On Sat, 2009-09-19 at 22:25 +0200, Marco Venutti wrote:


> --[cut]--
>  You forgot to mention SSP (stack-smashing protection). 
> --[cut]--
> 
> I didn't forget it, but I'd like to primarily focus on 
> RSBAC and GR-Sec.

I think thats wrong focus. What makes grsecurity (and gentoo hardened)
interesting is PaX, not the RSBAC. Same is to be said about the
corresponding functionallity in OpenBSD.

Vanilla kernel (and SElinux etc) don't have PaX.

I can recommend you to read up on what PaX does for you. Basicly, PaX
prevent you to exploit vulnerabilities. selinux will only limit what
your successful exploit is allowed to do.

My biggest worries when it comes to PaX (for the moment) is that you
cannot run paravirtualization with PaX.

-nc