RBAC ACLs in a chroot
Posted: Fri Jun 22, 2007 6:41 amHello all
I am about to write rules for a grsec system that has an apache2 web server, mysql5 database and cron running within a chroot.
Now before I start I was wondering about a fundamental question: What paths do I use in the policy to differentiate between chroot and base system? Because the syscall that a chrooted application will issue to access, say, /etc/ssl, is actually stat(/etc/ssl), which is in reality /chroot/etc/ssl. Which of the two paths do I use in my policy?
And, other way round, how do I allow an application (vim, for example) access to /etc/ssl in the base system, but not allow it within the chroot - given that the syscall, again, will presumably be the same?
Is there any way to do this at all?
thx /markus
I am about to write rules for a grsec system that has an apache2 web server, mysql5 database and cron running within a chroot.
Now before I start I was wondering about a fundamental question: What paths do I use in the policy to differentiate between chroot and base system? Because the syscall that a chrooted application will issue to access, say, /etc/ssl, is actually stat(/etc/ssl), which is in reality /chroot/etc/ssl. Which of the two paths do I use in my policy?
And, other way round, how do I allow an application (vim, for example) access to /etc/ssl in the base system, but not allow it within the chroot - given that the syscall, again, will presumably be the same?
Is there any way to do this at all?
thx /markus