In addition to Grsecurity + PAX you can use SELinux. It's main purpose
is to separate daemons and minimize privilege escalation in case of
buggy daemon. Each daemon has defined role - set of operations it can do
(for example files access, network, capabilities etc.). When someone
breaks into such daemon he can do only operations allowed in this
daemon's role.

There is "Reference policy" - standard policy to be used on SELinux
systems. I have one server with it and there are no problems. Most
commonly used daemons have good policies. Desktop applications have
worse policies, but it shouldn't bother you.

Regards,
Marek Wróbel
-- 
[email protected] mailing list

Reply via email to