Does OpenVZ have support for GrSecurity? [message #14969]
Sun, 15 July 2007 19:26
joelee
Hi All,
I've searched the forum and noticed some past discussion of GrSecurity support in OVZ. I wanted to know whether OVZ has support for it and, if not, whether there are plans to support it in the near future.
If this feature is already supported, I would appreciate any comments on its use with OVZ.
Joe
[Updated on: Thu, 19 July 2007 08:21 by Moderator]
Re: Does OpenVZ have support for GrSecurity? [message #15081 is a reply to message #15053]
Wed, 18 July 2007 07:42
dev
grsecurity conflicts a lot with the openvz changes, so it requires some effort to resolve/fix them. Also, the grsecurity patch looks to be poorly documented, and thus it's hard to dig into it. If there is a volunteer, we can give him the patch we already have for doing this job. Surely it is not impossible; it is just something we have no resources for :/
Next, there are some concerns about security. The RHEL5 kernel provides execshield and randomization of address spaces, so the major feature is available out of the box. Many other features of grsecurity look like fake security (just giving you a feeling of safeness), e.g. users who can't see other users' processes in /proc. It doesn't help security, and a slightly experienced user can still easily find all the other PIDs in the system.
And the main question is: why does someone want grsecurity? To protect users from each other? Then use a dedicated VE for each of them (which is a much more hardened protection than chroot, even compared to grsec) and be happy. If I am missing something and you need some particular feature of grsec, then please let me know. We'll do our best to bring it.
[Updated on: Wed, 18 July 2007 08:39]
Re: Does OpenVZ have support for GrSecurity? [message #15097 is a reply to message #15092]
Wed, 18 July 2007 22:28
joelee
Dev, your point is well made and I am much in agreement. But the example you gave, about two users being more protected if they are on different VEs as opposed to being on one with SELinux or GrSecurity, is correct.
However, as you know, in a real-world environment a VE will be supporting many, many users. And one will still want to find ways to further secure/protect users or apps from each other. That's where SELinux and GrSecurity tools come into play and serve their purpose.
Therefore, if OpenVZ has some technical issues supporting those tools, then it would make sense for OVZ to put some effort into getting those fixed. Hope you agree!
I initially made this post because I wanted to be able to chroot users in SSH, FTP, etc., and a GrSecurity-like tool is recommended to be patched into the kernel to enhance the chrooting capability. And I've come to learn that OVZ had problems with GrSecurity.
I hope some attention can be placed on this by the OVZ team to fix what can be fixed in order to support GrSecurity and/or SELinux.
Hope you get my point! Anyway, thanks for your comments...
Joe