ok then 2.0 is out but...

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

ok then 2.0 is out but...

Postby buzzzo » Sat Apr 17, 2004 10:44 am

Will the 1.9.x release still be available with future kernel releases... or is it
dead?

thx & bye
buzzzo
 
Posts: 6
Joined: Tue Feb 18, 2003 12:41 pm

Re: ok then 2.0 is out but...

Postby hightower » Sat Apr 17, 2004 11:37 am

buzzzo wrote: Will the 1.9.x release still be available with future kernel releases... or is it
dead?


1.9.x will be deleted within the next few months. Brad will probably fix important bugs, but yes, it'll be dead soon. Whether there will be another one for 2.4.27 depends on when 2.4.27 becomes available ;)

Anyway, you all should move to grsec2.

ciao, Marc
hightower
 
Posts: 49
Joined: Wed Mar 06, 2002 11:36 am
Location: Germany

Postby buzzzo » Sat Apr 17, 2004 1:56 pm

Mmmm... probably this is not good for whoever has a lot of grsec 1.9.x in production... anyway, the full learning mode of 2.0 seems very good...

The lack of ACL 2.0 docs is, I think, the biggest problem for those (like me) who have
written 1.9.x ACLs.

Thx and Ciao.
buzzzo
 
Posts: 6
Joined: Tue Feb 18, 2003 12:41 pm

Postby systemv » Sun Apr 18, 2004 11:48 am

Does my 1.9.x config work on 2.0 without modification?
systemv
 
Posts: 2
Joined: Sun Apr 18, 2004 11:46 am

Postby spender » Sun Apr 18, 2004 2:38 pm

It will work with very minimal modifications. To convert your 1.9 ACL to a 2.0 ruleset, follow these rules:

add an admin role at the top of /etc/grsec/acl:

Code:
role admin sA
subject / r
           / rwcdmxi


Then add a default role, which will encompass all your 1.9 subjects:

Code:
role default G
role_transitions admin


In 2.0, the { }'s enclosing the object definitions are not necessary, but "subject" needs to come before the pathname for the subject.
So a subject would look like:

Code:
subject /bin/su
           /tmp/blah rw
           +CAP_SETUID


You also don't group together connect and bind rules with { }'s. They are now done with one connect or bind rule per line, like so:

Code:
connect 192.168.1.0/24:22 stream tcp
connect 192.168.2.0/24:20-21 stream tcp
bind    0.0.0.0 stream dgram tcp udp


Additionally, since grsecurity 2.0 supports more fine-grained object permissions, if a process needs to create a file, then the object needs "c" added to its object mode in addition to "w". If a process needs to delete a file, then the object needs "d" added to its object mode in addition to "w".

That's all there is to it. Except for the creation/deletion it's just formatting changes.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby olrick » Tue Apr 20, 2004 9:22 am

I followed the rules you gave to convert my 1.9 ACL into the 2.0 format and it didn't work.
As soon as I enable grsec with gradm -E my CPU reaches 100% and I get these messages in syslog:
Code:
kernel: Cannot read proc file system: 1 - Operation not permitted.
last message repeated 152695 times

I tried with the default "acl" file that comes with the gradm installation, but it gives exactly the same problem.
Any idea?
Thanks a lot.
Regards
olrick
 
Posts: 1
Joined: Tue Apr 20, 2004 9:14 am
