
Variables in ACL's

Posted: Wed Apr 23, 2003 2:40 pm
by superbock
Hello Brad,

Let's say I have a bunch of users all belonging to the same group.
I wish to have only one role ACL for that group, but for that to work some objects must be referenced with a variable (/home/$USER for example).

Is this viable? If so, are there any plans for implementing this on 2.0 or more in the future?

If this isn't possible/implemented, should I expect a severe performance hit running around 100 very similar role ACLs?

Thanks again.

Posted: Wed Apr 23, 2003 2:57 pm
by spender
It would probably be better to do a group role for your users. The DAC and MAC will work together to essentially give you what you would do with individual roles. You can use the wildcarding like /home/*/directory and such as well. Variable support isn't in yet, but it will be implemented at some point. You won't see any performance hit no matter how many rules you have. It will take a considerable amount of memory, however, to have so many roles (especially if you have a lot of large subjects in each of them), which is why I suggested the group role.

-Brad

Posted: Wed May 07, 2003 10:18 am
by superbock
The file structure in this case does not allow me to close things as much as I would like to if I rely on DAC. Roles is the way. Glad to know that about variable support, it's a great feature and I can't wait to try it out.

Thanks