Hi,

You might be talking about grsecurity and PaX [1]. SELinux hooks through the LSM [2] framework. LSM was designed to be easily enabled and disabled, so that should be a fundamental flaw. LSM has valid criticisms [3] [4].

[1] <http://grsecurity.net>
[2] <http://en.wikipedia.org/wiki/Linux_Security_Modules>
[3] <http://www.grsecurity.net/lsm.php>
[4] <http://www.rsbac.org/documentation/why_rsbac_does_not_use_lsm>

Cheers,
Ed

On 9/23/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:
> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
> > Linux has SELinux in its 2.6 kernel and Debian has gone ahead and
> > compiled SELinux into the libraries, although the SELinux policies
> > aren't ready on Debian yet. The whole focus seems to be to make Linux
> > "more secure". I'm not sure what to make of it. I figure that if you
> > want secure, you switch to OBSD.
> >
> > Could someone who knows both the details of OBSD's security enhancements
> > and the details of SELinux comment?
>
> I don't know all the details, and especially not the SELinux details,
> but that won't stop me from commenting.
>
> Not long ago I was talking with a Linux person about security, and they
> pointed me to a set of patches that did a lot of nifty stuff. Good
> stuff, like the things you find OpenBSD doing. But it's not in the
> mainline kernel, it's a set of patches.
>
> Security should not be grafted on, it should be integrated into the
> main development process. I'm sure the patch maintainers are doing their
> best, but this doesn't change the fundamental flaw in the process. It's
> not a flaw of their making, it's inherent in the situation. But it's
> still a flaw.
>
> Compare that to a complete operating system (OpenBSD) where security is
> part of code quality, and part of the normal mainline development.
>
> --
> Darrin Chandler | Phoenix BSD User Group | MetaBUG
> [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/
> http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation

