grsecurity users?

Arkadiusz Miśkiewicz arekm at maven.pl
Mon Nov 21 11:33:01 CET 2011


On Monday 21 of November 2011, Marek Guevara Braun wrote:
> On 17 November 2011 19:34, Arkadiusz Miśkiewicz
> <arekm at maven.pl> wrote:
> > I wonder if we have grsecurity users that use pld kernels?
> 
> I use this feature.

Ok but what part? RBAC?

> 
> > Asking because there was an idea of dropping grsec from default kernel
> > which can happen iif we have no users of this feature.
> 
> SELinux a'la RHEL then or nothing at all ?

Well, right now some parts of grsec are used among people here, so these won't 
be dropped.

The real problem is in 3.1.x kernels where there is some functional conflict 
between grsecurity and vserver. That causes an oops like this:

http://pastebin.com/ciS5ud30

Our 3.1.1+vserver works fine, 3.1.1+grsec works fine, 3.1.1+vserver+grsec 
fails as shown above. There were some changes in the dup_mm/copy_process area in 
vserver between 3.0 and 3.1 but the real reason for the oops is unknown at this 
moment.

That's the only thing that prevents us from having a 3.1 kernel in PLD.

> Regards,
> Marek
> 
> PS. Do we still need tuxonice and vservers? 

tuxonice was dropped. vserver is used by many people here.

> Has someone got any
> experience with vserver -> linux containers/lxc porting of virtual
> systems,

There is work needed to make lxc usable on pld. For example we don't have 
a template script for pld at this moment.

http://www.pld-linux.org/Docs/LXC also needs updates.

> Is lxc production ready on our kernels?

Well, LXC is in mainline, so our kernels equal linus kernels in this area. 
Should work.

> I've got issues with
> vservers on 3.0 kernels,

What issues?

> so I'm considering moving them to lxc.

I also have a long-term plan to migrate all my guests to lxc (to be able to use 
a kernel that's not patched with the invasive vserver patch).

> PS2. The question should have gone to the pld-uses-pl/en lists.

Look at first mail in this thread again.

-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/
