| 1 |
El jue, 05-05-2005 a las 11:35 +0100, pageexec@××××××××.hu escribió: |
| 2 |
> > I've two servers running with hardened-sources and GRSecurity + PAX |
| 3 |
> > enabled and anything went fine. Two other servers running |
| 4 |
> > hardened-sources with SELinux and GRSecurity + PAX I always get PAX |
| 5 |
> > errors when I want to install something through emerge. |
| 6 |
> |
| 7 |
> humm, how do selinux/grsec coexist at all? |
| 8 |
|
| 9 |
SELinux and grsecurity (subsequently, PaX too, using the *currently* |
| 10 |
unavailable, or missing hooks as of hardened-sources-2.6.11-r1, though |
| 11 |
you can use 'direct' integration) can coexist, but you can't use |
| 12 |
grsecurity's RBAC, only it's "general" features. |
| 13 |
|
| 14 |
The performance hit may be just a bit bigger than the one that you can |
| 15 |
have by just using SELinux or grsecurity alone, but the consistency of |
| 16 |
the system makes worthy such overhead (indeed, you can supply most of |
| 17 |
grsecurity's "general" features by using a correct configuration of the |
| 18 |
policy, ie. preventing programs to access /proc files of other domains, |
| 19 |
using the strict policy for preventing the "path walking" of untrusted |
| 20 |
filesystem links, etc). |
| 21 |
|
| 22 |
Cheers, |
| 23 |
-- |
| 24 |
Lorenzo Hernández García-Hierro <lorenzo@×××.org> |
| 25 |
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org] |
| 26 |
|
| 27 |
-- |
| 28 |
gentoo-hardened@g.o mailing list |
Archives