On Sat, 31 Dec 2011, Laurentiu Pancescu <lpance...@googlemail.com> wrote:
> effective). I tested Exec-shield in Debian a few years ago, with and
> without SELinux, it makes a big difference:

I just did a quick test on an i386 system with PAE running a 686 Squeeze kernel. SE Linux enforcing vs permissive made no difference to paxtest results with a default configuration. But when I was in enforcing mode and defined an account with user_t as the default domain (instead of unconfined_t) the test "Writable text segments" was no longer reported as vulnerable.

> I think now only grsecurity is available in Debian, providing similar
> functionality (it does much more than exec-shield, but it's also more
> intrusive - not sure if it's even possible to use SELinux at the same
> time). I don't mean this in a bad way, grsecurity seems to boost kernel
> security quite a bit:

The Gentoo guys integrated PAX and SE Linux. When you think of non-exec stack and GRSecurity you are thinking of PAX.

> http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/

Interesting article, it doesn't make Debian look good. :(

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/