Global + application specific policy

Submit your RBAC policies or suggest policy improvements

Global + application specific policy

Postby cm3l1k1 » Mon Dec 08, 2014 10:47 am

Hi All,

I'm working on project/distribution with high focus on security. I know that grsec policies should be as specific as possible, but I'm looking for ability to provide pre-defined set of policies for roles of the server (e.g. webserver, db server, vpn gateway, mail server, dns server, ...). Roles are managed by distribution control script, so I would know which applications will be installed and what will be their configuration.

So users would have a chance to generate own global policy, but can add as well pre-defined specific policy based on role of their server.

What are to possibilities in this case?

Main questions on my mind:
- is there a chance to have application specific policy, while rest of the system would stay unprotected?
- is there a chance to have multiple policy files (global, webserver specific, DNS server specific, ...) which are all evaluated by grsec and countermeasures applied accordingly?
- is there a chance that rules in application specific policy will overwrite those in global policy when there will be a conflict (import ordering)?

Thank you
cm3l1k1
 
Posts: 1
Joined: Mon Dec 08, 2014 9:54 am

Re: Global + application specific policy

Postby spender » Wed Dec 10, 2014 6:18 pm

grsecurity's RBAC isn't meant to be used on specific applications only.

You can include multiple policy files, and there exist subject/object flags to override previously-parsed subjects/objects of the same name. If there's any other duplication of subjects/objects, an error will be shown.

Included policy files don't need to contain entire policies themselves, but can include as little as a single line of policy. There also exists some limited support for reusable variables that contain lists of objects. You can operate on the objects with various set operations.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to RBAC policy development

cron