Newbie ACL parent question

Postby asok » Thu Sep 12, 2002 1:53 pm

I am very new to grsecurity, so sorry if this is a stupid question.

Is there any way to create an ACL that says that a certain subject (let's say /bin/touch) can write to a certain object (let's say /var/tmp/timestamp) only if the subject's parent is a certain other subject (let's say /usr/bin/cleverscript)?

If I understand correctly, something like
/usr/bin/cleverscript {
....
/bin/touch rxi
/var/tmp/timestamp w
....
}
is not the correct solution for me, because in this case /bin/touch may inherit several other ACLs (e.g. /usr/bin/cleverscript might have CAP_SYS_RAWIO :wink:, which I might not wish /bin/touch to inherit).

Anyway, I am starting to really enjoy grsecurity, inheritance and the learning mode are great. RBAC would be nice however...

Thanks in advance,
Akos

Postby spender » Thu Sep 12, 2002 10:43 pm

That's exactly the situation I'm going to solve with the rewrite of the ACL system, which will support roles and nested ACLs.

-Brad
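The parent-dependent rule asok asks for, and the nested ACLs Brad says the rewrite will bring, in the role/subject/object policy syntax of the later grsecurity 2.x RBAC system. This is an added illustration, not a policy from this thread or from the grsecurity project; it assumes the nested-subject form `subject /parent:/child` and the `o` (override inheritance) subject mode as documented for later gradm releases, and it reuses the paths from the question.

```text
# Added example (not from the thread): later grsecurity RBAC syntax.
# Assumption: nested subjects are written "subject /parent:/child".
role default G

# The script itself: may execute touch, write the timestamp,
# and hold the capability asok does not want touch to inherit.
subject /usr/bin/cleverscript o {
	/                       h
	/lib                    rx
	/etc/ld.so.cache        r
	/bin/touch              x
	/var/tmp/timestamp      w
	-CAP_ALL
	+CAP_SYS_RAWIO
}

# Nested subject: applies only when /bin/touch is executed from
# /usr/bin/cleverscript. The 'o' mode stops ACL inheritance, so
# CAP_SYS_RAWIO and the parent's other access do not carry over;
# touch gets exactly the timestamp file plus what it needs to load.
subject /usr/bin/cleverscript:/bin/touch o {
	/                       h
	/lib                    rx
	/etc/ld.so.cache        r
	/var/tmp/timestamp      w
	-CAP_ALL
}

# /bin/touch started from anywhere else falls back to this subject,
# which has no access to the timestamp at all.
subject /bin/touch o {
	/                       h
	/lib                    rx
	/etc/ld.so.cache        r
	-CAP_ALL
}
```

With `gradm -E` enabled and a policy like this loaded, writes to /var/tmp/timestamp from any touch not launched by the script are denied and logged, which is the check to run before trusting the rule.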

Postby meyerm » Tue Sep 24, 2002 7:10 am

Ah. OK, that means for now I cannot create different ACLs for a bash started locally and for a bash started by sshd, right?

And if I understood you right, this will be possible in the future. :)
Do you already know approximately when this will be?

Thanks

Postby spender » Tue Sep 24, 2002 10:38 am

Correct. I'm guessing this will take about a month or so. I'm completely rewriting all of grsecurity by myself, so you have to give me some time :)

-Brad

Postby meyerm » Tue Sep 24, 2002 10:53 am

One month? Hmm, ok. *setMyStopwatch* ;)
