1 |
In addition to Grsecurity + PAX you can use SELinux. It's main purpose |
2 |
is to separate daemons and minimize privilege escalation in case of |
3 |
buggy daemon. Each daemon has defined role - set of operations it can do |
4 |
(for example files access, network, capabilities etc.). When someone |
5 |
breaks into such daemon he can do only operations allowed in this |
6 |
daemon's role. |
7 |
|
8 |
There is "Reference policy" - standard policy to be used on SELinux |
9 |
systems. I have one server with it and there are no problems. Most |
10 |
commonly used daemons have good policies. Desktop applications have |
11 |
worse policies, but it shouldn't bother you. |
12 |
|
13 |
Regards, |
14 |
Marek Wróbel |
15 |
-- |
16 |
gentoo-hardened@g.o mailing list |