On Thu, 05-05-2005 at 11:35 +0100, pageexec@××××××××.hu wrote:
> > I've two servers running with hardened-sources and GRSecurity + PAX
> > enabled and anything went fine. Two other servers running
> > hardened-sources with SELinux and GRSecurity + PAX I always get PAX
> > errors when I want to install something through emerge.
>
> humm, how do selinux/grsec coexist at all?
|
SELinux and grsecurity (subsequently, PaX too, using the *currently*
unavailable, or missing hooks as of hardened-sources-2.6.11-r1, though
you can use 'direct' integration) can coexist, but you can't use
grsecurity's RBAC, only its "general" features.
|
The performance hit may be just a bit bigger than the one that you can
have by just using SELinux or grsecurity alone, but the consistency of
the system makes such overhead worthwhile (indeed, you can supply most of
grsecurity's "general" features by using a correct configuration of the
policy, i.e. preventing programs from accessing /proc files of other domains,
using the strict policy for preventing the "path walking" of untrusted
filesystem links, etc).
|
Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo@×××.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
|
--
gentoo-hardened@g.o mailing list