RBAC policy help

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

RBAC policy help

Postby ominor » Fri Jun 01, 2007 9:52 pm

hi everybody ,
I;m new to grsecurity. In my system the each user has its own group e.g user1:user1 ... how it is possible to make an rbac policy to restrict their access out of their home dirs ?
ominor
 
Posts: 1
Joined: Fri Jun 01, 2007 9:49 pm

Postby brant » Sat Aug 25, 2007 12:42 pm

What do you mean? You want to restrict users so they only have access to his or her home directory?

Will they still have access to system-wide binaries, man pages, and libraries?

Here's a skeleton role as an example (of course, your paths may vary):

Code: Select all
role username u

subject / {

/ h

/etc h
/etc/grsec h
/etc/localtime r

/usr h
/sbin h
/usr/sbin h
/usr/local/sbin h

/proc
/proc/kcore h
/proc/bus h

/dev
/dev/mem h
/dev/port h
/dev/kmem h
/dev/grsec h
/dev/vc
/dev/vc/*
/dev/urandom

/tmp
/tmp rwcd

/bin x
/usr/bin x
/usr/local/bin x

/lib x
/usr/lib x

/usr/local/share/man
/usr/local/share/man/whatis r

/var

/home h
/home/username rwxcd

-CAP_ALL
bind disabled
connect disabled

}


I'm not entirely if this is the droid you're looking for, but this role allows execution of shared binaries and libraries without allowing read access to /bin, /usr/bin, etc. Users can also execute code within his or her home dir. From here, you can enable RBAC and watch the system logs for denials. If something gets denied that shouldn't be, look at how to add it to the policy/role.
brant
 
Posts: 9
Joined: Fri Feb 03, 2006 2:35 am
Location: earth, sol


Return to RBAC policy development

cron