Subject Inheritance Question

Submit your RBAC policies or suggest policy improvements

Subject Inheritance Question

Postby tjh » Thu Dec 11, 2014 1:47 pm

Curious if this is a bug, or expected behaviour:

Code: Select all
# Role: root
subject /  {
        /
        /bin                            xri
*snip*


Having the "i" above there, overrides the next explicitly defined subject:

Code: Select all
# Role: root
subject /bin/bash o {
        /                               h
        /bin                            h


It took me a while to figure out why I'd suddenly broken my policy and why things were being logged as the default subject for root, not the /bin/bash subject:

Code: Select all
grsec: From 202.170.165.25: (root:U:/) denied access to hidden file /lib/i386-linux-gnu/i686/cmov by /bin/bash[bash:2010] uid/euid:0/0 gid/egid:0/0, parent /bin/su[su:2009] uid/euid:1000/0 gid/egid:0/0


So my question is - is this expected behaviour, a less specific subject with an inheritence rule will trump a specific subject rule?

(As soon as I removed the "i" from /bin on my default root subject I fixed my issue)
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: Subject Inheritance Question

Postby spender » Thu Dec 11, 2014 6:16 pm

Hi,

That's expected behavior -- there's no automatic object added to all subjects whenever you add a subject. You could have a subject that intentionally you only want one other subject to be able to transition to, so if you have only a /bin object, then that's what is going to match unless you explicitly add a /bin/bash object in your case.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Subject Inheritance Question

Postby tjh » Thu Dec 11, 2014 6:27 pm

Thanks Brad.
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm


Return to RBAC policy development