grsecurity forums

Skip to content

RBAC ACLs in a chroot

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

RBAC ACLs in a chroot

Postby xor » Fri Jun 22, 2007 6:41 am

Hello all

I am about to write rules for a grsec system that has an apache2 web server, mysql5 database and cron running within a chroot.

Now before I start I was wondering about a fundamental question: What paths do I use in the policy to differentiate between chroot and base system? Because the syscall that a chrooted application will issue to access, say, /etc/ssl, is actually stat(/etc/ssl), which is in reality /chroot/etc/ssl. Which of the two paths do I use in my policy?
And, other way round, how do I allow an application (vim, for example) access to /etc/ssl in the base system, but not allow it within the chroot - given that the syscall, again, will presumably be the same?

Is there any way to do this at all?

thx /markus
xor
 
Posts: 7
Joined: Wed Jul 12, 2006 6:15 am
Top

Postby spender » Sun Jun 24, 2007 8:59 pm

You use the absolute path for the file, not the one based on whatever chroot the process is currently in. In your case, this would be /chroot/etc/ssl instead of /etc/ssl.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group