Thread: What is grsecurity2/AppArmour/SElinux?

  1. #1
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    What is grsecurity2/AppArmour/SElinux?

    I think I have security down-pat, but I'm not sure about grsecurity2/AppArmor/SElinux. I mean, I know what they all do, but I have two main questions:

    1. If I install grsecurity2, do I need to enable AppArmor/SElinux?

    2. Do I need to run both AppArmor and SElinux or just one?

    Also, what about buffer overrun protection? I hear Ubuntu has its own software enabled by default, but I've also heard that I need more protection than that. Any answers?

    Thanks,

    SH

  2. #2
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

  3. #3
    Join Date
    Mar 2007
    Location
    A bit further from nearby
    Beans
    Hidden!
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: What is grsecurity2/AppArmour/SElinux?

    Quote Originally Posted by ShinHadoken View Post
    I think I have security down-pat, but I'm not sure about grsecurity2/AppArmor/SElinux. I mean, I know what they all do, but I have two main questions:

    1. If I install grsecurity2, do I need to enable AppArmor/SElinux?

    2. Do I need to run both AppArmor and SElinux or just one?

    Also, what about buffer overrun protection? I hear Ubuntu has its own software enabled by default, but I've also heard that I need more protection than that. Any answers?

    Thanks,

    SH
    This article seems able to answer some of your questions, especially regarding SE Linux.

    Linux® has been described as one of the most secure operating systems available, but the National Security Agency (NSA) has taken Linux to the next level with the introduction of Security-Enhanced Linux (SELinux). SELinux takes the existing GNU/Linux operating system and extends it with kernel and user-space modifications to make it bullet-proof. If you're running a 2.6 kernel today, you might be surprised to know that you're using SELinux right now! This article explores the ideas behind SELinux and how it's implemented.
    Re: AppArmor, somebody please correct me if I'm wrong, but it's already installed and running on your installation (iirc it was first implemented in Ubuntu 7.10 along with its Linux 2.6.22 (?) kernel).

  4. #4
    Join Date
    Sep 2006
    Beans
    56

    Re: What is grsecurity2/AppArmour/SElinux?

    1. I'm not sure if you can use both. There's another thread from a forum staff member trying to use both Grsecurity and AppArmor. It seems difficult.
    http://ubuntuforums.org/showthread.php?t=809296

    2. AppArmor is installed by default for Ubuntu (I think it's 7.10 and later).
    You should use one. AppArmor is supposedly easier to use than SELinux.
    Ubuntu 12.04. 64bit. Desktop version. Gnome 3.4.1 O͜͡.O~

  5. #5
    Arthur Archnix
    Join Date
    Aug 2007
    Beans
    Hidden!

    Re: What is grsecurity2/AppArmour/SElinux?

    I remove AppArmor from my Ubuntu install. I've got separate partitions with appropriate permissions, I'm the only user of the laptop, and I've got no open services. No services period. For me, even PolicyKit is overkill. But that's too tightly integrated to unwind and it's not like it has a performance cost.

    Course, if you've got a server or even a desktop that you ssh into then I'd definitely be running at least one. Probably AppArmor, though I'm not sure how many profiles are enabled by default. More than in Gutsy surely, but one is greater than none so I'm not sure how much that's saying.

    Not expert advice. Just my own two cents. Probably worth one.

  6. #6
    Join Date
    Jun 2006
    Location
    Solihull, UK
    Beans
    1,413

    Re: What is grsecurity2/AppArmour/SElinux?

    By default, AppArmor only protects cupsd, but it is easy to configure in order to protect other processes.

    I sandbox all network daemons with AppArmor, and I also sandbox Firefox, Deluge and Pidgin to make sure that they can only ever write to the desktop or a dedicated download folder.
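
Added example, not part of the thread and not any poster's code: posts #5 and #6 leave open which AppArmor profiles are actually loaded and in which mode, so this script reads the kernel's profile list and flags programs that are not in enforce mode (complain mode only logs violations). The program paths and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Summarise which AppArmor profiles the kernel has loaded.
# Each line of the kernel's list has the form "<profile name> (<mode>)".
# Reading the real file normally requires root.
AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"

# aa_mode_of NAME [FILE]: print the mode of profile NAME, or "not-loaded".
aa_mode_of() {
    awk -v want="$1" '
        { name = $0; sub(/ \([a-z]+\)$/, "", name)
          mode = $NF; gsub(/[()]/, "", mode)
          if (name == want) { print mode; found = 1; exit } }
        END { if (!found) print "not-loaded" }' "${2:-$AA_PROFILES}"
}

# aa_count_mode MODE [FILE]: number of loaded profiles in MODE.
aa_count_mode() {
    awk -v m="($1)" '$NF == m { n++ } END { print n + 0 }' "${2:-$AA_PROFILES}"
}

# aa_report FILE NAME...: one line per program, flagging anything not enforced.
aa_report() {
    file=$1; shift
    for prog in "$@"; do
        mode=$(aa_mode_of "$prog" "$file")
        case $mode in
            enforce) echo "OK    $prog ($mode)" ;;
            *)       echo "CHECK $prog ($mode)" ;;
        esac
    done
}

# Constructed sample input (not captured from a real system).
aa_write_sample() {
    cat > "$1" <<'EOF'
/usr/sbin/cupsd (enforce)
/usr/lib/firefox/firefox (complain)
/usr/bin/pidgin (enforce)
EOF
}

sample=$(mktemp)
aa_write_sample "$sample"
aa_report "$sample" /usr/sbin/cupsd /usr/lib/firefox/firefox /usr/bin/deluge
rm -f "$sample"
```

On a live system, pass `/sys/kernel/security/apparmor/profiles` as the first argument to `aa_report` and run it as root.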

  7. #7
    Join Date
    Feb 2008
    Location
    Oklahoma, US
    Beans
    306
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: What is grsecurity2/AppArmour/SElinux?

    So, here's what I'm getting:

    I should configure AppArmor, and forget about SELinux.

    Ok, but what about grsecurity?

    1. Should I install it? If so, how?
    2. If I do install it, should I still run AppArmor?
    3. How do I configure grsecurity?
    4. If I shouldn't install grsecurity, what do I do about memory overrun prevention (such as PaX)?
