acl

Submit your RBAC policies or suggest policy improvements

Postby piavka » Thu Oct 31, 2002 8:52 am

Hi, after reading the ACL docs several times already and trying
to implement some ACL setups, I don't understand the behaviour of grsec.
I have this setup:
/ {
    / r
    /etc rx
    ...
}
/etc {
    /etc/grsec h
}
But then, executing 'gradm -E', I get the error:
Viewing access is allowed to /etc/grsec, the directory which holds ACL and ACL password information.
Why? It only works if I put "/etc/grsec h" in the / subject. Is the /etc subject ignored?
The same happens when I change the /etc subject to:
/etc o {
    / h
    /etc rx
    /etc/grsec h
}

Another setup:
/ {
    / r
    /etc rx
    ...
}
/etc {
    /etc rwxo
}
Then, when grsec is enabled, I can't write into /etc. Again it seems like the /etc subject is just ignored by grsec. Why?
Please help me out.
Thanks a lot

Postby piavka » Thu Oct 31, 2002 11:38 am

I think I figured out what I was doing wrong.
If some executable (say /usr/bin/pico) tries to write into /etc,
it will fail because it does not inherit the /etc subject but only /.
If the executable was located under /etc, like /etc/lala/pico,
then it could write into /etc if this is the setup:
/ {
    / r
    /etc rx
    ...
}
/etc {
    /etc rwxo
}

Postby spender » Fri Nov 01, 2002 8:31 am

I don't think you understand the ideas of subjects and objects. When you create a subject ACL, it only gets applied to executed binaries. So putting a subject ACL on /etc won't do anything unless you've got a binary in /etc. Objects are the files that the process works with.

-Brad
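The subject/object distinction spender describes, replayed against the policies posted in this thread, as an added example that is not grsecurity or gradm code. It is a deliberately small model of the RBAC lookup, and its assumptions are simplifications of the real engine: a subject applies to any binary whose path equals or lies beneath the subject path and the most specific such subject wins; within that subject the longest-matching object path wins; objects from less specific subjects are inherited unless the subject carries the 'o' mode (assumed here to mean "do not inherit"); object modes other than r, w, x and h are parsed but ignored. The policy strings, the binary paths (/usr/bin/pico, /etc/lala/pico, /bin/sh) and the target files are constructed from the posts above, not taken from a deployed system.

```python
"""Toy model of grsecurity RBAC subject/object lookup (added example, not gradm code).

Assumptions (simplifications of the real RBAC engine): a subject covers a binary
whose path equals or lies beneath the subject path, most specific subject wins;
the longest-matching object path in that subject wins; objects of less specific
subjects are inherited unless the subject has mode 'o' (assumed: no inheritance);
object modes other than r, w, x, h are parsed but ignored.
"""
from typing import Dict, Optional, Tuple

Subject = Tuple[str, Dict[str, str]]   # (subject modes, {object path: object modes})
Policy = Dict[str, Subject]            # subject path -> Subject


def parse_policy(text: str) -> Policy:
    """Parse the 'path [modes] { object modes ... }' syntax used in the thread."""
    policy: Policy = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            head = line[:-1].split()
            current = head[0]
            policy[current] = (head[1] if len(head) > 1 else "", {})
        elif line == "}":
            current = None
        else:
            if current is None:
                raise ValueError(f"object line outside a subject: {line!r}")
            parts = line.split()
            policy[current][1][parts[0]] = parts[1] if len(parts) > 1 else ""
    return policy


def _covers(prefix: str, path: str) -> bool:
    """True when path equals prefix or lies beneath it (whole path components only)."""
    return prefix == "/" or path == prefix or path.startswith(prefix.rstrip("/") + "/")


def subject_for(policy: Policy, executable: str) -> str:
    """Subjects are chosen by the path of the *executed binary*, never by the file it touches."""
    candidates = [s for s in policy if _covers(s, executable)]
    if not candidates:
        raise LookupError(f"no subject covers {executable}")
    return max(candidates, key=len)


def effective_objects(policy: Policy, subject: str) -> Dict[str, str]:
    """Objects a subject sees: inherited from '/' downwards, more specific subjects override."""
    merged: Dict[str, str] = {}
    for s in sorted((s for s in policy if _covers(s, subject)), key=len):
        modes, objects = policy[s]
        if "o" in modes:            # assumption: subject mode 'o' discards inherited objects
            merged = {}
        merged.update(objects)
    return merged


def check(policy: Policy, executable: str, target: str, access: str) -> Tuple[str, Optional[str], bool]:
    """Return (subject used, object matched, allowed?) for one access by one binary."""
    subject = subject_for(policy, executable)
    objects = effective_objects(policy, subject)
    matches = [o for o in objects if _covers(o, target)]
    if not matches:
        return subject, None, False
    obj = max(matches, key=len)
    if "h" in objects[obj]:         # hidden: the file does not exist for this subject
        return subject, obj, False
    return subject, obj, access in objects[obj]


# Constructed from the second setup in the first post (not a real deployed policy).
THREAD_POLICY = """
/ {
    / r
    /etc rx
}
/etc {
    /etc rwxo
}
"""
# Constructed: the first setup gradm -E rejected, and the variant the poster says it accepted.
GRSEC_IN_ETC_SUBJECT = "/ {\n / r\n /etc rx\n}\n/etc {\n /etc/grsec h\n}\n"
GRSEC_IN_ROOT_SUBJECT = "/ {\n / r\n /etc rx\n /etc/grsec h\n}\n"


def run_thread_scenarios() -> Dict[str, bool]:
    """Replay the accesses discussed in the thread against the constructed policies."""
    p = parse_policy(THREAD_POLICY)
    return {
        # pico lives outside /etc, so it runs under the "/" subject, where /etc is only rx
        "pico_outside_etc_writes_etc": check(p, "/usr/bin/pico", "/etc/hosts", "w")[2],
        # a binary under /etc picks the /etc subject, whose /etc object grants w
        "pico_under_etc_writes_etc": check(p, "/etc/lala/pico", "/etc/hosts", "w")[2],
        # why gradm -E complained: from the default "/" subject, /etc/grsec is readable
        "grsec_visible_from_default_subject": check(
            parse_policy(GRSEC_IN_ETC_SUBJECT), "/bin/sh", "/etc/grsec", "r")[2],
        "grsec_hidden_from_default_subject": check(
            parse_policy(GRSEC_IN_ROOT_SUBJECT), "/bin/sh", "/etc/grsec", "r")[2],
    }


if __name__ == "__main__":
    for name, allowed in run_thread_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running the module prints one line per scenario: the editor outside /etc is denied the write, the same editor placed under /etc is allowed it, and /etc/grsec stays readable from the default subject until the h object is moved into the / subject, which is the check gradm -E was enforcing. The model exists only to make the lookup order visible; consult the gradm documentation for the real mode semantics before relying on any of it.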

