
policy permit all

Posted: Mon Mar 04, 2013 10:41 am
by ujaku
Hi all,

Is there a way to write a policy to permit ALL (I mean read, write and exec, like without grsec enabled) and restrict only a few objects?

Thank you,
regards.

Re: policy permit all

Posted: Mon Mar 04, 2013 7:26 pm
by spender
This isn't a supported use of grsecurity's RBAC system, as nearly any usage that attempts to prevent access to only a small number of files without the base policy enforced by RBAC is just an exercise in feel-good security with no true benefit. If you want to do this, you'll need to comment out code in gradm_analyze.c, but you're on your own from there.

-Brad

Re: policy permit all

Posted: Tue Mar 05, 2013 6:32 am
by ujaku
spender wrote: This isn't a supported use of grsecurity's RBAC system, as nearly any usage that attempts to prevent access to only a small number of files without the base policy enforced by RBAC is just an exercise in feel-good security with no true benefit. If you want to do this, you'll need to comment out code in gradm_analyze.c, but you're on your own from there.


Thank you Brad,

Figured it was useless; I will try to configure each object. I've tried the autolearn function, but it makes me feel like I'm losing "control" over the policy configuration... isn't it?

-Ujaku

Re: policy permit all

Posted: Tue Mar 05, 2013 8:31 am
by spender
You don't lose control. You can tweak the resulting policy however you wish. You can even configure the learning with /etc/grsec/learn_config so that it generates policies around your specific interests (e.g. listing some sensitive files that you don't want unprivileged processes to be able to access). The generated policies will still be easy to read (split_roles will make it even easier) and should make intuitive sense.

-Brad

Re: policy permit all

Posted: Sat May 17, 2014 4:03 am
by Reene
spender wrote: This isn't a supported use of grsecurity's RBAC system, as nearly any usage that attempts to prevent access to only a small number of files without the base policy enforced by RBAC is just an exercise in feel-good security with no true benefit. If you want to do this, you'll need to comment out code in gradm_analyze.c, but you're on your own from there.

-Brad

I've been trying to do this as well on Hardened Gentoo. Although I know that it's always better to use default-deny for MACs, my computer is a general purpose desktop with games, work applications, and full KDE installed. I fear that even with learning mode, there is no possible way I could confine every single one of my programs, but log into the root role and then the admin role when I have to run something as simple as 'sudo rvim /etc/someconfig.conf'. For example, I have ~10,000 files in my games directory (not all separate games of course), and to have the policy deal with anywhere near that many files for games alone is overwhelming. I have ~900 packages installed according to portage (mostly dependencies luckily), and to think that I'd need around that much is a scary concept.

What I thought I'd do is allow everything and, at first, only confine the most at-risk applications, like web browsers, wine, portage, and the various applications which may have to access and use untrusted files from the internet (e.g. pdf viewers, image viewers, media player, etc.), and important system programs like cron. As time goes on and I get more time to tinker with things, I could gradually create more policies, starting with the highest priority and eventually going down to confining things which otherwise I would never expect could be at risk of compromise. If I were able to create a very relaxed policy for / which allowed me to confine specific applications, I'd benefit more from RBAC than if it were too difficult to use on an ever-changing desktop and I were forced to go back to AppArmor. I would, of course, try to set the goal of confining everything I can, but at this point it's simply too much for my usage because I can't predict what files a program will need to access, and I can't simulate every possibility for system learning.

Is there a solution to this that I'm missing that allows me to get at least some security benefit?

Re: policy permit all

Posted: Tue May 20, 2014 8:38 am
by KDE
SELinux supports targeted policy, which should be better than disabled RBAC on desktop.