RBAC startup and shutdown included in policy?


Do you disable RBAC automatically during shutdown and automatically during startup? (choose 2)

Poll ended at Tue Mar 09, 2010 11:48 am

start up system and enable manually /sbin/gradm -E: 1 vote (50%)
start up system enabling in local.start: 0 votes
start up system with separate init script: 0 votes
shutdown system with RBAC active: 1 vote (50%)
shutdown system after manually stopping RBAC /sbin/gradm -D: 0 votes
shutdown system disabling RBAC in local.stop: 0 votes
shutdown system disabling RBAC in own initscript: 0 votes

Total votes: 2

Post by schmeggahead » Sun Feb 07, 2010 11:48 am

I was interested in how people are generally enabling at start up and enabling at shutdown, and how much of that process is included in their RBAC policy statements.

What benefits are manual start up and shutdown to the security of the system?

Acquiring a startup policy is pretty straightforward by including /sbin/gradm -F -L /full.system.RBAC.log

How do you successfully acquire a learned shutdown policy?
Shutting down with RBAC learning enabled has not been successful for me.

Does including /sbin/gradm -L /full.system.RBAC.log -O /full.system.RBAC.roles work in the shutdown to get the full roles? (trying this now)

Just wondering if the additional access given to start up and shutdown reduces security.

Re: RBAC startup and shutdown included in policy?

Post by spender » Sat Mar 26, 2011 6:12 pm

Hi, good news! I've just finished writing up a feature that should prevent shutdown/reboot from being a hassle in RBAC.

The problem with using special roles for system shutdown was that the init task initiated the rc scripts, and the admin's shell would be terminated at some point during the shutdown causing special roles to be removed.
So here's how the new feature works:
A new mode was created for special roles: "R" -- this marks the special role as a persistent special role. This means that when the process that entered the special role exits, it doesn't trigger the resetting of roles using that special role. Since using this for the admin role is a security issue, I prevent you from making that mistake. The second part is that when a process in the role opens a file for writing which has a new flag "f" marked on it, then the privilege of the current role will be passed to the init process. This provides it with the privilege it needs to perform shutdown, without having to grant it for the entire lifetime of the system.

This is all already set up in the default policy. All you need to do is set up a password for the shutdown role. To reboot, it's just:
gradm -a shutdown
/sbin/reboot

The diff is at http://grsecurity.net/~spender/shutdown_feature.diff and is in the 2.6.38.1 2.2.2 patch I just uploaded. I'll be backporting it to 2.6.32 this weekend.

-Brad

Re: RBAC startup and shutdown included in policy?

Post by Serje » Fri May 20, 2011 7:35 am

Thank you, Spender!
It's a very useful feature, I'll take it :)
Serje Frindle.

Re: RBAC startup and shutdown included in policy?

Post by Undine » Fri Sep 09, 2011 2:31 pm

spender wrote: This is all already set up in the default policy. All you need to do is set up a password for the shutdown role. To reboot, it's just:
gradm -a shutdown
/sbin/reboot
-Brad

Do I also need /sbin/init and the other all-allowed binary subjects from the example policy included with gradm?

I also found that it is too hard to do an automatic system shutdown, which is somewhat painful at certain moments :-) This is not necessary for my desktop, for example (I often use the hibernation feature), but sometimes it is important for servers. Perhaps I need to set up exceptions for init, scripts and other shutdown utils if I want to implement that.