learing mode for objects

Submit your RBAC policies or suggest policy improvements

learing mode for objects

Postby piavka » Tue Oct 29, 2002 11:45 am

Can the learing mode of grsec be modified so that, i could specify it for
objects too, for example:

/ {
/ r
/usr rl <-----
/etc rx
/etc/grsec h
....
}

this way i don't need to allow learing mode for the whole /, since this way i
can protect other directories and not leave all the system open, like
/ l {
/ r
/usr r
/etc rx
/etc/grsec h
....
}

or is there some workarount to get this functionality?

ps. As i understand this setup
/ {
/ r
/usr rl
/etc rx
/etc/grsec h
....
}
/usr lo {
/usr r
}

is illegal.

Thanks
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

Postby spender » Tue Oct 29, 2002 5:28 pm

what you probably want is this:

/usr l {
}

subjects can be both files and directories.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby piavka » Wed Oct 30, 2002 9:05 am

Thanks, removing the o option from subject (then subject is a dirctory
solved my problem). But why can't i specify the o option for a dirctory subject?
If i do like this:
/usr lo {
}
gradm says that /usr has no default acl, and i thought that
/ {
....
}
should be default acl for all it's subdirectories subjects too, not only for the executable subjects, isn't it so?

another question is: if i have
/ {
/usr/kkk rx
....
}
/usr l {
/usr r
}
if some process needs to write into /usr/kkk, will it be able to do so?
I mean which object will be used for authentication?
/usr/kkk rx
or
/usr r

If "/usr r" is used then the process will be able to write into /usr/kkk,
because /usr subject is in learning mode. But i need that "/usr/kkk rx"
will be used from the / subject and deny the write.

Thanks.
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

Postby spender » Wed Oct 30, 2002 9:45 am

if you specify o in the subject mode, you need to at least provide a rule for /. Specifying o in the subject mode means you don't want to inherit any ACLs from parent directories. So what you would need is at least:

/usr lo {
/ h
}

or whatever you want the default rule for / to be.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby piavka » Wed Oct 30, 2002 10:03 am

regarding my second question:
I don't want processes to be able to write into /usr/kkk
and i have this setup:
/ {
/usr/kkk rx
....
}
/usr l {
/usr r
}
would expand /usr to the following, once inheritance was calculated:
/usr l {
/usr r
/usr/kkk rx
}
yes or no??????
if yes,then processes will be able to write into /usr/kkk, because /usr subject is in learing mode. yes or no???

If prcoesses are able to write into /usr/kkk, how should i change the setup
ot deny it?
Thanks a lot.
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am


Return to RBAC policy development

cron