RBAC policy: template support?

Submit your RBAC policies or suggest policy improvements

RBAC policy: template support?

Postby law » Mon Jan 21, 2008 3:16 pm

Just out of curiousity, is there any provision for some rudimentary kind of templating in creating RBAC roles? Ferinstance, I think it would be super-helpful if we could just define a variable of "valid usernames", and then create one role-template for them that is smart enough to understand stuff like "home directories" being /some/path/$valid_username/blargh, instead of having to be /some/path/hardcoded.username/blargh, repeated umpty-billion times (I won't even frighten you with the vast, ugly mess that is our current production policy file. Let's just say it's 1,952,621 lines, takes 20 minutes to reload, and leave it at that)

Is something like that already available in grsec, and I just haven't found it yet?

Posts: 15
Joined: Wed Jun 27, 2007 2:21 pm

Re: RBAC policy: template support?

Postby spender » Wed Feb 13, 2008 6:11 pm

I've mentioned it many times on the forums already, but I very much doubt you need a policy of that size, if it's mostly due to the large number of users on the system. Using a combination of DAC with regular globbed RBAC rules should suit the needs of 99% of people. The only thing you can't get from this combination is making every other user's home directory hidden but the current user -- through DAC you can ensure that their directories can't be entered, however. The additional hiding restriction is mostly obfuscation anyways.

Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Return to RBAC policy development