| 1 |
I would like to thank frogger for taking the time to put together |
| 2 |
hardened-sources-r3 for us (good work frogger) |
| 3 |
|
| 4 |
-r3 introduces the grsecurity-2.0-pre4-2.4.20.patch which has |
| 5 |
some very cool/needed new features for us grsecuirty users such as role |
| 6 |
based access control, variable support within acls including unions, |
| 7 |
intersections, differences of sets, and an learning device,daemon as |
| 8 |
well as nested subjects. All these features plus what it already had |
| 9 |
should make grsecurity2 the most well rounded complete host based |
| 10 |
security solution available for linux to date. |
| 11 |
|
| 12 |
These new features should be transparent to our users not using the |
| 13 |
access control list features of grsecurity, however for those of that |
| 14 |
will be be using them we have a few things to consider. |
| 15 |
|
| 16 |
First grsecurity 2 has not been officialy released yet, and no |
| 17 |
documentation exists for these features of grsecuity2 outside of the |
| 18 |
grsec mailing list itself. |
| 19 |
|
| 20 |
Second item is gradm itself, |
| 21 |
<=gradm-2 installs to /sbin/gradm and reads /etc/grsec/acl |
| 22 |
>gradm-2 also installs to /sbin/gradm and also reads /etc/grsec/acl |
| 23 |
But they dont play together well at all, and if we were to park gradm2 |
| 24 |
which is really gradm in sys-apps/gradm It would always get prefered |
| 25 |
over gradm-1.9.x when ~arch is set. This would affect users using |
| 26 |
gentoo-sources. I dont want to introduce another apache{1,2} SLOT type |
| 27 |
of mess. |
| 28 |
|
| 29 |
My simple solution would be to park gradm 2 in sys-apps/gradm2, install |
| 30 |
gradm 2 as /sbin/gradm2 with /etc/grsec2/acl and leave it this way |
| 31 |
untill grsecurity1 becomes deprecated. This would allow people to have |
| 32 |
both systems installed without any conflict. (Any comments before it |
| 33 |
gets set in stone?) |
| 34 |
|
| 35 |
-- |
| 36 |
Ned Ludd <solar@g.o> |
| 37 |
Gentoo Linux (Hardened) |
| 38 |
|
| 39 |
|
| 40 |
-- |
| 41 |
gentoo-hardened@g.o mailing list |
Archives