
Very simple ACL configuration problem [again ? :/]

Posted: Wed Mar 16, 2005 5:36 pm
by fastman
Hi,
I'm new here ;]
Could you tell me how to configure my ACL, but without any far-fetched roles, groups etc.? What must I do when I only want to disable writing permission to some dirs? Learning mode makes too complicated rules :/. Grsec is going to be second rsbac...

Another thing:
When I've generated policies from learning mode, but then I've added some more users to the system, do I have to enable learning mode again?
Is there a way to configure a group for the system group 'users', which will have the same configuration, and that configuration will allow that group to work properly (no matter how many users I will add in the future, e.g. writing permission to /home, not a specific rule assigned to each user, like /home/user, /home/user2 - learning mode generates sth. like this for me)?


Sorry for my English; if something was written unclearly, tell me - I'll try to explain what my point is ;]

Re: Very simple ACL configuration problem [again ? :/]

Posted: Wed Mar 30, 2005 8:03 pm
by petlab
fastman wrote: Learning mode makes too complicated rules :/. Grsec is going to be second rsbac...

I think if gradm is your SECOND rbac, then you have already tackled the tough part - SELinux policies?? If all you want is a couple of dirs, then you could use the default policy and just pay attention to those dirs you are mentioning.

fastman wrote: Another thing:
When I've generated policies from learning mode, but then I've added some more users to the system, do I have to enable learning mode again?


Not if the new users are doing the same thing as the old users.


fastman wrote: Is there a way to configure a group for the system group 'users', which will have the same configuration, and that configuration will allow that group to work properly (no matter how many users I will add in the future, e.g. writing permission to /home, not a specific rule assigned to each user, like /home/user, /home/user2 - learning mode generates sth. like this for me)?

Yes, you can do that. But you will have to read an example policy for a group, and modify it to do what your users need.