# Kernel Security, Rsbac, Grsec, SELinux?

## cuerty

Hi, I was wondering what kernel-side access control environment Gentoo people prefer?

It's for some work I'm going to do. Thanks.

Rsbac: http://www.rsbac.org/

Grsecurity: http://www.grsecurity.net/

SELinux: http://www.nsa.gov/selinux/

----------

## Method

See http://www.gentoo.org/proj/en/hardened

We support grsec and SELinux.

There are no plans to support RSBAC.

----------

## kang__

http://bugs.breakmygentoo.net/show_bug.cgi?id=270

It's here.

----------

## Method

Yes, that is the kernel patch, but the kernel patch will do absolutely zero good without the accompanying policies, docs, etc.

----------

## andreask

Hi!

Will Gentoo focus on grsec _or_ SELinux in the future, or both?

Don't we need RSBAC because SELinux and/or grsec offer their own RBACs which are "good enough"? (As I saw today, grsec-sources were switched to grsec 2 [with new RBAC features] as of kernel 2.4.26!)

If I am looking for a kernel to run on a server which should be very secure (running Apache (SSL)/PostgreSQL/SSH), stable and highly available, what would you recommend?

I think grsec-sources are known to be very stable; what could be the advantage of taking hardened-sources? Perhaps I will need it if I want to use "ProPolice..." - but is this stable enough to run on important servers?

So I need hardened-sources if I want to use hardened-sources, hardened-gcc...?

There is more and more about SELinux; do you think it is the better alternative to use with hardened-sources?

regards,

Andreas

----------

## justanothergentoofanatic

Here is an alternate viewpoint: there is no evidence that any of these patches actually makes a Linux system more secure. Most of them are very poorly tested and can be described as pre-beta quality at best. They also tend to alter the kernel at a fairly deep level.

The 'infinite eyes make all bugs shallow' theory of software design tends to support the idea that whatever everyone else is running is likely to be more stable and secure.

Just a thought,

-Mike

----------

