policy permit all


Post by ujaku » Mon Mar 04, 2013 10:41 am

Hi all,

Is there a way to write a policy to permit ALL (I mean read, write and exec, like without grsec enabled) and restrict only a few objects?

Thank you,
regards.
ujaku
 
Posts: 3
Joined: Wed Jan 11, 2012 12:13 pm

Re: policy permit all

Post by spender » Mon Mar 04, 2013 7:26 pm

This isn't a supported use of grsecurity's RBAC system, as nearly any usage that attempts to prevent access to only a small number of files without the base policy enforced by RBAC is just an exercise in feel-good security with no true benefit. If you want to do this, you'll need to comment out code in gradm_analyze.c, but you're on your own from there.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: policy permit all

Post by ujaku » Tue Mar 05, 2013 6:32 am

spender wrote: This isn't a supported use of grsecurity's RBAC system, as nearly any usage that attempts to prevent access to only a small number of files without the base policy enforced by RBAC is just an exercise in feel-good security with no true benefit. If you want to do this, you'll need to comment out code in gradm_analyze.c, but you're on your own from there.


Thank you Brad,

I figured it was useless; I will try to configure each object. I've tried the autolearn function, but it makes me feel like I'm losing "control" over the policy configuration... isn't it?

-Ujaku
ujaku
 
Posts: 3
Joined: Wed Jan 11, 2012 12:13 pm

Re: policy permit all

Post by spender » Tue Mar 05, 2013 8:31 am

You don't lose control. You can tweak the resulting policy however you wish. You can even configure the learning with /etc/grsec/learn_config so that it generates policies around your specific interests (e.g. listing some sensitive files that you don't want unprivileged processes to be able to access). The generated policies will still be easy to read (split_roles will make it even easier) and should make intuitive sense.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
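
The learning configuration described in the post above, sketched as an added example (not part of the original thread and not grsecurity's shipped file). The directive names are assumed to match gradm's stock learn_config and should be checked against the installed file; every path listed is constructed for illustration.

```conf
# /etc/grsec/learn_config fragment (added example; all paths are constructed)

# The post calls this split_roles; the hyphenated spelling is an assumption.
# It is the option the post says makes the generated policy easier to read.
split-roles

# Sensitive files that unprivileged processes should not be able to access.
# Listing them here tells the learning pass to build the policy around them
# rather than granting whatever access happened to occur while learning.
high-protected-path /etc/shadow
high-protected-path /etc/ssh
high-protected-path /home/alice/.gnupg
high-protected-path /srv/backup/keys

# Less critical paths that should still stand out in the result: a process
# that modifies one of these is given its own subject, so the access is
# visible when the generated policy is reviewed and tweaked by hand.
protected-path /etc/cron.d
protected-path /usr/local/bin

# Workflow once this file is edited (gradm full-learning commands):
#   gradm -F -L /etc/grsec/learning.logs                       # start learning
#   gradm -D                                                   # stop RBAC
#   gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy  # generate
# The file written by -O is plain text and can be edited before gradm -E.
```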

Re: policy permit all

Post by Reene » Sat May 17, 2014 4:03 am

spender wrote: This isn't a supported use of grsecurity's RBAC system, as nearly any usage that attempts to prevent access to only a small number of files without the base policy enforced by RBAC is just an exercise in feel-good security with no true benefit. If you want to do this, you'll need to comment out code in gradm_analyze.c, but you're on your own from there.

-Brad

I've been trying to do this as well on Hardened Gentoo. Although I know that it's always better to use default-deny for MACs, my computer is a general purpose desktop with games, work applications, and full KDE installed. I fear that even with learning mode, there is no possible way I could confine every single one of my programs, but log into the root role and then the admin role when I have to run something as simple as 'sudo rvim /etc/someconfig.conf'. For example, I have ~10,000 files in my games directory (not all separate games of course), and to have the policy deal with anywhere near that many files for games alone is overwhelming. I have ~900 packages installed according to portage (mostly dependencies luckily), and to think that I'd need around that much is a scary concept.

What I thought I'd do is allow everything and, at first, only confine the most at-risk applications, like web browsers, wine, portage, and the various applications which may have to access and use untrusted files from the internet (e.g. pdf viewers, image viewers, media player, etc.), and important system programs like cron. As time goes on and I get more time to tinker with things, I could gradually create more policies, starting with the highest priority and eventually going down to confining things which otherwise I would never expect could be at risk of compromise. If I were able to create a very relaxed policy for / which allowed me to confine specific applications, I'd benefit more from RBAC than if it were too difficult to use on an ever-changing desktop and I were forced to go back to AppArmor. I would, of course, try to set the goal of confining everything I can, but at this point it's simply too much for my usage because I can't predict what files a program will need to access, and I can't simulate every possibility for system learning.

Is there a solution to this that I'm missing that allows me to get at least some security benefit?
Reene
 
Posts: 1
Joined: Sat May 17, 2014 3:30 am

Re: policy permit all

Post by KDE » Tue May 20, 2014 8:38 am

SELinux supports targeted policy, which should be better than disabled RBAC on desktop.
KDE
 
Posts: 57
Joined: Sat Feb 09, 2008 5:29 am

