05 Jun 2005 18:20 solardiz

These two are not even similar, so it is hard to compare them. Rather, I'll describe them briefly:

The Openwall Linux kernel patch - a collection of security "hardening" features aimed at reducing the likelihood and/or impact of successful exploitation of certain classes of vulnerabilities in userspace applications, without requiring modifications to any userspace applications or libraries; also included are security fixes/enhancements to issues with the kernel itself (whenever the mainstream kernel is being too conservative or too slow at fixing security issues).

NSA SELinux - adds support for mandatory access control policies into the Linux kernel, and provides patches to certain userspace utilities to make use of said Linux kernel additions, with more userspace patches available from third parties (the kernel patch is useless without userspace applications and libraries patches); no security fixes/enhancements to issues with the kernel itself are being included (as far as I'm aware).

The two kernel patches can co-exist, and it may make sense to use both approaches on some systems, although there may be some issues with patch merging (might have to apply some hunks manually). I have not tried that.

You could also want to consider RSBAC as a well-established generic alternative to SELinux. (Or rather, SELinux is an alternative to RSBAC, since RSBAC is an older project.) It can co-exist with the Openwall Linux kernel patch, too, and I know that some people and even Linux distributions (ALT Linux Castle, other minor ones) have been using these patches together.

04 Jun 2005 20:06 contusion

How does it compare with security linux
How does it compare with the NSA Security Linux patch? Anyone has an idea?
