linux over
> Windows? Even much of their ongoing research into tactical field
> stations is still built on Windows. Also, the gov't hasn't freely
> licensed it. They just opened the code because they were smart enough to
> realize they didn't have a monopoly on security developers.

Libselinux is distributed by the NSA under the Public Domain dedication. It's
more free than the GPL.

It's unfortunate for us that they decided to patch on redhat packages, but I'm
pretty sure they decided to do that for what they thought was best for the 
community. Redhat has one of the larger user groups, which would bring more 
Selinux testers and developers. If they patched on GNU software then redhat 
would need to adapt their patches, making Redhat less likely to add or use 
Selinux. As well, anyone but LFS would need to modify Selinux patches if they
were patched for vanilla GNU software, making them less standardized, less 
testable, etc.

> So, giving a nod to documentation and possibly a wink to redhat
> involvement (some are testing GRSec as well), is there any other reason
> to use SELinux over GRSec? If not, then, I guess things will come down
> to trial and error with both systems (identical otherwise).

Selinux can control access of a daemon in chroot better than Grsec. Setup 
properly there is no need for services chroot at all on an Selinux system.

As far as performance, it's apples and oranges. Grsec and Selinux do things the
other does not. If they were both compared Grsec would be slower mainly due
to Pax, but possibly for other reasons.

I seem to have acl and selinux separated from redhat's package. The diff file
is over 5megs (384kb compressed). The true differences are nowhere near
5megs, so the patch will need to be refined. I dropped the Pam and ncurses 
dependency from it.

More information about the hlfs-dev mailing list