Is this possible?

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Is this possible?

Postby roxer » Mon Feb 27, 2006 5:21 pm

I have read the documentation and am somewhat confused on how the acl role/subject/object heirarchy is used. I have installed the latest grsecurity patch, 2.1.8, with kernel 2.4.32 on a OpenNA linux system. I enabled the defaults per your quick start guide and started the full system learning mode to gather info for the RBAC policy file. My questions is:

I have several services that run on the server such as POP3, ftp, and websites that users access (standard LAMP server). When I ran the policy learning mode, it created sections for each user. Is there a way to make the acl apply to all users created instead of having to create roles for every user?

I attempted to do it by replacing one of the single user roles (role testguy u) that was created by the learning policy with a group (role ftpusers g) then deleting the other users roles. I did create a group called ftpusers and added the users to it. But when running the ftp client to access the server, I noticed that vsftpd tried to change to the UID of the users directory but was not allowed to. I looked at the blackadder policy listed on the forum to try and get some direction, but it obviously did not work. Is what I am trying to do even possible? Where do I need to go from here?
roxer
 
Posts: 1
Joined: Mon Feb 27, 2006 4:31 pm
Location: Yonder on some mountain

Return to RBAC policy development