RSBAC Grsec Selinux ProPolice and Pax

Archaic archaic at indy.rr.com
Sun Jan 18 04:45:45 PST 2004


On Sun, Jan 18, 2004 at 04:45:43AM -0500, Robert Connolly wrote:
> >
> Its unfortunete for us that they decided to patch on redhat packages, but I'm 
> pretty sure they decided to do that for what they thought was best for the 
> community.

They did what best suited their opinion. Mandrake did the same with
their version. They even say that much of their stuff is ripped from the
Fedora patches and modified to their taste. IOW, unless we want to be
using distro-specific tools, the patches will apparently need rewritten
and I have no idea how deep the Redhat integration is.

> Redhat has one of the larger user groups, which would bring more
> Selinux testers and developers. If they patched on GNU software then
> redhat would need to adapt their patches, making Redhat less likely to
> add or use Selinux. Aswell anyone but LFS would need to modify Selinux
> patches if they were patched for vanilla GNU software, making them
> less standardized, less testable, etc.

I'm confused... are you arguing for switching to redhat stuff to make
the patches apply?

> Selinux can control access of a daemon in chroot better than Grsec.

They both use MAC and RBAC, so what's different? What specifically can
GRSec not do? Is the problem because of the daemon being chrooted?

> Setup properly there is no need for services chroot at all on an
> Selinux system.

That is a hard pill to swallow as any wall can be torn down. I don't
like placing all my eggs in one basket. I think services should be
chrooted to add another layer of security regardless of any other
protection.

-- 
Archaic

Idealism is the noble toga that political gentlemen drape over their
will to power.

- Aldous Huxley




More information about the hlfs-dev mailing list