RBAC startup and shutdown included in policy?

Posted: Sun Feb 07, 2010 11:48 am
by schmeggahead
I was interested in how people are generally enabling at start up and enabling at shutdown, and how much of that process is included in their RBAC policy statements.

What benefits do manual start up and shutdown provide to the security of the system?

Acquiring a startup policy is pretty straight forward by including /sbin/gradm -F -L /full.system.RBAC.log

How do you successfully acquire a learned shutdown policy?
Shutting down with RBAC learning enabled has not been successful for me.

Does including /sbin/gradm -L /full.system.RBAC.log -O /full.system.RBAC.roles work in the shutdown to get the full roles? (trying this now)

Just wondering if the additional access given to start up and shutdown reduces security.

Re: RBAC startup and shutdown included in policy?

Posted: Sat Mar 26, 2011 6:12 pm
by spender
Hi, good news! I've just finished writing up a feature that should prevent shutdown/reboot from being a hassle in RBAC.

The problem with using special roles for system shutdown was that the init task initiated the rc scripts, and the admin's shell would be terminated at some point during the shutdown causing special roles to be removed.
So here's how the new feature works:
A new mode was created for special roles: "R" -- this marks the special role as a persistent special role. This means that when the process that entered the special role exits, it doesn't trigger the resetting of roles using that special role. Since using this for the admin role is a security issue, I prevent you from making that mistake. The second part is that when a process in the role opens a file for writing which has a new flag "f" marked on it, then the privilege of the current role will be passed to the init process. This provides it with the privilege it needs to perform shutdown, without having to grant it for the entire lifetime of the system.

This is all already set up in the default policy. All you need to do is set up a password for the shutdown role. To reboot, it's just:
gradm -a shutdown
/sbin/reboot

The diff is at http://grsecurity.net/~spender/shutdown_feature.diff and is in the 2.6.38.1 2.2.2 patch I just uploaded. I'll be backporting it to 2.6.32 this weekend.

-Brad
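As an added illustration of the mechanism Brad describes, here is a constructed policy fragment; it is not the shipped grsecurity default policy, which should be taken from the gradm distribution. The `shutdown` role name, the `s` and `R` role modes and the `f` object flag come from the post; the subject layout, the capability lines and the trigger path (`/var/log/wtmp`, chosen because `reboot` writes a wtmp record) are assumptions made here for illustration only:

```conf
# Constructed example, not the grsecurity default policy.
#
# "s" marks a special role (entered with "gradm -a shutdown").
# "R" marks it persistent: when the shell that entered the role is killed
# during the rc shutdown scripts, the role is NOT reset.  Per the post,
# gradm refuses to combine "R" with the admin mode "A".
role shutdown sR
subject / rvka
	/			h
	/dev			h
	/dev/null		rw
	/etc			r
	/bin			rx
	/sbin			rx
	/lib			rx
	/lib64			rx
	/usr			rx
	/proc			r
	# Assumed trigger object (path chosen for this example): "f" hands the
	# role's privilege to init once a process in this role opens the file
	# for writing, so init only gains shutdown privilege at that moment
	# rather than for the whole lifetime of the system.  Keep the "f" flag
	# on the narrowest path that the shutdown tools actually write.
	/var/log/wtmp		wf
	-CAP_ALL
	+CAP_SYS_BOOT
	+CAP_KILL

# Under the existing "role default" block, the transition must be allowed:
#	role_transitions shutdown
```

The persistent role plus the `f` trigger is what removes the need for a separate all-allowed `/sbin/init` subject: init inherits the privilege only when a role member writes the flagged object. A reviewer of such a policy would check that the `f`-flagged object is one that only the shutdown tools write, since any write to it by a process in the role performs the transfer.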

Re: RBAC startup and shutdown included in policy?

Posted: Fri May 20, 2011 7:35 am
by Serje
Thank you, Spender!
It's a very useful feature, I'll take it :)
Serje Frindle.
---------------
google android development

Re: RBAC startup and shutdown included in policy?

Posted: Fri Sep 09, 2011 2:31 pm
by Undine
spender wrote: This is all already set up in the default policy. All you need to do is set up a password for the shutdown role. To reboot, it's just:
gradm -a shutdown
/sbin/reboot
-Brad

Do I also need /sbin/init and the other all-allowed binary subjects from the example policy included with gradm?

I also found that it is too hard to do an automatic system shutdown, which is painful at certain moments :-) This is not necessary for my desktop, for example (I often use the hibernation feature), but sometimes it is important for servers. Perhaps I need to set up exceptions for init, scripts and other shutdown utilities if I want to implement that.