RBAC learning mode question

Submit your RBAC policies or suggest policy improvements

RBAC learning mode question

Postby mrspaghetti » Tue Jun 19, 2012 4:54 pm

I'm new to grsec, having compiled it a couple months ago, figured out the PaX flags to get everything working, etc., and been using it ever since without RBAC.

Now I'm ready to take the next step but I'd like a little more guidance before I dive in.

The documentation says that, while in learning mode, you should authenticate to the admin role before doing administrative tasks [I've also read elsewhere that you should avoid admin tasks altogether while in learning mode]. In this context, what are considered administrative tasks? Only actions that modify the RBAC system or grsec files themselves? Or do 'administrative tasks' include anything that you would normally sudo (or su) to complete on a system without RBAC? For me, normal use includes using sudo fairly often (if only to dmesg, for example). Should I be doing that at all in learning mode? Or is it ok as long as I gradm -a admin first?

I went through the system wide learning mode once already but when I made my policy and activated RBAC it clearly wasn't right - I had to shut off the power and restart to kill RBAC and get back in control. What's the best way to 'undo' and start the learning process over? I'm assuming it is necessary to tweak the policy as generated by learning mode before activating RBAC [I didn't the first time...]

Thanks for any help in advance, and thanks to spender and all who have contributed to grsecurity/PaX in general. Better and more widespread security is hugely needed.

Regards,
spaghetti
mrspaghetti
 
Posts: 2
Joined: Tue Jun 19, 2012 4:06 pm

Re: RBAC learning mode question

Postby spender » Tue Jun 19, 2012 7:07 pm

The admin role should only be entered by the root user. Pretty much anything you as the user would do as root should be done under the admin role (otherwise you're learning to allow things an attacker with uid 0 will be able to do).

This does make me think of an idea for the future to automatically generate more complex policies: during full learning, allow a user to change to a non-existent special role with any name, thus creating a new special role in the learned policy with that name, so the full learning won't be restricted to just producing a full-privilege admin role.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: RBAC learning mode question

Postby mrspaghetti » Wed Jun 20, 2012 10:24 am

Ok, so during system wide learning, if I'm logged in as my regular user and I want to sudo (note that I'm running Ubuntu so I don't su, I sudo), first I do gradm -a admin, then sudo whatever. I assume this will set up my regular role to allow for transition to the admin role? Because I was unable to do that after my earlier attempt at learning mode.

Having gone through the learning process before and botched it, what do I need to do to reset it? Is there a default policy file elsewhere on the system that I can overwrite my botched policy file with? Or will generating a new one from learning overwrite it anyway?

Thanks,
spaghetti
mrspaghetti
 
Posts: 2
Joined: Tue Jun 19, 2012 4:06 pm

Re: RBAC learning mode question

Postby peetaur » Sun Oct 05, 2014 8:53 am

in case it is useful to others... I was also looking for answers like this and didn't find them elsewhere, and learned by tinkering instead of reading. And I'm basically still a noob, but hopefully I'm close enough.

mrspaghetti wrote:Having gone through the learning process before and botched it, what do I need to do to reset it?


To disable your rules, just do "gradm -D". And to reset it / start learning over again, you just run full learning on a new or empty log file; don't run it on an existing file or it appends to the old log. Then when you generate the policy, it won't have the old data, and you can overwrite your old botched policy file with the result.

mrspaghetti wrote:Is there a default policy file elsewhere on the system that I can overwrite my botched policy file with? Or will generating a new one from learning overwrite it anyway?


I think you don't need a default policy... full learning will not use the old policy file, and will just overwrite it (not a patch, but a replacement). But if you want the default one, you can find it in the build directory when you compiled gradm. I think it is probably installed by "make install".
peetaur
 
Posts: 23
Joined: Sat Oct 04, 2014 3:26 pm


Return to RBAC policy development