LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-08-2010, 06:01 PM   #1
CoderMan
Member
 
Registered: Jan 2009
Location: Gemini Capsule 25164
Distribution: Gentoo
Posts: 375
Blog Entries: 24

Rep: Reputation: 43
Grsecurity/RBAC access control


Hi all. I'm trying, for the first time, to set up a system with Grsecurity RBAC. I configured the kernel, installed grsecurity, et cetera, and now it is time to get into configuring the policy. I'm reading through a guide, but to be honest I'm still a bit vague on a lot of the basic concepts.

My question today: when grsecurity is enabled, what is the relationship between the permissions defined in the policy file, and the traditional Unix permissions set for the files and directories? Do Unix permissions apply until they are "trumped" in the policy?

If I control directory access through the grsecurity policy, does it matter what the traditional Unix permissions are? For example, if I have a complex hierarchy of directories, intended to be used by multiple groups with varying levels of permissions, should I just set all directories to root only access (in the traditional permissions) and then control actual access in the policy file?

[If anyone knows of any really good grsecurity/RBAC beginner-friendly tutorials, that would also be appreciated.]
 
Old 04-09-2010, 12:37 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
Quote:
Originally Posted by CoderMan View Post
when grsecurity is enabled, what is the relationship between the permissions defined in the policy file, and the traditional Unix permissions set for the files and directories? Do Unix permissions apply until they are "trumped" in the policy?
That actually is something you could test yourself. If you run a DAC+MAC system (say SE Linux) then you would find MAC works on top of DAC, meaning if the underlying DAC permissions don't grant a user access to a resource then MAC shall not (can not) allow it. With RBAC only a users role matters, this explains it quicker: http://www.redhat.com/docs/en-US/Red...ec-rbac-intro1



Quote:
Originally Posted by CoderMan View Post
If anyone knows of any really good grsecurity/RBAC beginner-friendly tutorials, that would also be appreciated.
GRSecurity isn't exactly renowned for it's extensive documentation but I'm sure that by looking at your generated profile and http://forums.grsecurity.net/viewforum.php?f=5 you can get what you want. Else try to post a detailed, specific question and maybe you get an answer here...
 
Old 06-07-2010, 05:13 PM   #3
arniekat
LQ Newbie
 
Registered: Oct 2008
Location: Round Rock, TX
Distribution: Slackware 14.2
Posts: 18
Blog Entries: 66

Rep: Reputation: 6
Here is the GRSecurity wiki for those interested:
http://en.wikibooks.org/wiki/Grsecurity

I have actually used the GRSecurity-patched kernel with Slackware 13.0 to learn about Mandatory Access Control.
It works fine. There is a learning curve. Some things to keep in mind:
1. Mandatory Access Control (MAC) is checked AFTER Discretionary Access Control (DAC), so if your file system permissions (User-Group-Other) do not allow access, that's the end of that. No access. If your file system permissions allow access, then the MAC system checks if access is allowed and proceeds accordingly. You should set the DAC permissions correctly first instead of relying on MAC to fix faulty permissions.
2. GRSecurity has a learning feature. You basically activate it by:
# gradm -F -L /etc/grsec/learning.logs
Then use your system as you normally would. When you have finished learning mode, create the policy by:
# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
You will probably have to do a little hand-editing, but it is not too bad and looking at the file itself gives you clues.
3. The enforcement mechanism is turned on after booting by:
# gradm -E
4. The enforcement mechanism is turned off when you want to shutdown by:
# gradm -D
 
Old 01-29-2012, 09:30 PM   #4
the_guv
LQ Newbie
 
Registered: Jul 2009
Location: valencia & london
Distribution: jaunty desktop & heron server
Posts: 8

Rep: Reputation: 2
http://judepereira.com/blog/playing-...brief-tutorial
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
RBAC related question.. saagar Solaris / OpenSolaris 2 07-20-2009 10:06 PM
Access control with access.conf file custangro Linux - Enterprise 4 06-02-2009 12:22 PM
Grsecurity RBAC: rule for ssh problem gani Linux - Security 1 01-12-2007 08:16 AM
rbac not OK AbrahamJose Solaris / OpenSolaris 4 11-20-2006 11:27 PM
Rbac linuxtesting2 Solaris / OpenSolaris 1 08-23-2006 05:57 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:47 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration