What is easier to learn/setup GRsecurity or SELinux?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've never worked on Lids or GRsecurity. As far as SELinux is concerned it comes by default in RHEL (during installation) and from what I know is pretty seriously developed/initiated by the Red Hat folks.
As far as learning goes, its pretty much easy to comprehend/understand and in most cases you wont even have to touch any settings. There's good documentation available on it too. If you plan to setup SELinux on RHEL, do it on RHEL5 instead of RHEL4 (SELinux in RHEL4 appeared broken to us in many places).
Fedora receives latest development so for educational purposes I would recommend it. SELinux is in upstream kernel that's why it is IMHO most promising for the future and that's why Red Hat work with/on it.
selinux is already setup on most distros. For the grsecurity it seems you need to patch kernel. Not sure about grsecurity but doesn't seem too mature.
Of course you'd better try both and see what goes easier/better for you. If you want to be on the safe side, SELinux is obviously the answer with existing user base and great promises for the future. No idea, grsecurity may or may not be accepted in linux kernel but nobody can guarantee you anything.
I'm not implying anybody can guarantee you anything about whatever...
Not sure about grsecurity but doesn't seem too mature.
Grsecurity was started in Feb. 2001 w/ kernel version 2.4.1. And not to be rude but i would say that it is pretty mature. Selinux was released on Dec. 22, 2000.
Selinux is about 3 months older than grsecurity.
As others have said it depends what the goal is. SELinux is good but is lacking certain things that are blocked by the use of LSM. If LSM does not have a hook for a feature then selinux can't protect it. Grsecurity is a kernel patch that does not use LSM so it is not limited to the same constraints.
Here is some reading about problems that LSM introduce and why grsecurity does not use it.
on a more personal note. I have used/currently use both Grsecurity and SELinux. I also have one machine running kernel protection from grsecurity and policy from selinux.
If you have a need for the one shortfall of grsecurity, MLS, (at least that i have found) then selinux is the way to go. (Hence the hybrid above) Otherwise I personally feel that grsecurity can provide much better access control and kernel restrictions. Not to forget _FULL_ pax protection that is included in grsecurity.
look up spendergrsec user channel on youtube. He displays numerous kernel vulns. that either relate to SELinux or the severity of the vuln. is increased by the presence of SELinux.
Quote:
Originally Posted by avalonit
SELinux is obviously the answer with existing user base and great promises for the future
If we assume this then we could also assume that windows is better than linux because of its "existing user base and great promises for the future".
although not familiar with grsecurity, my point was that selinux is upstream and grsecurity is not. I have seen great tech die never being accepted upstream so for certain SELinux is more promising. As well being shipped with gentoo doesn't mean you don't have to compile your kernel a grsecurity patch is included with Debian and I guess such patches are available for various other distros, but you still have to compile kernel.
I'm not saying though that it will never be accepted or any other suggestions about grsecurity features. I'll be happy if you show somebody is working on getting grsecurity upstream!
Your comparisons with windows and date of first release are meaningless to me btw. Of course windows will most probably live a lot of time with its great user base, which doesn't mean linux will not (moreover linux is having a great userbase nowadays). And date of release is a bad guarantee for maturity although maturity depends on time and usually is getting better with time (not implying grsecurity is immature nor mature).
Actually for a long time grsecurity was much more mature then selinux. SELinux was lacking greatly until a few years ago. red hat did not even enable it by default until RHEL 4, even though it was added to the mainline in 2003. I know alot of people that feel that SELinux made it into the kernel mainline because NSA developed it and pushed for it to get into the kernel and red hat took it because of similar reasons.
there are a few more but i dont have time to go through git and find them.
Quote:
Originally Posted by avalonit
Your comparisons with windows and date of first release are meaningless to me btw. Of course windows will most probably live a lot of time with its great user base, which doesn't mean linux will not (moreover linux is having a great userbase nowadays). And date of release is a bad guarantee for maturity although maturity depends on time and usually is getting better with time (not implying grsecurity is immature nor mature).
But before that you said
"SELinux is obviously the answer with existing user base and great promises for the future"
so the windows comparison is a very relevent comparison in this case. And the release dates are factual data which is not based on personal assumption so while they are meaningless to you i am guessing that it will assist the OP in his decision making
I was trying in my last post to properly inform the OP as well as teach others not to post on things which they may have little knowledge of and to refrain from making assumptions with little to no facts. The current count of Registered Members is 427,123. There is almost always someone on here that has working knowledge of the application for the question being asked.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
a grsecurity patch is included with Debian and I guess such patches are available for various other distros, but you still have to compile kernel.
