grsecurity forums

[ominor]

hi everybody ,
I;m new to grsecurity. In my system the each user has its own group e.g user1:user1 ... how it is possible to make an rbac policy to restrict their access out of their home dirs ?

[brant]

What do you mean? You want to restrict users so they only have access to his or her home directory?

Will they still have access to system-wide binaries, man pages, and libraries?

Here's a skeleton role as an example (of course, your paths may vary):

Code: Select all

role username u

subject / {

/ h

/etc h
/etc/grsec h
/etc/localtime r

/usr h
/sbin h
/usr/sbin h
/usr/local/sbin h

/proc
/proc/kcore h
/proc/bus h

/dev
/dev/mem h
/dev/port h
/dev/kmem h
/dev/grsec h
/dev/vc
/dev/vc/*
/dev/urandom

/tmp
/tmp rwcd

/bin x
/usr/bin x
/usr/local/bin x

/lib x
/usr/lib x

/usr/local/share/man
/usr/local/share/man/whatis r

/var

/home h
/home/username rwxcd

-CAP_ALL
bind disabled
connect disabled

}


I'm not entirely if this is the droid you're looking for, but this role allows execution of shared binaries and libraries without allowing read access to /bin, /usr/bin, etc. Users can also execute code within his or her home dir. From here, you can enable RBAC and watch the system logs for denials. If something gets denied that shouldn't be, look at how to add it to the policy/role.