On 2016-01-19 20:54, Yves-Alexis Perez wrote:
Note, as the blog post says, that it's *secure* default, because each
and
every use is different, and people have to make their own choices. It
might
make sense to ship multiple config files (or rather, have different
packages),
like “desktop” or “server” but:
- no config will fit everyone anyway
- there will be requests for tuning this or that on this or that config
- there will be requests for adding new “profiles”
Agreed so maybe this isn't the best approach.
So at one point one should draw a line. It's dead easy to edit the
config, so
one has just to make sure people can find the information. I don't
really want
to make a debconf script for that, but it could be a possibility too.
After testing in KVM with custom settings the VM couldn't boot. Can you
please compile the grsec patch with host virtualization (KVM) support?
Offtopic: Also enabling RBAC would be nice for people who want to play
around with it and create profiles and one day upstream their efforts.
It doesn't conflict with LSM MACs in any way.
I'm not involved in any paxctld effort so I couldn't say. But I'm
unsure if
it'd make sense to have the config file in linux-grsec-base rather than
in a
paxctld package.
OK.
Regards,
