How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Spender repeatedly spouts the false dichotomy that its either GRSecurity or SELinux. Lets clear something up right now. SELinux is an access control model. GRSecurity is a set of security enhancements to a bunch of places in the kernel including kernel memory protections using PaX. GRSecurity also includes their own access control model in the form of RBAC (Rule Based Access Control) where they have their own learning mode. The parts that you should compare SELinux and GRSecurity to are SELinux and GRSecurity RBAC. We in the SELinux community do not claim to do any sort of kernel level exploit mitigation and we never have. The best we could ever do is make policies that restrict avenues of attack for kernel exploits but we do not do anything to mitigate damage at a kernel level. As spender has pointed out the default policies for Fedora are very permissive because they have traded off some usability for strict security. We have people who use much stricter policies which restrict far more but those are in applications where the need for security far exceeds the need for usability. Those deployments are where the machine in question is acting mostly as an appliance which will never be interacted with directly.

All that being said Spender and PaXTeam do tons of great work. I would love to see a lot of their code merged into mainline but the likelyhood of that happening isn't very good. If you use a Hardened Gentoo kernel you'll actually get a kernel with PaX protections with some GRSecurity features and SELinux enabled which I think is an awesome thing. As Spender showcased above he does not play politics or suffer fools. What he doesn't seem to care about is that most of the kernel inclusion process is politics. We've seen it before with competing implementations of features where the person in the "in crowd" got their implementation chosen over someone who had been working on the problem for a very long time with a large user base. That coupled with a hostile attitude from upstream about security (Linus has repeatedly called security people crazy, Spender and SELinux people included) makes it hard to dedicate time to working on getting things upstreamed.