RBAC policy help

Submit your RBAC policies or suggest policy improvements

RBAC policy help

Postby ominor » Fri Jun 01, 2007 9:52 pm

hi everybody ,
I;m new to grsecurity. In my system the each user has its own group e.g user1:user1 ... how it is possible to make an rbac policy to restrict their access out of their home dirs ?
Posts: 1
Joined: Fri Jun 01, 2007 9:49 pm

Postby brant » Sat Aug 25, 2007 12:42 pm

What do you mean? You want to restrict users so they only have access to his or her home directory?

Will they still have access to system-wide binaries, man pages, and libraries?

Here's a skeleton role as an example (of course, your paths may vary):

Code: Select all
role username u

subject / {

/ h

/etc h
/etc/grsec h
/etc/localtime r

/usr h
/sbin h
/usr/sbin h
/usr/local/sbin h

/proc/kcore h
/proc/bus h

/dev/mem h
/dev/port h
/dev/kmem h
/dev/grsec h

/tmp rwcd

/bin x
/usr/bin x
/usr/local/bin x

/lib x
/usr/lib x

/usr/local/share/man/whatis r


/home h
/home/username rwxcd

bind disabled
connect disabled


I'm not entirely if this is the droid you're looking for, but this role allows execution of shared binaries and libraries without allowing read access to /bin, /usr/bin, etc. Users can also execute code within his or her home dir. From here, you can enable RBAC and watch the system logs for denials. If something gets denied that shouldn't be, look at how to add it to the policy/role.
Posts: 9
Joined: Fri Feb 03, 2006 2:35 am

Return to RBAC policy development