From: Joshua Brindle <jbrindle@snu.edu>
To: Thomas Bleher <bleher@informatik.uni-muenchen.de>
Cc: SELinux <SELinux@tycho.nsa.gov>
Subject: Re: PaX + selinux integration update
Date: Fri, 27 Feb 2004 23:02:45 -0600 [thread overview]
Message-ID: <404020F5.9080202@snu.edu> (raw)
In-Reply-To: <20040226164707.GC31204@rom.cip.informatik.uni-muenchen.de>
Thomas Bleher wrote:
> * Joshua Brindle <jbrindle@snu.edu> [2004-02-25 21:49]:
>
>>These are the fixed up versions thanks to Chris Pebenito, the kernel
>>patch no longer specifies defaults, so now all decisions come directly
>>from policy.
>>
>>Also the excess amount of denials will not be displayed per policy
>
>
> Great! I think this is really useful work!
Thank you
>
> Do you think there is any chance of integrating your work into PAX? I
> understand that your patch will not go into the kernel in the near future,
> but if it was at least integrated into PAX it would be much more likely
> to be used.
>
The author of PaX doesn't want to add any implementation specific stuff
into mainline (understandably since he works with the grsecurity author
quite a bit) but this is what we are going to do:
We've started a little project called openpax which implements some of
the non-ACL aspects of grsecurity, /proc restrictions, chroot
restrictions, things like that. Not all of them are applicable to
selinux since the policy can take care of it but some are nicer this way
(especially /proc). Regardless, I've added the selinux pax integrations
into openpax, available at http://www.openpax.net or directly at
http://openpax.net/linux-2.6.3-openpax-0.9.patch
Basically we are using this as a testing ground for our Hardened Gentoo
kernels, the configuration we are using is PaX + openpax + SELinux to
provide all the currently supported layers of security.
> I think a lot of people use ExecShield because the patch is not too big
> and supported by RedHat. If PAX with proper SELinux-support was
> available as a single patch more people would consider using it on
> production systems where every additional patch counts.
>
> Thomas
>
Well, too big is fairly irrelavent if it doesn't provide the necessary
protections (IMO) . Furthermore, every single PaX option is optional and
encased in #ifdef's so every additional patch shouldn't count since
nothing unnecessary will end up in the compiled kernel.
Joshua Brindle
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2004-02-28 5:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-02-25 19:34 PaX + selinux integration update Joshua Brindle
2004-02-26 16:47 ` Thomas Bleher
2004-02-28 5:02 ` Joshua Brindle [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=404020F5.9080202@snu.edu \
--to=jbrindle@snu.edu \
--cc=SELinux@tycho.nsa.gov \
--cc=bleher@informatik.uni-muenchen.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.