Value of selinux+grsecurity (was: Re: Anybody deploy grsecurity on Fedora?)

Stephen Smalley sds at tycho.nsa.gov
Thu May 1 12:59:54 UTC 2008 

On Thu, 2008-05-01 at 08:53 -0400, McGuffey, David C. wrote:
> > 
> > > Date: Wed, 30 Apr 2008 12:20:03 -0400
> > From: "max bianco" <maximilianbianco at gmail.com>
> > Subject: Re: Anybody deploy grsecurity on Fedora?
> > 
> > > Have been watching the PaX and grsecurity efforts for a while, but
> > > haven't
> > > had a need to add them to a Linux box yet...either for a customer,
> or in a
> > > lab for playing.
> > >
> > > I noticed that the PaX stuff seems to now be merged into grsecurity.
> The
> > > most recent release of grsecurity has some interesting security
> features
> > > I'm interested in testing.
> > >
> > >
> > >
> > > Anyone deploy grsecurity on a recent Fedora release (7 or 8) or RHEL
> 4
> > > or 5? If so, any problems, lessons learned, or tips?
> > >
> >
> > I haven't used and don't know much about it or its relationship, if
> > any , with fedora , I don't think it goes as far as SELinux but that
> > is just speculation based on a quick overview of the following which i
> > will now review in depth to correct any mistaken notions i might have.
> > If you come across better resources that explain this better please
> > post back.
> > 
> > www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf
> > 
> > http://forums.grsecurity.net/viewtopic.php?f=1&p=7954
> > 
> > http://www.grsecurity.net/
> > 
> > http://www.nsa.gov/selinux/list-archive/0308/4941.cfm
> > 
> > 
> > Max
> > 
> 
> Although there is some overlap, I believe the two (selinux and
> grsecurity) have many features that are complimentary.  Selinux provides
> containment based on security contexts (labels).  If one were to crash a
> program covered by selinux, the damage would be contained.  The goals of
> grsecrutiy (especially the PaX elements) however, are to make it harder
> to crash that program in the first place.
> 
> Is the Linux kernel community thinking of pulling in some of the
> capabilities that grsecrutiy (especially PaX) offers into the
> kernel...making things like randomization of stack, data, and code space
> a default behavior of the kernel?

Some of that support is already in the mainline kernel these days, and
Red Hat includes Exec Shield in their kernels.  SELinux then supplements
Exec Shield by providing policy control over mmap/mprotect with
PROT_EXEC, enabling one to control the ability to make executable
mappings that are writable.

http://people.redhat.com/drepper/nonselsec.pdf
http://people.redhat.com/drepper/selinux-mem.html
  
-- 
Stephen Smalley
National Security Agency

More information about the fedora-list mailing list