grsecurity forums

[nwmcsween]

Hi would it be possible to use selinux and pax together I know selinux uses some form of exec-shield but is there any way to make selinux use pax instead or just enabling the options selinux doesn't cover?

[cormander]

As far as I understand, the exec-sheild kernel patch is separate from SELinux; vendors such as redhat just happen to use both of them in their kernels.

Since SELinux is in the vanilla kernel and execshield is not, just patch a vanilla kernel with the pax-linux patch and enable the various SELinux / PaX options. They should work just fine.

[PaX Team]

Hi would it be possible to use selinux and pax together I know selinux uses some form of exec-shield but is there any way to make selinux use pax instead or just enabling the options selinux doesn't cover?

of course you can use them together, there's no conflict between the two (well, except some newer features that for some reason were stuffed into LSM, the MPROTECT/UDEREF like ones). what you will miss is the integration as in grsec or RSBAC where the access control system can be used to control the PaX flags. there used to be such a patch for SELinux as well (by Joshua Brindle, google should find the traces) but i think it got bitrot and noone maintains it anymore.