How does grsecurity compare to smack?


Post by nwmcsween » Wed Apr 09, 2008 10:19 am

I know grsecurity covers more than what smack does, but I like to keep things as simple as possible. How would grsecurity compare to smack? Would using PaX and smack be somewhat equivalent to grsecurity and PaX (in an access control sense)?

Re: How does grsecurity compare to smack?

Post by cormander » Wed Apr 09, 2008 11:42 am

I haven't ever used it, but it looks like smack uses LSM. If you haven't already, read the comments here: http://www.grsecurity.net/lsm.php

In particular this item applies to your question: "LSM involves only Access Control. grsecurity performs many other functions than just Access Control."

As far as LSM (smack) + PaX, you're getting closer to grsecurity's functionality, but grsecurity, independent of PaX and RBAC, does a lot of hardening that LSM can't do, because they require kernel patching.

In an access control sense, smack can probably do everything grsecurity can. I'm not sure about logging; grsecurity has extensive auditing capability (but if you're going to use LSM anyway, you can just use auditd). Another thing: grsecurity doesn't use filesystem labels. There are pros and cons to this, though I happen to dislike filesystem labels. So in my personal opinion, grsecurity is at least one-up on smack in MAC.

