gradm gsecurity question

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby Komelore60 » Mon Mar 19, 2007 10:14 pm

I'm trying to set up the policy so that any IP address can connect to a certain user. Example:

role thomas u
role_allow_ip 172.16.1.35/32
subject / {
/ h
/bin x
/usr h
/usr/bin h
/usr/bin/dtach x
/usr/bin/irssi x
/usr/lib r
/usr/lib64 rx
/usr/lib64/gconv h
/usr/lib64/gconv/CP1252.so rx
/usr/lib64/gconv/gconv-modules.cache r
/usr/local h
/usr/local/lib64
/usr/share h
/usr/share/irssi/themes/default.theme r
/usr/share/zoneinfo r
/var h
/var/run
/var/spool/mail
/dev
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/tty rw
/dev/urandom r
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/etc r
/etc/grsec h
/etc/ssh h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp/chap-secrets h
/etc/ppp/pap-secrets h
/etc/samba/smbpasswd h
/home
/home/thomas
/home/thomas/.bash_history ra
/home/thomas/irc rwc
/lib64 rx
/proc
/proc/meminfo r
/proc/sys/kernel/ngroups_max r
/proc/sys/kernel/version r
/proc/kcore h
/proc/bus h
-CAP_ALL
bind disabled
connect disabled
}

I tried to add a role_allow_ip and set it to *.*.*.*/32, but it does not identify it. Can anyone help me who has some knowledge of gradm and grsecurity? I want to make it so that if an IP address tries to connect, such as 172.16.1.39 or even something outside of my network, it would allow it.
All connections are through SSH... just clearing that up.
Thanks
Komelore60
 
Posts: 1
Joined: Mon Mar 19, 2007 10:10 pm

Postby spender » Wed Mar 21, 2007 6:31 am

Just remove the role_allow_ip line. Without it, a role defaults to allowing all IPs.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
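As an added illustration of the point in the reply above (not code from the thread or from the grsecurity project), the following Python checker walks the role blocks of a gradm policy and reports what each role_allow_ip line actually permits: a role with no such line accepts any IP, a valid CIDR restricts it, and a wildcard like *.*.*.*/32 is not a CIDR at all and so matches nothing. The policy text is a constructed sample modelled on the one in the question, and the parser is a deliberate simplification of the full gradm grammar.

```python
import ipaddress
import re

# Constructed sample policy (not from the thread), modelled on the one above.
SAMPLE_POLICY = """\
role thomas u
role_allow_ip 172.16.1.35/32
subject / {
    / h
}

role guest u
role_allow_ip *.*.*.*/32
subject / {
    / h
}

role admin sA
subject / rvka {
    / rwcdmlxi
}
"""

ROLE_RE = re.compile(r"^role\s+(\S+)")
ALLOW_RE = re.compile(r"^role_allow_ip\s+(\S+)")


def role_ip_restrictions(policy_text):
    """Map role -> [(entry, network-or-None)]; no entries = any IP (gradm default)."""
    roles, current = {}, None
    for raw in policy_text.splitlines():
        line = raw.strip()
        if m := ROLE_RE.match(line):
            current = m.group(1)
            roles.setdefault(current, [])
        elif (m := ALLOW_RE.match(line)) and current is not None:
            entry = m.group(1)
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:  # e.g. the '*.*.*.*/32' wildcard is not a CIDR
                net = None
            roles[current].append((entry, net))
    return roles


def role_allows_ip(policy_text, role, ip):
    """True if ip may use role: roles without role_allow_ip accept any address."""
    entries = role_ip_restrictions(policy_text).get(role, [])
    if not entries:
        return True
    addr = ipaddress.ip_address(ip)
    return any(net is not None and addr in net for _, net in entries)
```

Running it against the sample shows thomas usable only from 172.16.1.35, admin usable from anywhere, and guest usable from nowhere because its wildcard entry never parses.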
