user processes not hidden even though configured in policy
Posted: Mon Oct 02, 2006 12:52 pm
Hi all
I'm having a problem with kernel 2.4.33 and grsecurity-2.1.9-2.4.33-200608131429
I need to hide all processes that belong to a specific user (processes started as Admin, then changing uid to, say, "myuser") from users in the default role. I've configured the two roles along the lines of:
Code:
role myuser uGT
subject / dhkpv
/ rxi
/opt/myuser rwxcdliW
/opt/myuser/lib r
/home rwcd
/mnt rw
/dev
/dev/grsec h
/proc rwx
/proc/kcore h
/proc/sys r
[...]
and
Code:
role default GT
role_transitions Admin
subject / d
user_transition_deny myuser
/ r
/opt/myuser h
/opt rx
/home rwxcd
/mnt rwW
/dev
/dev/grsec h
/proc rwx
/proc/kcore h
/proc/sys r
[...]
and Admin:
Code:
role Admin sAT
subject / adkrv
/ rwxcdml
/etc rwxcdmlW
/opt/myuser rwxcdlmW
+CAP_ALL
subject /opt/myuser dhkpv
/dev/specialdevice rw
/opt/myuser rwxcdlW
/opt/myuser/tmp rwxcdlm
/opt/myuser/log rwx
but when I do a "ps aux" in the default role, I still see all of myuser's processes (all started under /opt/myuser from an init script run by Admin).
Shouldn't the "subject / dhkpv" for myuser hide all his processes except from subjects with "v" set?
thx /markus
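As an added example (not from the post and not part of grsecurity or gradm): a small Python checker that parses the three roles quoted above and reports which subjects carry the "h" (hidden) and "v" (may view hidden processes) subject modes, so you can see at a glance that the default role's only subject, "subject / d", has no "v". It assumes the subject-mode meanings the post itself relies on, and the policy text is a constructed, abridged copy of the roles in the post.

```python
# Constructed, abridged copy of the three roles quoted in the post above.
POLICY = """\
role myuser uGT
subject / dhkpv
/opt/myuser rwxcdliW
role default GT
role_transitions Admin
subject / d
user_transition_deny myuser
/opt/myuser h
role Admin sAT
subject / adkrv
+CAP_ALL
subject /opt/myuser dhkpv
/opt/myuser rwxcdlW
"""


def parse_policy(text):
    """Map role name -> {'flags': role mode, 'subjects': {path: subject mode}}."""
    roles, role = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "role":
            role = parts[1]
            roles[role] = {"flags": parts[2] if len(parts) > 2 else "", "subjects": {}}
        elif parts[0] == "subject" and role is not None:
            # "subject <path> <mode>"; object lines, capabilities and role options are skipped
            roles[role]["subjects"][parts[1]] = parts[2] if len(parts) > 2 else ""
    return roles


def hidden_subjects(roles):
    """(role, subject) pairs whose processes are hidden: 'h' in the subject mode."""
    return [(r, s) for r, d in roles.items() for s, m in d["subjects"].items() if "h" in m]


def viewing_subjects(roles):
    """(role, subject) pairs allowed to see hidden processes: 'v' in the subject mode."""
    return [(r, s) for r, d in roles.items() for s, m in d["subjects"].items() if "v" in m]


def role_can_view_hidden(roles, name):
    """True if at least one subject of the named role carries the 'v' mode."""
    return any("v" in m for m in roles[name]["subjects"].values())


if __name__ == "__main__":
    parsed = parse_policy(POLICY)
    print("hidden:", hidden_subjects(parsed), "viewers:", viewing_subjects(parsed))
    for name in parsed:
        print(name, "can view hidden processes:", role_can_view_hidden(parsed, name))
```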