# SELinux vs. RSBAC vs. grsecurity

## Woldamer

Hi!

I try to choice one of them: SELinux, RSBAC, grsecurity...

And I'm confused. It is really not easy to make any decision...

I've many documentations, articles, presentations... And my brain is full, but I can't make a clear decision...

Perhaps here is anybody, how can help my with some tips...

Scenario:

* One Server

* Running:

 - SSH

 - Firewall

 - DB

 - WebServer

 - Java Application Server

 - Perhaps: virus scanner

* Accessing users:

 - Admins only, but separation is planned:

  # Updating system

  # Setting/changing roles

  # Configure web & db server

  # View (server) log files

I don't want any root = god, so I want to seperate by admin duty and personal.

That is possible by all of the three: SELinux, RSBAC, grsecurity

SELinux

Pros:

* Supported by some commercial companies

Cons:

* Very difficult to setup

RSBAC Pros:

* Modular model using

* Separetes virus scanner

* Can limit ressources of users and processes

grsecurity Pros:

* Randomized PIDs

The chosen solution should be not to difficult to setup, because I'm a newbe on this stuff (setting policies...) And I need this for my thesis and I've only small limited time slot.

ByeLast edited by Woldamer on Tue May 30, 2006 2:01 pm; edited 2 times in total

----------

## Sachankara

PaX+grsecurity is the easiest one to setup if you're new to role based security. Grsecurity includes RBAC (Role Based Access Control) which can enforce roles/rules on different processes, but it's not mandatory to use it - that's why it's so easy to use. You start with getting PaX working with PIE+SSP, then you setup all things related to grsecurity (which is very simple). At this stage Linux is already reasonably secure, but if you want to take it further, you install "gradm" and start working on your RBAC rules.  :Smile: 

Edit: Perhaps this didn't help you at all. Well well... :/

----------

## Woldamer

I have to use any kind of RBAC, because of root != god  :Wink: 

I've read that SELinux is difficult to setup up, because it's many of lines of policity configuration for each role. And a problem is, that SELinux labels the whole filesystem, what is difficult to backup.

----------

## Woldamer

I've updates my "RSBAC" Pros...

Has anybody experiances with two systems to compare them?

----------

