Gentoo Wiki


This article is part of the Security series.

This page is an attempt to show a comparison table of the main different access control solutions for Linux.

This table should show facts, not opinions, or give links to benchmarks.

Please keep objectivity and avoid "we are the best" claims; please also keep to simple facts. This is a comparison, not a review. We don't care how much more comprehensive one thing is than another: just add a row with how many syscalls are covered. If you want to write a review, go write one and link it.

| | RSBAC | grsecurity | SELinux | AppArmor | Smack |
|---|---|---|---|---|---|
| Full name | RuleSet Based Access Control | GetRewted Security | Security Enhanced Linux | AppArmor / SubDomain | Simplified Mandatory Access Control Kernel |
| Origins | German | American | Contributors | Immunix | |
| Developers | 5 active | 1 | Contributors | Suse, Ubuntu, Annvix | |
| Distributions inclusion as a standard feature | Hardened Gentoo, Adamantix, Mandriva, T2, Alt Linux | Hardened Gentoo, Hardened Linux From Scratch | Hardened Gentoo, Fedora Core, Red Hat Enterprise Linux, Debian | openSUSE, SLES, Pardus, Annvix, Ubuntu/Gutsy | |
| Distributions presence as patch or 3rd party support | Debian, Ubuntu, Fedora RPM available | Debian (source patch for kernel) | Debian, SuSE, Ubuntu | Ubuntu/Feisty, Slackware, Gentoo | |
| Company Support | MPrivacy | Various | NSA, RedHat, HP, IBM | Suse | |
| Current Stable | 2.6.x & 2.4.x | Mainline kernel 2.6, 2.4 support dropped | 2.6.x Mainline kernel | | Mainline kernel as of 2.6.25 |
| Development Process | Open, SVN View, Anonymous SVN, Git, Bugtracker, Live todo list, Live commits, IRC, Mailing-list | Open, anonymous CVS, IRC, mailing list, web forum | Open, in kernel, Git, sourceforge, mailing list | Open, openSUSE wiki | |
| Optimizations | Hashed list lookups O(1), ordered generic lists, attributes inheritance | Hashed lookups O(1) | Access Vector Cache O(1) | Access granted once, rechecked when rights change | |
| PaX Integration | Yes | Yes | No | No | |
| Exec-Shield Integration | No | No | Yes | No | |
| Hook Type | RSBAC + REG | GrSecurity | LSM | LSM | |
| Framework Logic | GFAC | N/A | Flask | | |
| Label Storage | rsbac.dat, filesystem independent | N/A | xattrs/metadata, filesystem dependent | internal-only; filesystem independent | |
| Inode Labeling | yes, but moving might change access because of inheritance (check effective attributes when inherited) | no, rename changes access | yes | no, rename changes access | yes |
| Supported Models (list) | MAC, RC, ACL, FF, UM, PM, DAZ, JAIL | RBAC, ACL | TE, RBAC, MLS, MCS | | |
| Additional Features | Secure delete, Process hiding, Filesystem hiding for files you have no access to, Symlink redirection, in-kernel user management, on-access virus scanning | Random IPID, Process hiding, Chroot restrictions, TPE, Symlink restrictions | User-space access vector cache | Sub-process confinement: can confine individual PHP pages, mod_perl scripts, and Tomcat servlets | |
| Policy Learning mode | Yes, built-in, only non-critical modules | Yes, built-in, extensive | Yes, external, audit2allow, polgen | Yes, initial policy generation and incremental policy updates | |
| Portability | Complete (never ported) | N/A | Complete. Ported to other kernels already | Available for x86, x86-64, IA64, POWER, zSeries, and ARM | |
| Patents | unknown | unknown | unknown, Type Enforcement (Expired) SCC Statement of assurance | unknown | |
| Evaluations | ULD EAL4+ (CyberGuard) | N/A | CAPP EAL4+ (Suse Linux), RHEL 5 | In progress for CAPP, RBAC, and LSPP at EAL4+ | |
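The "Inode Labeling" row is easier to see with a small model. This is an added, constructed example, not code from RSBAC, grsecurity, SELinux, AppArmor or Smack: a path-keyed rule, a label stored on the inode, and an attribute inherited from the parent directory are each checked before and after the same rename. The subject `httpd`, the labels `web_t`/`tmp_t` and the paths are made up.

```python
from dataclasses import dataclass
from typing import Optional
import posixpath

# Constructed toy model of three ways an access decision can be keyed.
# Nothing here is taken from a real LSM; labels and paths are invented.

@dataclass
class Inode:
    label: Optional[str] = None     # explicit attribute stored on the object

# Policy: httpd may read objects labelled web_t, or the one named path.
LABEL_RULES = {"httpd": {"web_t"}}
PATH_RULES = {"httpd": {"/srv/www/index.html"}}

def fresh_fs():
    # /srv/www carries web_t; the file itself has no attribute of its own
    # unless a model assigns one, so the inheritance model must walk up.
    return {"/": Inode(), "/srv": Inode(), "/srv/www": Inode("web_t"),
            "/srv/www/index.html": Inode(), "/tmp": Inode("tmp_t")}

def rename(fs, src, dst):
    fs[dst] = fs.pop(src)          # the inode, with any label on it, moves

def path_based(fs, subject, path):
    # grsecurity RBAC / AppArmor style: the rule names a path, not an object.
    return path in PATH_RULES[subject]

def inode_label(fs, subject, path):
    # SELinux / Smack style: the decision keys on the label on the inode.
    return fs[path].label in LABEL_RULES[subject]

def effective_label(fs, path):
    # RSBAC style: with no explicit attribute, use the nearest ancestor's.
    while fs[path].label is None and path != "/":
        path = posixpath.dirname(path)
    return fs[path].label

def inherited(fs, subject, path):
    return effective_label(fs, path) in LABEL_RULES[subject]

def rename_effect(check, explicit_file_label=None):
    """httpd's access before and after mv /srv/www/index.html /tmp/index.html."""
    fs = fresh_fs()
    if explicit_file_label:
        fs["/srv/www/index.html"].label = explicit_file_label
    before = check(fs, "httpd", "/srv/www/index.html")
    rename(fs, "/srv/www/index.html", "/tmp/index.html")
    after = check(fs, "httpd", "/tmp/index.html")
    return before, after

if __name__ == "__main__":
    print("path-based: ", rename_effect(path_based))             # (True, False)
    print("inode label:", rename_effect(inode_label, "web_t"))   # (True, True)
    print("inherited:  ", rename_effect(inherited))              # (True, False)
```

The third case is the caveat the table attaches to RSBAC: the label itself is not lost on rename, but an inherited effective attribute is recomputed from the new parent.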

Benchmarks (take them with a handful of salt):


Last modified: Tue, 22 Apr 2008 22:31:00 +0000 Hits: 22,397