# GRSecurity vs. SELinux

## wswartzendruber

Can someone provide a sound reason for installing SELinux on top of GRSecurity? It seems that the point of SELinux is to contain a bomb after it goes off. Why not prevent the explosion in the first place? This question, obviously, includes PaX.

----------

## ToeiRei

Isn't grsecurity part of SELinux?

----------

## prometheanfire

grsecurity and selinux are basically competitors.

From my limited knowledge on selinux I don't think it hardens the kernel like grsec does.  grsec also has a rsbac system (like selinux but more flexible imo).

Start by reading these.

http://en.wikipedia.org/wiki/Security-Enhanced_Linux

http://en.wikipedia.org/wiki/Grsecurity

----------

## cach0rr0

*wswartzendruber wrote:*

> Can someone provide a sound reason for installing SELinux on top of GRSecurity? It seems that the point of SELinux is to contain a bomb after it goes off. Why not prevent the explosion in the first place? This question, obviously, includes PaX.

If you go the traditional "Gentoo Hardened" route, there is none. 

As I understand it, both grsec and selinux have a set of kernel patches, and both have an RBAC mechanism.

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml

(see the bit about selinux options in the kernel)

Bigger point is that grsec DOES have the ability to take care of a bomb after it's already gone off. 

They attempt to do basically the same things, just, grsec seems to do it better IMHO. 

- both projects offer a set of hardening patches for the kernel
- both projects offer an RBAC mechanism

You could use both selinux/grsec together, but it would be a pain. 

And as everyone I've chatted to that has far greater knowledge on the topic than myself...people I trust...have said grsec is the superior solution, I've opted for that. Couple that with some of the demonstrations I've seen from 'spender' showing selinux actually making things WORSE, for me it's a no-brainer.

----------

