| 1 |
In addition to Grsecurity + PAX you can use SELinux. It's main purpose |
| 2 |
is to separate daemons and minimize privilege escalation in case of |
| 3 |
buggy daemon. Each daemon has defined role - set of operations it can do |
| 4 |
(for example files access, network, capabilities etc.). When someone |
| 5 |
breaks into such daemon he can do only operations allowed in this |
| 6 |
daemon's role. |
| 7 |
|
| 8 |
There is "Reference policy" - standard policy to be used on SELinux |
| 9 |
systems. I have one server with it and there are no problems. Most |
| 10 |
commonly used daemons have good policies. Desktop applications have |
| 11 |
worse policies, but it shouldn't bother you. |
| 12 |
|
| 13 |
Regards, |
| 14 |
Marek Wróbel |
| 15 |
-- |
| 16 |
gentoo-hardened@g.o mailing list |
Archives