Page 1 of 1

RBAC policy: template support?

PostPosted: Mon Jan 21, 2008 3:16 pm
by law
Just out of curiousity, is there any provision for some rudimentary kind of templating in creating RBAC roles? Ferinstance, I think it would be super-helpful if we could just define a variable of "valid usernames", and then create one role-template for them that is smart enough to understand stuff like "home directories" being /some/path/$valid_username/blargh, instead of having to be /some/path/hardcoded.username/blargh, repeated umpty-billion times (I won't even frighten you with the vast, ugly mess that is our current production policy file. Let's just say it's 1,952,621 lines, takes 20 minutes to reload, and leave it at that)

Is something like that already available in grsec, and I just haven't found it yet?


Re: RBAC policy: template support?

PostPosted: Wed Feb 13, 2008 6:11 pm
by spender
I've mentioned it many times on the forums already, but I very much doubt you need a policy of that size, if it's mostly due to the large number of users on the system. Using a combination of DAC with regular globbed RBAC rules should suit the needs of 99% of people. The only thing you can't get from this combination is making every other user's home directory hidden but the current user -- through DAC you can ensure that their directories can't be entered, however. The additional hiding restriction is mostly obfuscation anyways.