[rsbac] RSBAC & Molnar Ingo's ExecShield

Deim Agoston ago at lsc.hu
Tue Dec 7 08:12:17 CET 2004


Michal Purzynski <albeiro at zeus.polsl.gliwice.pl> wrote:
> PaX team does not provide official support for 2.6 kernel considering them
> unstable development version. Emergency like this - moving from PaX to
I know it. One of my friends, GCS - gcs aT lsc DoT hu - migrates the
grsecurity+ pax patches to debian kernels. He and the Hungarian guy
change emails so more or less I know the reasons why the newer 2.6
kernels lack the support of pax. But that's not me who is in question
but our partners.

> ExecShield and back will only calm down you but will not provide any
> security. That is because ExecShield protections can be bypassed and ways
> of doing this are known. It is advised to stay with stable series (2.4
> kernels) on most important machines.
Oh, yes but if you work with RH Enterprise versions - I suspect you do so
- you have to know what's the official statements of RH support: you can
not patch their official enterprise kernels. (you lose official support
and some kind of CTO needs to know that they have official support from
some kind of sw vendor) That's one of the reasons
why I didn't release any comparisons of SELinux and RSBAC and grsecurity.
(other reason is that it turned out that our partner considered it
"dangerous if anybody has the possibility to figure out what versions of
software they use and how" - stupidity but money talks, so it stood
on-site)
<lament>
If our partner says he needs some kind of security
and read something about SELinux and ExecShield in the leaflets from
RH then I have to use ExecShield and SELinux. And if I have to use
execshield I don't want to duplicate my efforts so I would stay with
it with the RSBAC patched of kernels if it's released more often and the
partners need some kind of memory protection along with 2.6.x kernel.
Again: money talks. The engineer can advise but he doesn't decide.....
Ok, it has the advantage that you don't have to provide any
responsibility and you can write it down in your contract. </lament>

bye,
Ago
> 
> Albeiro
> 

-- 

-----------
Deim Ágoston
LSC Linux Support Center Kft.
e-mail: deim.agoston at lsc.hu
Tel/fax:06-1/341-0457

