Yiannis wrote:
> Hello,
>
> I am running hardened gentoo with the toolchain provided by the
> xake-toolchain overlay. I am looking for a way to use virtualization
> with my current config. I am aware of the linux-vserver project which has
> grsecurity integration, but as far as I remember does not play well
> with rbac. Anyone that has a similar working config?
>

I use a hardened host (2.6.29) with vserver. Under this I run hardened
guests. All of these are old style hardened (gcc 3.4.6, not the new
gcc4 stuff). (As an aside, even uclibc+patches now seems to work ok on
gcc4.4.1 + hardened, so I think it's about time we had a push to try and
get the hardened profile to shuffle along a bit...)

I am not currently using the RBAC features of grsec, but I don't
immediately see a reason why they wouldn't work.... I guess it's
possible they would need to be implemented in the host rather than the
guest (which would feel a bit weird), but it should still work I guess...

All other hardenings seem to work as advertised and generally speaking
vserver is a nice lightweight, pseudo virtualisation which is often good
enough for your needs... It's really just a slightly more fancy chroot
system with some scripts around it and some additional hardening (and
all the associated limitations). Xen, etc. are the way you want to go if
you need full isolation. However, vserver allows you to more neatly
overcommit machine resources and has a number of other advantages.

Good luck

Ed W