Page 1 of 1

vserver RBAC question

PostPosted: Mon Mar 06, 2006 4:31 pm
by zaterio
I am running a kernell patched with grsec + vserver:

uname -a

Linux debian 2.6.14.7-vs2.1.0-grsec-2.1.9

I have some questions about how i can optimize the policys in grsec and vserver machine:

for example i put my box in learning mode for 2 days, in this period I do many habitual task in a vserver like: install apache, php, and that kinds off stuff, after that period I generate the policys and the system run ok, but if I want to install another vserver i need to run the learning mode again, and if i want to add a new usser in a vserver is the same.....

for another hand i have many chroot grsec options enabled:

chroot_deny_unix
chroot_enforce_chdir
chroot_deny_fchdir
chroot_deny_mknod
chroot_deny_mount
chroot_deny_pivot
chroot_deny_shmat
chroot_deny_sysctl
chroot_findtask
chroot_restrict_nice

in the host (real machine) i am not running services, the vservers will be do that...fot this reasons i im start thinking put the RBAC in disable mode ...i dont want to loose this feature of grsec, but the vserver and his behavior (like independent system) make the RBAC very difficult to implement...

the vservers run in a directory /home/vservers..¿is posible create defaults policys for all the procces run in that directorys? or ¿is posible disable the RBAC for all the procces and users runing into a vserver?, assuming the chroot restrictions of the grsec is a risk that I take...

thank in advance for any suggestion

Zaterio

sorry my poor english..from Chile