On mer., 2011-12-28 at 05:45 +0100, Carlos Alberto Lopez Perez wrote:
> What is the status of this? It has been a looong time since the last update.
Sorry for the delay. As the BTS doesn't automatically CC the submitter,
please keep me on CC: when replying to this bug.
For sid, I keep updating the kernels from time to time, you can see the
grsec-patches (against the sid svn branch) at
http://anonscm.debian.org/gitweb/ and binary packages can be found at
don't upload every built kernel there since it's a bit huge.
For squeeze, I'm a bit lagging but I should update both the relevant
branch in grsec-patches and the repository.
I don't give a status update each time I update the repositories in
order not to flood people, and I still hope for some positive answer from
the kernel team (until it's obvious it's too late for Wheezy).
> I am also interested in having a Debian kernel with the grsec+pax
> featureset and I am sure that many sysadmins would appreciate this
> possibility. There is a huge user base of grsec from hosting companies.
Thanks for the support.
> I agree that this RBAC thing may not be interesting for everybody given
> the fact that it duplicates some functionality (we already have SELinux
> and TOMOYO).
> So if you really feel so strong about removing this feature from the
> debian-grsec-kernel it can be easily done just by setting
> CONFIG_GRKERNSEC_NO_RBAC=y in the .config (there is no need to ask
> upstream to split the patch).
This was mostly about upstreaming things, in fact. But disabling an
option doesn't make the patch smaller.
> Anyway I think RBAC is a nice feature and it doesn't hurt: It's far easier
> to use than SELinux and we already have in Debian the user-space
> tools to work with it:
> CC'ing Laszlo Boszormenyi
> (maintainer of linux-patch-grsecurity2, paxctl and gradm2)
Note that linux-patch-grsecurity2 should really be removed now.
> I would like to see this moving forward, so I volunteer myself to help
> with the maintenance of this featureset.
Thanks for that