Inheritance in grsecurity2


Postby RaYmAn » Sun Jul 27, 2003 1:04 pm

Hi,
After getting learning ACLs to work properly with grsecurity2, I finally managed to have a learnt ACL that seems fairly decent.
However, I'm a bit confused about some things...
I, of course, have a default ACL that allows some amount of things.
Then I have a users ACL that allows a bit more.
However, I'm a bit confused about how that works. My user is in users; if I (with a program not explicitly allowed or denied) try to access some files not explicitly allowed by the / subject ACL of role users but explicitly allowed by the default ACL, will I get access to them then or not?
So I guess the real question is: is there role inheritance, or is the matching limited to only the first match?
I.e. if something doesn't match in the user ACL (i.e. it is neither allowed nor denied), will the group ACL be tested, and will the default ACL then be tested?
It makes quite a big difference wrt. duplicate entries and such (and I'm not fond of trying to enable the ACL without knowing...).
Regards,
Jens Andersen
RaYmAn
 
Posts: 9
Joined: Thu Jul 10, 2003 8:08 am

Postby spender » Sun Jul 27, 2003 7:46 pm

Rule lookups will not fall back on group/default roles. The only time something similar to that will happen is when the role is applied to a user. If a user role for them exists, that will be applied, otherwise a group role if it exists, otherwise the default role. Inheritance (as it applies to configuration) is only done on a subject basis (falling back to subjects of parent paths, if they exist).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby RaYmAn » Tue Jul 29, 2003 10:59 am

Hi,
What if, for example, I have a group users, which my user has as 'primary' group, and then I have a group trusted which grants access to a little bit more (such as gradm authentication), and my user is a member of that group?
How will the matching happen then?
Say I try to authenticate with gradm -a: will the "users" ACL be applied or will the "trusted" ACL be applied, and hence will access be denied or granted?
I'm guessing it will be the "users" ACL that applies. If so, I have a feature request: the possibility to define sub-roles, i.e. the trusted role is a sub-role (group) of users, hence granting access to what 'users' gives access to but also what trusted gives access to (trusted takes preference over users since it's a sub-role).
Would that be possible?
Regards, Jens Andersen
RaYmAn
 
Posts: 9
Joined: Thu Jul 10, 2003 8:08 am

Postby spender » Tue Jul 29, 2003 12:04 pm

What you should do in that case is use the special role capability, so they can gradm -a <special role> and gain the extra privilege.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
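The lookup order Brad describes in this thread (one role per process: user role, else group role, else default, with no fall back between roles for object matches; subject inheritance only along parent paths; extra privilege via a special role entered with gradm -a), as an added toy model written for this post, not gradm's or the kernel's own code. The policy, user names and paths are constructed for illustration; real RBAC policies use the gradm policy syntax and many more object modes than the few letters modelled here.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    kind: str                                     # 'u' user, 'g' group, 'd' default, 's' special
    subjects: dict = field(default_factory=dict)  # subject path -> {object path: mode flags}

def select_role(roles, user, groups, special=None):
    """Exactly one role applies: a special role entered via gradm -a,
    else the user's own role, else one of the user's group roles, else default."""
    if special is not None:
        return next(r for r in roles if r.kind == "s" and r.name == special)
    for r in roles:
        if r.kind == "u" and r.name == user:
            return r
    for r in roles:
        if r.kind == "g" and r.name in groups:
            return r
    return next(r for r in roles if r.kind == "d")

def longest_prefix(table, path):
    """Longest key that is `path` itself or one of its parent directories."""
    matches = [p for p in table if path == p or path.startswith(p.rstrip("/") + "/")]
    return max(matches, key=len) if matches else None

def access(roles, user, groups, exe, obj, special=None):
    """Mode flags granted to `exe` on `obj` under the single selected role.
    Only that role is consulted: an object the users role hides is NOT
    re-checked against the group or default role."""
    role = select_role(roles, user, groups, special)
    subject = role.subjects[longest_prefix(role.subjects, exe)]  # parent-path subject fallback
    key = longest_prefix(subject, obj)
    return subject.get(key, "") if key else ""

def can_read(roles, user, groups, exe, obj, special=None):
    return "r" in access(roles, user, groups, exe, obj, special)

# Constructed policy: the default role grants /etc/motd, the users role hides it ('h'),
# and the special role 'trusted' is the one that reaches the policy directory.
POLICY = [
    Role("default", "d", {"/": {"/": "h", "/etc/motd": "r", "/bin": "x"}}),
    Role("users", "g", {"/": {"/": "h", "/home": "r", "/bin": "x"},
                        "/usr/bin": {"/": "h", "/home": "rw", "/usr/bin": "x"}}),
    Role("trusted", "s", {"/": {"/": "r", "/etc/grsec": "rw"}}),
]
```

Running `can_read(POLICY, "jens", ["users"], "/bin/cat", "/etc/motd")` gives False even though the default role would grant it, which is the behaviour the thread is asking about.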
