grsec2, special roles lock acl system?

Submit your RBAC policies or suggest policy improvements

grsec2, special roles lock acl system?

Postby fd0 » Fri Jun 06, 2003 10:34 am

Hi,

I'm just playing with grsec2 and stumbled over a few things I don't understand.

The first is how do I assign a role to a user? Just by naming the role after the username on the system? What about if a user "default" exists?

The second is after setting a role named "fd0" special and trying to reload the acl-system gradm complains about using incompatible versions of grsec and gradm:

in /etc/grsec/acl (default acl, just added the role "fd0"):
Code: Select all
role fd0 suG
role_transitions admin
subject /
        /etc/grsec h
        /dev
        /dev/grsec h
        /dev/kmem h
        /dev/mem h
        /dev/port h
        /proc/kcore h
        /home/fd0 rw
        / r

        -CAP_ALL


# gradm -R
Password:
You are using incompatible versions of gradm and grsecurity.
Please update both versions to the ones available on the website.

in kern.log:
kernel: grsec: From 192.168.101.52: Failed reload of grsecurity 2.0 for (gradm:3056) uid/euid:0/0 gid/egid:0/0, parent (bash:9160) uid/euid:0/0 gid/egid:0/0

Why does the reload fail? What is the meaning of 'special' roles, apart from that they aren't assigned automatically?

Can someone perhaps post an example user role?


Anyway, I would like to express that I really love grsec, thanks a lot for your work, Brad.

- Alexander
Code: Select all
fd0
 
Posts: 6
Joined: Fri Jun 06, 2003 8:50 am

Postby spender » Fri Jun 06, 2003 6:46 pm

You can't use "s" and "u" in the role mode at the same time, the role can only either be a special role, or a user/group role, you can however use u and g in the role mode at the same time. This is most likely why you were given the error from the kernel. I'll add a more verbose error before the information is sent to the kernel, though.

The default role has no s, u, or g mode, so that is how we can tell if the role is a default role (we also check to see if you forget to add a mode to a role named something other than default). Therefore, a user role named default is fine.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby spender » Fri Jun 06, 2003 6:54 pm

Special roles are abstract entities. They don't belong to users or groups. Think of them as a classification of a task that needs to be performed. They will mostly be used in your policies as administrative accounts, as you don't want these to belong to a specific user/group, and require additional authentication to perform administrative tasks.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to RBAC policy development