Hi all. I'm trying, for the first time, to set up a system with Grsecurity RBAC. I configured the kernel, installed grsecurity, et cetera, and now it is time to get into configuring the policy. I'm reading through a guide, but to be honest I'm still a bit vague on a lot of the basic concepts.

My question today: when grsecurity is enabled, what is the relationship between the permissions defined in the policy file, and the traditional Unix permissions set for the files and directories? Do Unix permissions apply until they are "trumped" in the policy?

If I control directory access through the grsecurity policy, does it matter what the traditional Unix permissions are? For example, if I have a complex hierarchy of directories, intended to be used by multiple groups with varying levels of permissions, should I just set all directories to root only access (in the traditional permissions) and then control actual access in the policy file?

[If anyone knows of any really good grsecurity/RBAC beginner-friendly tutorials, that would also be appreciated.]

That actually is something you could test yourself. If you run a DAC+MAC system (say SE Linux) then you would find MAC works on top of DAC, meaning if the underlying DAC permissions don't grant a user access to a resource then MAC shall not (can not) allow it. With RBAC only a users role matters, this explains it quicker: http://www.redhat.com/docs/en-US/Red...ec-rbac-intro1



GRSecurity isn't exactly renowned for it's extensive documentation but I'm sure that by looking at your generated profile and http://forums.grsecurity.net/viewforum.php?f=5 you can get what you want. Else try to post a detailed, specific question and maybe you get an answer here...

Here is the GRSecurity wiki for those interested:
http://en.wikibooks.org/wiki/Grsecurity

I have actually used the GRSecurity-patched kernel with Slackware 13.0 to learn about Mandatory Access Control.
It works fine. There is a learning curve. Some things to keep in mind:
1. Mandatory Access Control (MAC) is checked AFTER Discretionary Access Control (DAC), so if your file system permissions (User-Group-Other) do not allow access, that's the end of that. No access. If your file system permissions allow access, then the MAC system checks if access is allowed and proceeds accordingly. You should set the DAC permissions correctly first instead of relying on MAC to fix faulty permissions.
2. GRSecurity has a learning feature. You basically activate it by:
# gradm -F -L /etc/grsec/learning.logs
Then use your system as you normally would. When you have finished learning mode, create the policy by:
# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
You will probably have to do a little hand-editing, but it is not too bad and looking at the file itself gives you clues.
3. The enforcement mechanism is turned on after booting by:
# gradm -E
4. The enforcement mechanism is turned off when you want to shutdown by:
# gradm -D