RBAC Policy for Home Dir Access

Posted: Fri Dec 19, 2014 2:05 pm
by tjh
Hi,

I'm attempting to write an RBAC policy for my system with ~10 odd users.

It's a mail system mostly. Mail comes in, is handed to procmail and procmail writes the mail out to /home/<username>/Maildir/

I'm trying to figure out how to have one rule that covers all users to allow for this case.

At the moment, full learning has given me a bunch of Roles, each with

subject /usr/bin/procmail o {
user_transition_allow the_user root nobody
group_transition_allow the_user mail nogroup

        /                               h
        /dev
        /dev/grsec                      h
        /dev/kmem                       h
        /dev/log                        h
        /dev/mem                        h
        /dev/null                       a
        /dev/port                       h
        /etc                            h
        /etc/group                      r
        /etc/ld.so.cache                r
        /etc/nsswitch.conf              r
        /etc/passwd                     r
        /etc/procmailrc                 r
        /home                           h
        /home/the_user
        /home/the_user/.procmailrc      r
        /home/the_user/Maildir          wcdl
}


Is there a way I can do something like:

domain mailusers user1 user2 user3 user4 user...
subject /usr/bin/procmail o {
user_transition_allow the_user root nobody
group_transition_allow the_user mail nogroup

        /                               h
        /dev
        /dev/grsec                      h
        /dev/kmem                       h
        /dev/log                        h
        /dev/mem                        h
        /dev/null                       a
        /dev/port                       h
        /etc                            h
        /etc/group                      r
        /etc/ld.so.cache                r
        /etc/nsswitch.conf              r
        /etc/passwd                     r
        /etc/procmailrc                 r
        /home                           h
        /home/$user
        /home/$user/.procmailrc         r
        /home/$user/Maildir             wcdl
}


Having read the Wikibook, I don't think there is?
My options appear to be let procmail have write access to everything under /home, or have individual policies for each user.

Does anyone have a more optimal solution?

Thanks!

Re: RBAC Policy for Home Dir Access

Posted: Tue Dec 23, 2014 9:20 am
by spender
Why not just use /home/*/whatever? DAC should take care of the rest.

-Brad
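
As an added example (not from the thread or the grsecurity project), a POSIX shell audit of the DAC side of this answer: once the RBAC object is widened to /home/*/Maildir, procmail may write under every home, so isolation between users rests on each Maildir being owned by the user whose home it sits in and not being group/world writable. It assumes GNU coreutils stat(1) and takes the home root as a parameter so it can be run against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the thread: audit the DAC assumptions behind a
# wildcard RBAC object such as "/home/*/Maildir wcdl" for procmail.
# RBAC lets procmail write under every home; what keeps one user's mail out
# of another user's Maildir is ordinary ownership and mode bits, so check them.
# Assumes GNU coreutils stat(1). Usage: audit_maildirs [home_root]

audit_maildirs() {
    root="${1:-/home}"
    rc=0
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        md="$home/Maildir"
        [ -d "$md" ] || continue          # no Maildir yet: nothing to check
        user=$(basename "$home")
        owner=$(stat -c '%U' "$md")
        mode=$(stat -c '%a' "$md")        # e.g. 700, 755, 775
        # The directory must belong to the user whose home it sits in.
        if [ "$owner" != "$user" ]; then
            echo "BAD: $md owned by $owner, expected $user"
            rc=1
        fi
        # Group/other write bits (octal 022) would let other local users
        # plant or remove mail regardless of what the RBAC object allows.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD: $md mode $mode is group/world writable"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the real tree: AUDIT_RUN=1 ./audit.sh [/home]
if [ "${AUDIT_RUN:-0}" = 1 ]; then
    audit_maildirs "${1:-/home}"
fi
```

The function exits non-zero as soon as any Maildir fails either check, so it can be dropped into a cron job or a post-useradd hook.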

Re: RBAC Policy for Home Dir Access

Posted: Tue Dec 23, 2014 8:21 pm
by tjh
Hi Brad,

Thanks for the reply - this was the solution I came up with, yeah.

Makes sense :)

Thanks,
tjh