Subject Inheritance Question

PostPosted: Thu Dec 11, 2014 1:47 pm
by tjh
Curious if this is a bug, or expected behaviour:

# Role: root
subject /  {
        /
        /bin                            xri
*snip*


Having the "i" above there overrides the next explicitly defined subject:

# Role: root
subject /bin/bash o {
        /                               h
        /bin                            h


It took me a while to figure out why I'd suddenly broken my policy and why things were being logged as the default subject for root, not the /bin/bash subject:

grsec: From 202.170.165.25: (root:U:/) denied access to hidden file /lib/i386-linux-gnu/i686/cmov by /bin/bash[bash:2010] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:2009] uid/euid:1000/0 gid/egid:0/0


So my question is - is this expected behaviour, that a less specific subject with an inheritance rule will trump a specific subject rule?

(As soon as I removed the "i" from /bin on my default root subject I fixed my issue)

Re: Subject Inheritance Question

PostPosted: Thu Dec 11, 2014 6:16 pm
by spender
Hi,

That's expected behavior -- there's no automatic object added to all subjects whenever you add a subject. You could have a subject that intentionally you only want one other subject to be able to transition to, so if you have only a /bin object, then that's what is going to match unless you explicitly add a /bin/bash object in your case.

-Brad
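The fix Brad describes, written out as a policy fragment. This is an added illustration, not code from the thread or from the grsecurity documentation; the object flags on the new line are an assumption, and the rest of each subject's objects are omitted.

```text
# Role: root
subject /  {
        /
        /bin                            xri
        # Added: an explicit object for the binary that has its own subject.
        # The more specific path (/bin/bash) matches before /bin, and because
        # this object carries no "i" flag the process is not kept in the "/"
        # subject but transitions to the /bin/bash subject below.
        # (Flags here are an assumption for illustration.)
        /bin/bash                       x
        # ... remaining objects of the default root subject
}

# Role: root
subject /bin/bash o {
        /                               h
        /bin                            h
        # ... remaining objects of the /bin/bash subject
}
```

With only the `/bin xri` object present, denials for a bash process are logged against the default subject, as in the `(root:U:/)` entry above; with the explicit `/bin/bash` object they are logged against `/bin/bash` instead.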

Re: Subject Inheritance Question

PostPosted: Thu Dec 11, 2014 6:27 pm
by tjh
Thanks Brad.