What do 'rwcdmlxi' variables represent?
Posted: Wed Sep 05, 2012 3:12 pm
As far as the variables found in the /etc/grsec/policy file, what do they represent:
r - read (?)
w - write (?)
c - ?
d - delete (?)
m - ?
l - ?
x - execute (?)
i - ?
If my above guesses are correct, then in order to have permission to delete files or folder in my user home directory, I would need to change the following from this:
# Role: username
subject /usr/bin/kdeinit4 o {
/home/username rw
to this:
# Role: username
subject /usr/bin/kdeinit4 o {
/home/username rwd
Is that correct? I'm totally dumb with this and the documentation is a bit over my head, although the policy file seems to have enough information to decipher how best to tweak the policies.
--------------------------------------------------------------------------------------------------------------------
EDIT-NEVERMIND:
--------------------------------------------------------------------------------------------------------------------
# new object modes:
# m -> allow creation of setuid/setgid files/directories
# and modification of files/directories to be setuid/setgid
# M -> audit the setuid/setgid creation/modification
# c -> allow creation of the file/directory
# C -> audit the creation
# d -> allow deletion of the file/directory
# D -> audit the deletion
# p -> reject all ptraces to this object
# l -> allow a hardlink at this path
# (hardlinking requires at a minimum c and l modes, and the target
# link cannot have any greater permission than the source file)
# L -> audit link creation
# new subject modes:
# O -> disable "writable library" restrictions for this task
# t -> allow this process to ptrace any process (use with caution)
# r -> relax ptrace restrictions (allows process to ptrace processes
# other than its own descendants)
# i -> enable inheritance-based learning for this subject, causing
# all accesses of this subject and anything it executes to be placed
# in this subject, and inheritance flags added to executable objects
# in this subject
# a -> allow this process to talk to the /dev/grsec device
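As an added example (not from the post above or from grsecurity itself), here is a small Python parser for a subject block in this simplified policy syntax; it reports what each object-mode letter means and whether a given letter applies to a path. The simplified grammar and the "most specific object path wins" lookup are assumptions, and the two excerpts are constructed from the post's before/after snippets.

```python
import re

# Object-mode letters quoted in the policy comments above, plus the basic r/w/x.
OBJECT_MODES = {
    "r": "read", "w": "write", "x": "execute",
    "c": "create", "C": "audit creation",
    "d": "delete", "D": "audit deletion",
    "m": "setuid/setgid", "M": "audit setuid/setgid",
    "l": "hardlink", "L": "audit link creation",
    "p": "reject ptrace",
}
SUBJECT_RE = re.compile(r"^subject\s+(\S+)\s+(\S+)\s*\{$")

# Constructed excerpts: the poster's "before" block and the proposed "after" block.
BEFORE = "# Role: username\nsubject /usr/bin/kdeinit4 o {\n/home/username rw\n}\n"
AFTER = BEFORE.replace(" rw\n", " rwd\n")


def describe(modes):
    """Map each mode letter to its meaning ('?' for letters not in the table)."""
    return {ch: OBJECT_MODES.get(ch, "?") for ch in modes}


def parse_policy(text):
    """Return {subject: {object_path: set(mode letters)}} from a policy excerpt.

    Assumed simplified grammar: '#' comment lines, 'subject <bin> <modes> {',
    object lines '<path> <modes>', and a bare '}' closing the subject.
    """
    policy, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUBJECT_RE.match(line)
        if m:
            current = policy.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None:
            path, modes = line.split()
            current[path] = set(modes)
    return policy


def matching_object(objects, path):
    """Most specific object that is `path` itself or an ancestor directory
    (assumed to mirror grsecurity's closest-match object lookup)."""
    hits = [o for o in objects if path == o or path.startswith(o.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def allowed(policy, subject, path, mode):
    """True only if the object matched for `path` carries mode letter `mode`."""
    objects = policy.get(subject, {})
    obj = matching_object(objects, path)
    return obj is not None and mode in objects[obj]
```

With the "before" block, a delete under /home/username is refused because the matched object only has r and w; adding d (the "after" block) grants it, while c (create) stays unset until it is added too.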