grsecurity forums

Forgive the n00bish question, but I'm a little unclear about a rather fundamental concept: Could someone explain for me the relationship between grsecurity's RBAC, ACLs, and traditional Unix file permissions?

More specifically: Does grsecurity replace the other two? Trump them? Augment them? Restrict them?

I'm about to try and set up my first hardened Gentoo system with grsecurity RBAC. Say I have some complex hierarchy of project directories intended to be used by a great variety of groups with different levels of access. Traditional permissions are not flexible enough for me, so do I go to POSIX ACLs, and then further restrict that with RBAC, or do I only use RBAC? And do the settings of the traditional file permissions even matter?

grsecurity can override any DAC/ACL policies. Its purpose isn't to replace them but to provide the ability for more fine-grained controls you can't get via ACLs or DAC. Some of these restrictions don't have to do with the filesystem at all (for instance, the ptrace restrictions enabled by default).

Think of it this way: access to a file is granted only if DAC, ACLs, and the RBAC system all approve of it.

There's also this section of the wiki that might be useful to you if you haven't seen it already: http://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System

-Brad