RBAC full learning and debian unattended upgrades

Postby jbromley » Tue Mar 07, 2017 6:19 am

The manual says to avoid any administrative tasks while RBAC full system learning is turned on.

Does anybody know if this applies to automatic upgrading of installed software via Debian's unattended-upgrades?

If so, can anybody offer a set of sensible defaults to add to the RBAC profile after learning is complete, so as to allow unattended upgrades without granting excessive privileges to other cron jobs? Or any options that can be provided to the system learning stage that will allow successful profiling of unattended-upgrades?

Many thanks!
jbromley
 
Posts: 1
Joined: Tue Mar 07, 2017 6:13 am

Re: RBAC full learning and debian unattended upgrades

Postby spender » Tue Mar 07, 2017 8:16 am

It's not a good idea to allow unattended upgrades -- the reason being that you can't know ahead of time what new permissions might be needed or what new libraries might be involved, so you need to be overly-permissive. Further, often the upgrade scripts will restart existing services. If you were to do something like adding an 'inherit-learn' rule to learn_config for the unattended upgrade cron script, then any restarted service would end up with the overly-permissive inherited subject for their entire lifetime. This is in contrast to the admin role (and other special roles) where once that role is exited via a shell exit or explicit unauth via gradm -u, all processes/restarted services/etc return to their original locked-down policy.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

