I would like to thank frogger for taking the time to put together
hardened-sources-r3 for us (good work frogger)

-r3 introduces the grsecurity-2.0-pre4-2.4.20.patch which has
some very cool/needed new features for us grsecurity users such as role
based access control, variable support within acls including unions,
intersections, differences of sets, and a learning device, daemon as
well as nested subjects. All these features plus what it already had
should make grsecurity2 the most well rounded complete host based
security solution available for Linux to date.

These new features should be transparent to our users not using the
access control list features of grsecurity, however for those of us that
will be using them we have a few things to consider.

First, grsecurity 2 has not been officially released yet, and no
documentation exists for these features of grsecurity2 outside of the
grsec mailing list itself.

Second item is gradm itself,
<=gradm-2 installs to /sbin/gradm and reads /etc/grsec/acl
>gradm-2 also installs to /sbin/gradm and also reads /etc/grsec/acl
But they don't play together well at all, and if we were to park gradm2
which is really gradm in sys-apps/gradm it would always get preferred
over gradm-1.9.x when ~arch is set. This would affect users using
gentoo-sources. I don't want to introduce another apache{1,2} SLOT type
of mess.

My simple solution would be to park gradm 2 in sys-apps/gradm2, install
gradm 2 as /sbin/gradm2 with /etc/grsec2/acl and leave it this way
until grsecurity1 becomes deprecated. This would allow people to have
both systems installed without any conflict. (Any comments before it
gets set in stone?)

--
Ned Ludd <solar@g.o>
Gentoo Linux (Hardened)

--
gentoo-hardened@g.o mailing list