
Selinux vs grsecurity

Posted: Thu Dec 18, 2003 8:03 am
by graphix
Sorry to bring this up, spender,

but how can one better from grsecurity, than from using selinux?
I don't really see what is so better with selinux and why most people would pick that over grsec, or vice versa.

Posted: Thu Dec 18, 2003 5:18 pm
by graphix
can nobody answer this?

Posted: Fri Dec 19, 2003 7:31 am
by Sleight of Mind
It's mostly a personal favour thing, I guess. Of course both will have pros and cons, but for each person the weights are different. Just pick the one that suits your personal needs best.

Posted: Fri Dec 19, 2003 6:14 pm
by aldem
selinux is a bit (over)complicated - both in model and in usage (it doesn't mean that those are not needed - it only means that some of them are not needed by the majority).

grsec offers the same features as selinux (well, at least most of them), but implemented (and managed) in a different way.

To use selinux you need a lot of experience and understanding, while grsec can be used by novices in a (more or less) intuitive way (there are some problems too, but not as many as in the case of selinux).

I just had a look at selinux - and I see that it will take a few days to learn how to use it efficiently (and correctly), and a few more days to tune it up (for specific systems).

There is one definitely good point for selinux - it is in the mainstream kernel (2.6), and is officially supported. Those guys from NSA have a lot of experience (and a very good team). OTOH, some people are scared to use NSA's Linux... So... :)

My advice - try to read all relevant docs, and see what fits your needs better - both from features and management (usage).

Posted: Fri Dec 19, 2003 9:43 pm
by torne
The big difference is that grsecurity is principally designed to secure ordinary Linux systems against remote or local penetration; i.e. to help ordinary system administrators protect against the attacks encountered every second on the Internet and generally on any computer with untrusted users.

SELinux is designed to make an operating system compliant with Common Criteria security standards, suitable for low-level military use. It attempts to protect against attacks in the way GRSec does (though with different mechanisms) but also is designed to protect privacy, confidentiality, and all other kinds of information leakage. It's also designed to deal with classified (this doesn't have to be Top Secret; trade secrets, perhaps) data, and the vital restriction that processes with access to classified data only be allowed to write to nonclassified data under controlled conditions, to prevent a trojan/virus from leaking data which should be restricted.

In my opinion, the requirements of SELinux make it vastly overcomplicated if your goals are simply to protect yourself from 'regular' compromise. SELinux *should* achieve the goal of 'crack protection', but it's almost as a side effect of its design. GRSec is a more specific defence designed to tackle real-world attacks, rather than implement any particular theoretical security model. Please don't take this to be any form of attack on SELinux; their goals are noble and their implementation is, from what I have seen, excellent. Nonetheless, I chose GRSec because I felt that it would be better suited to the needs of an average system administrator, and the vastly reduced complexity of its configuration allows me to be far more confident that the end result is secure. I simply don't trust my own abilities enough to go with the more flexible tool. =)
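
An added example, not part of torne's post and not SELinux code: a simplified Python model of the restriction described above, where a process that has read classified data may write to nonclassified data only under controlled conditions. It uses the high-water-mark variant of the "no write down" rule; the level names, the `trusted_downgrader` flag and the file names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sensitivity levels; a higher number means more sensitive.
LEVELS = {"public": 0, "trade_secret": 1}

@dataclass
class Process:
    name: str
    clearance: str                    # highest level this process may read
    trusted_downgrader: bool = False  # hypothetical flag for "controlled conditions"
    high_water: str = "public"        # most sensitive level read so far

@dataclass
class File:
    name: str
    level: str
    data: list = field(default_factory=list)

def read(proc, f):
    """No read up: deny above clearance; a permitted read raises the high-water mark."""
    if LEVELS[f.level] > LEVELS[proc.clearance]:
        return False
    if LEVELS[f.level] > LEVELS[proc.high_water]:
        proc.high_water = f.level
    return True

def write(proc, f, payload):
    """No write down: deny writes below the high-water mark unless trusted."""
    if LEVELS[f.level] < LEVELS[proc.high_water] and not proc.trusted_downgrader:
        return False
    f.data.append(payload)
    return True

def demo():
    secret = File("formula.txt", "trade_secret")
    outbox = File("public_notes.txt", "public")
    editor = Process("editor", clearance="trade_secret")
    release = Process("release_tool", clearance="trade_secret", trusted_downgrader=True)
    results = {"write_before_read": write(editor, outbox, "hello")}
    results["read_secret"] = read(editor, secret)
    # A trojan inside the editor would be stopped here, whatever the user's own rights.
    results["write_after_read"] = write(editor, outbox, "copied secret")
    read(release, secret)
    results["downgrader_write"] = write(release, outbox, "reviewed summary")
    results["outbox"] = list(outbox.data)
    return results

if __name__ == "__main__":
    print(demo())
```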

Posted: Sun Dec 21, 2003 11:02 pm
by graphix
Very well put, thank you guys for your input, that was what I was looking for. I like grsec myself.