[Discuss] grsecurity
Richard Pieri
richard.pieri at gmail.com
Tue May 1 20:16:16 EDT 2012
On May 1, 2012, at 7:23 PM, Tom Metro wrote:
>
> Hmmm...the Wikipedia article gave the impression that the chroot jail
> was separate from RBAC or at least layered above it. It isn't clear why
> they couldn't have taken SELinux and done the same thing. Or at most, a
> patched SELinux.
Because SELinux requires a great deal of sysadmin time and effort and expertise to craft the jails and security policies. It requires a lot of time and care to craft the security labels for the files in the jails. And it requires diligent auditing of those security labels to ensure that a mistake doesn't crack all of the jails wide open.
gsecurity does all this right out of the box.
--Rich P.
More information about the Discuss
mailing list