grsecurity forums

Since many people asks for some example-ACL, here you can find my ones.

http://people.roma2.infn.it/~claudio/en/grsec

More to come soon! hope to be useful...

Ciao, Claudio

Those rules are no good. It looks like you used the learning mode and did whatever administrative tasks you normally do. That's not how learning mode should be used. Remember, root is now not trusted, so you don't want your policy to allow him to do anything. The admin role is specifically made to do all of that administrative work.

-Brad

yes, that's what I did. But those are _not_ administrative tasks by root, are just:

- cron jobs
- correct boot/shutdown executions

So root can not even see the logs, add/remove users, start/stop daemon, go into user's directory, change any file and so on.
I used full-learning mode for many time simulating a "real use" of the server, and now they work with about 600 users. Of course this is not the "strongest" solution, but in this way the nodes work great and root can pratically do nothing...

Although the learning mode is great, it does not use inheritence which is needed here and on most computers...

sekko wrote:yes, that's what I did. But those are _not_ administrative tasks by root, are just:

- cron jobs
- correct boot/shutdown executions

From what I understand, restarting services and such should be done from your admin role. Therefore, subjects in your root role such as /etc/init.d/iptables aren't needed. When you're doing full system learning you should avoid running any administrative tasks like this.

If you need to shutdown/reboot, do it from your admin role or disable learning beforehand.